OpenSkillIndex← back to search

Hacktricks-skills php-disable-functions-bypass

Bypass PHP disable_functions restrictions using stream wrapper exploits. Use this skill when testing PHP applications for security vulnerabilities, specifically when you encounter disabled functions like fopen, file_get_contents, or similar file operations. Trigger this when the user mentions PHP security testing, disable_functions bypass, PHP wrapper exploits, or when analyzing PHP configurations with restricted functions. Make sure to use this skill whenever the user is doing authorized pentesting on PHP applications and needs to understand or demonstrate function restriction bypasses.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2-fopen-exploit/SKILL.MD
source content

PHP Disable Functions Bypass

A skill for bypassing PHP's 

disable_functions
restriction using stream wrapper exploits during authorized security testing.

Overview

PHP's 

disable_functions
directive restricts dangerous functions like 
fopen()
, 
file_get_contents()
, 
exec()
, etc. However, certain stream wrappers can be exploited to bypass these restrictions in specific PHP versions.

PHP 5.2 - FOpen Exploit

Technique

In PHP 5.2, the 

srpath://
stream wrapper can be used with 
fopen()
to bypass disable_functions restrictions:

php -r 'fopen("srpath://../../../../../../../dir/pliczek", "a");'

How it works

The 

srpath://
wrapper allows path traversal that can bypass certain restrictions. By using this wrapper with 
fopen()
, you can potentially write to files even when the function appears to be disabled.

Requirements

  • PHP 5.2 (specific version)
  • The 
    srpath://
    stream wrapper must be available
  • Appropriate file system permissions

Usage

Command Line

php -r 'fopen("srpath://../../../../../../../target/path", "a");'

In PHP Script

<?php
fopen("srpath://../../../../../../../target/path", "a");
?>

Testing Checklist

Before attempting this bypass:

  1. Verify PHP version (5.2)
  2. Check if 
    disable_functions
    is set
  3. Confirm 
    srpath://
    wrapper availability
  4. Ensure you have write permissions to target directory
  5. Document findings for security report

Important Notes

  • This technique is version-specific and may not work on newer PHP versions
  • Requires proper file system permissions
  • Should only be used in authorized security testing environments
  • Modern PHP versions have patched many of these vulnerabilities

Security Considerations

This skill is for authorized security testing only. Always:

  • Obtain proper authorization before testing
  • Document all findings
  • Report vulnerabilities responsibly
  • Never use these techniques on systems you don't own or have permission to test

References