Hacktricks-skills php-disable-functions-bypass

How to test for PHP disable_functions and safe_mode bypass vulnerabilities during authorized penetration testing. Use this skill whenever you need to assess PHP security configurations, test for function restriction bypasses, or evaluate PHP hardening effectiveness. Make sure to use this skill when the user mentions PHP security testing, disable_functions bypass, safe_mode testing, PHP vulnerability assessment, or web application security audits involving PHP.

Install: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.3-win32std-ext-protections-bypass/SKILL.MD

PHP disable_functions and safe_mode Bypass Testing

Purpose

This skill helps security professionals test for PHP configuration bypass vulnerabilities during authorized penetration testing engagements only. Understanding these bypass techniques is essential for:

  • Assessing PHP hardening effectiveness
  • Identifying misconfigurations in production systems
  • Validating security controls
  • Remediation guidance

Authorization Requirements

CRITICAL: Only use these techniques on systems where you have:

  • Written authorization from the system owner
  • A valid penetration testing engagement
  • Proper scope documentation

Unauthorized testing is illegal and unethical.

Vulnerability Overview

PHP's disable_functions and safe_mode settings are designed to restrict dangerous function calls. However, certain PHP extensions can bypass these restrictions:

The Bypass Mechanism

  1. disable_functions: Blocks specific PHP functions (e.g., system(), exec(), shell_exec())
  2. safe_mode: Restricts file access and function execution (deprecated in PHP 5.4, removed in 7.0)
  3. Extension bypass: Some extensions like win32std on Windows can execute system commands without going through the disabled function checks

Affected Versions

  • PHP 5.2.x (particularly 5.2.3)
  • Windows environments with the win32std extension
  • Other extensions may have similar issues on different platforms

Testing Methodology

Step 1: Information Gathering

Check PHP configuration:

<?php
phpinfo();
?>

Look for:

  • disable_functions value
  • safe_mode status
  • Loaded extensions (especially win32std, com_dotnet, php_intl)

Step 2: Verify Restrictions

Test if functions are actually disabled:

<?php
$test_functions = ['system', 'exec', 'shell_exec', 'passthru', 'proc_open'];
foreach ($test_functions as $func) {
    if (function_exists($func)) {
        echo "$func: EXISTS\n";
    } else {
        echo "$func: DISABLED\n";
    }
}
?>

Step 3: Check for Bypass Extensions

Identify potentially dangerous extensions:

<?php
// Keys must be the names the extensions register with PHP (what
// extension_loaded() checks), not the DLL file names used in php.ini:
// php_intl.dll registers as 'intl'.
$dangerous_extensions = [
    'win32std'  => 'Windows shell execution',
    'com_dotnet' => 'COM/.NET execution',
    'intl'      => 'Internationalization (may have RCE)',
    'suhosin'   => 'Security extension (can be bypassed)'
];

foreach ($dangerous_extensions as $ext => $desc) {
    if (extension_loaded($ext)) {
        echo "⚠️ $ext loaded: $desc\n";
    }
}
?>

Step 4: Test Bypass Vectors

Only in authorized test environments:

win32std Extension (Windows)

If win32std is loaded, it may bypass disable_functions:

<?php
if (extension_loaded('win32std')) {
    echo "win32std extension detected - potential bypass available\n";
    // Document this finding - do not execute in production
}
?>

COM Extension (Windows)

<?php
if (extension_loaded('com_dotnet')) {
    echo "com_dotnet extension detected - potential bypass available\n";
}
?>

php_intl Extension

<?php
if (extension_loaded('intl')) {
    echo "intl extension detected - check for ICU RCE vulnerabilities\n";
}
?>
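The checks in Steps 2 to 4 look at one name at a time. The audit below, an added example that is not part of the original skill, ties them together from the defender's side: it reads the live disable_functions list and compares it with every function actually exported by the loaded win32std and com_dotnet extensions, so any process-spawning function left outside the list is reported. It runs under the interpreter being assessed, uses only standard PHP builtins, and executes nothing.

```php
<?php
// Added audit example, not part of the original skill: compares the runtime
// disable_functions list with the functions actually exported by loaded
// extensions that can spawn processes. It reports gaps and executes nothing.

// Core functions named in Step 2, and the extensions named in Step 3.
function coreProcessFunctions() {
    return array('system', 'exec', 'shell_exec', 'passthru', 'proc_open');
}
function riskyExtensions() {
    return array('win32std', 'com_dotnet');
}
// disable_functions is a comma-separated list; normalise case and whitespace.
function disabledFunctions() {
    $names = array();
    foreach (explode(',', (string) ini_get('disable_functions')) as $f) {
        $f = strtolower(trim($f));
        if ($f !== '') {
            $names[$f] = true;
        }
    }
    return $names;
}
// A function stays callable when it exists and is absent from disable_functions.
// Both are checked so the result does not depend on how this PHP version's
// function_exists() treats disabled functions.
function uncoveredFunctions(array $candidates, array $disabled) {
    $gaps = array();
    foreach ($candidates as $f) {
        if (function_exists($f) && !isset($disabled[strtolower($f)])) {
            $gaps[] = $f;
        }
    }
    return $gaps;
}

function auditExecutionSurface() {
    $disabled = disabledFunctions();
    $report = array('core' => uncoveredFunctions(coreProcessFunctions(), $disabled));
    foreach (riskyExtensions() as $ext) {
        if (extension_loaded($ext)) {
            // Every function the extension registers is callable unless named above.
            $funcs = get_extension_funcs($ext);
            $report[$ext] = uncoveredFunctions($funcs ? $funcs : array(), $disabled);
        }
    }
    return $report;
}

foreach (auditExecutionSurface() as $source => $gaps) {
    printf("%-10s %s\n", $source, $gaps ? 'CALLABLE: ' . implode(', ', $gaps) : 'covered');
}
```

Any line reading CALLABLE is a finding to record; the extension rows show the exact names that a per-function disable_functions entry would have to include.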

Detection Indicators

Signs of Vulnerability

  1. disable_functions is set but dangerous extensions are loaded
  2. safe_mode is enabled on PHP < 5.4
  3. Windows environment with the win32std extension
  4. Function restrictions don't match actual behavior

Log Analysis

Check for:

  • Unexpected process spawns (cmd.exe, powershell.exe)
  • PHP errors mentioning disabled functions
  • Extension loading messages

Remediation

Immediate Actions

  1. Disable dangerous extensions in php.ini:

    ;extension=php_win32std.dll
    ;extension=php_com_dotnet.dll
    
  2. Upgrade PHP to a supported version (7.4+ or 8.x)

  3. Remove safe_mode (deprecated) and use proper alternatives:

    • open_basedir restrictions
    • SELinux/AppArmor policies
    • Containerization

Long-term Hardening

  1. Principle of least privilege: Run PHP as non-root user
  2. Disable unnecessary extensions: Audit and remove unused extensions
  3. Use modern PHP versions: PHP 5.x is end-of-life
  4. Implement WAF: Web Application Firewall for additional protection
  5. Regular security audits: Periodic penetration testing

Reporting

When documenting findings:

  1. Severity: High (allows command execution despite restrictions)
  2. CVSS Factors:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • Impact: Complete system compromise
  3. Evidence: Screenshots of phpinfo, extension list, test results
  4. Remediation: Specific steps from above

Legal Disclaimer

This skill is for authorized security testing only. Unauthorized access to computer systems is illegal under laws including:

  • Computer Fraud and Abuse Act (CFAA) - USA
  • Computer Misuse Act - UK
  • Similar laws in other jurisdictions

Always obtain written authorization before testing.
