Bypass PHP Disabled functions for Executing Shell commands.


Hello, this is my first post since I started this blog. Let's start by imagining our scenario: we have a target server with PHP shell access which does not let us execute commands.

Bypassing Disabled Functions

So let's start by discussing how a command is normally executed using PHP. We all know there are certain PHP functions for carrying out commands. A smart server admin will always keep them disabled unless a legitimate user asks him to enable them for legitimate usage. Anyway, we are not here to discuss how to convince the server admin to enable them so that we can continue our penetration test. In a normal scenario, a user sends a command string to the PHP script, and the script then tries to execute the command using some built-in function(s).

Output of the above code

The following are a few PHP functions which yield similar output with minor differences.

Code for passthru:

Code for shell_exec:

Code for exec:

Code for proc_open:

Above are a few methods for executing shell commands through the PHP interface.


But what if the server admin has disabled a few of these functions?

Well, there is always a possibility. Let's say the admin has disabled the shell_exec, exec, system, passthru and proc_open functions, but unknowingly left popen or some other function enabled. We can always check whether any of the above functions are available. So, I wrote a simple PHP script which tries all these functions one by one to check whether there is any way to execute a command.



What if the above code doesn't work and all of the functions are disabled?

Yes, this may happen. But we should never lose hope; there is a chance. We might be able to override the admin's security settings, and believe me, the solution is very simple and very effective in most cases. We just need to override the admin's php.ini (configuration file). All we need to do is create a new file in the working directory and add the following code:

Save it as php.ini, then reload your shell script.
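As an added defender's check (not the author's script), here is a small Python audit of the disable_functions directive: it parses a php.ini text, reports which of the command-execution functions named above are still callable, and flags stray php.ini files found in a web directory that would leave them enabled. The file paths and ini contents are constructed samples.

```python
import re

# Command-execution functions discussed in this post; PHP function names are case-insensitive.
EXEC_FUNCTIONS = {"system", "exec", "shell_exec", "passthru", "proc_open", "popen"}

# Constructed sample: a hardened server-wide php.ini (all six functions disabled).
HARDENED_INI = """\
[PHP]
; constructed sample of a hardened php.ini
engine = On
disable_functions = "exec,passthru,shell_exec,system, proc_open, popen" ; keep in sync
"""

# Constructed sample: the scenario above, where popen was forgotten.
PARTIAL_INI = "disable_functions = exec,shell_exec,system,passthru,proc_open\n"

# Constructed sample: a php.ini dropped into a writable web directory with no restrictions at all.
STRAY_INI = "; constructed sample\ndisplay_errors = On\n"


def parse_disable_functions(ini_text):
    """Return the set of names in the last effective disable_functions directive (empty if absent)."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if "=" not in line:
            continue  # blank lines, [sections] and comments carry no directive
        key, _, value = line.partition("=")
        if key.strip().lower() != "disable_functions":
            continue
        value = value.strip().strip('"').strip("'")
        # A later occurrence overrides an earlier one, so rebuild the set each time.
        disabled = {n.strip().lower() for n in re.split(r"[,\s]+", value) if n.strip()}
    return disabled


def audit(ini_text):
    """Sorted list of command-execution functions this configuration leaves callable."""
    return sorted(EXEC_FUNCTIONS - parse_disable_functions(ini_text))


def find_weak_configs(configs):
    """configs maps path -> php.ini text; return only the files that leave something enabled."""
    return {path: audit(text) for path, text in configs.items() if audit(text)}


if __name__ == "__main__":
    found = {"/etc/php.ini": HARDENED_INI, "/var/www/html/uploads/php.ini": STRAY_INI}
    for path, gaps in find_weak_configs(found).items():
        print(f"{path}: still enabled -> {', '.join(gaps)}")
```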

Still helpless?

Well, when everything fails, we can always try CGI scripts, which don't care about PHP restrictions. But remember our problem? We cannot execute commands. And when you cannot execute commands, you can upload your CGI script to the server, but you cannot execute it.

Internal Server Error (500)? Uh oh!

That's because when you upload your CGI script to the server, you need to make it executable. Remember this?

But how would you do that when you're not allowed to execute commands?

I have written a script which tests all the methods described above to see whether any of them works. If everything fails, it tries to write a CGI script onto the server and chmod it automatically, then generates a link to the CGI shell.

Functions are disabled. Commands are not executed.



After applying the CGI bypass, the script generated this shell:



For a video demo, go to this link (YouTube).

You can download the complete script from here.

Thank you for reading this.
