<?php
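/**
* Environment Enumeration & Bypass Potential Checker
* Intended to be non-destructive: most checks only read configuration, but a few
* exercise a function (for example changing directory or setting a variable) to
* see whether it works.
* The report discloses hardening state (disable_functions, open_basedir, loaded
* extensions, environment variables), so treat its output as sensitive.
* Output is designed to be clear and machine-readable (key: value lines).
*/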
/**
 * Report whether a function can be invoked from this script.
 *
 * Both function_exists() and is_callable() must agree; the rest of the report
 * uses the result to print ENABLED/DISABLED and YES/NO lines.
 *
 * @param mixed $func Name of the function to probe.
 * @return bool True only when both checks pass.
 */
function is_func_usable($func) {
    if (!function_exists($func)) {
        return false;
    }

    return is_callable($func);
}
// --- Basic Info ---
// Runtime identity, printed as "key: value" lines.
// NOTE(review): get_current_user() returns the owner of the script file, which is
// not necessarily the account the PHP process runs as; the UID/GID lines below
// describe the process itself.
echo "=== BASIC INFO ===\n";
echo "PHP Version: ", phpversion(), "\n";
echo "Server Software: ", ($_SERVER['SERVER_SOFTWARE'] ?? 'unknown'), "\n";
echo "PHP SAPI: ", php_sapi_name(), "\n";
echo "Current User: ", (function_exists('get_current_user') ? get_current_user() : 'unknown'), "\n";
// The posix_* lookups are guarded because the posix extension may be absent.
echo "UID: ", (function_exists('posix_getuid') ? posix_getuid() : 'unknown'), "\n";
echo "GID: ", (function_exists('posix_getgid') ? posix_getgid() : 'unknown'), "\n";
// --- Security Settings ---
// Prints the raw ini values that define PHP's own sandboxing for this pool/vhost.
// An empty disable_functions or open_basedir is shown as 'none'.
echo "\n=== SECURITY SETTINGS ===\n";
$disabled = ini_get('disable_functions');
$open_basedir = ini_get('open_basedir');
echo "disable_functions: ", ($disabled ?: 'none'), "\n";
echo "open_basedir: ", ($open_basedir ?: 'none'), "\n";
// The remaining directives are echoed exactly as ini_get() returns them.
foreach (['cgi.fix_pathinfo', 'display_errors', 'allow_url_fopen', 'allow_url_include'] as $ini_key) {
    echo "{$ini_key}: " . ini_get($ini_key) . "\n";
}
// --- Critical Functions Status ---
// One line per function that is commonly restricted on shared or hardened hosts.
// For a hardening review, every ENABLED line is a candidate for disable_functions
// unless the application demonstrably needs it.
echo "\n=== FUNCTION AVAILABILITY ===\n";
$critical_funcs = [
    'system',
    'exec',
    'shell_exec',
    'passthru',
    'popen',
    'proc_open',
    'pcntl_exec',
    'putenv',
    'mail',
    'imap_open',
    'error_log',
    'dl',
    'pcntl_fork',
    'posix_setsid',
    'posix_kill',
    'apache_setenv',
];
foreach ($critical_funcs as $func) {
    $state = is_func_usable($func) ? 'ENABLED' : 'DISABLED';
    echo "{$func}: {$state}\n";
}
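// --- Extensions (Modules) ---
// get_loaded_extensions() returns names in their registered case (the FFI
// extension reports itself as "FFI"), so a case-sensitive lookup for 'ffi'
// would print NOT LOADED on a host where it is loaded and understate exposure.
// The list is lower-cased once here; later sections reuse $exts with
// lower-case names and benefit from the same normalisation.
echo "\n=== LOADED EXTENSIONS (key ones) ===\n";
$exts = array_map('strtolower', get_loaded_extensions());
$key_exts = ['ffi', 'imagick', 'curl', 'sockets', 'mysqli', 'pdo_mysql', 'xmlrpc', 'soap', 'ftp', 'mbstring', 'openssl'];
foreach ($key_exts as $ext) {
    // Strict comparison: both sides are plain strings.
    echo "$ext: " . (in_array($ext, $exts, true) ? 'LOADED' : 'NOT LOADED') . "\n";
}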
// --- FFI Specific Check ---
// Runs only when 'ffi' is found in $exts (built in the extensions section).
// The probe declares a single C prototype and never calls it; the returned
// object is not used afterwards.
// NOTE(review): whether FFI::cdef() succeeds at request time presumably depends
// on the ffi.enable setting - confirm on the host being reviewed.
if (in_array('ffi', $exts)) {
    echo "\n=== FFI DETAILS ===\n";
    if (!class_exists('FFI')) {
        echo "FFI class exists: NO\n";
    } else {
        echo "FFI class exists: YES\n";
        try {
            $ffi = FFI::cdef("int printf(const char *format, ...);");
            echo "FFI basic binding: WORKING\n";
        } catch (Throwable $e) {
            // Any failure is reported as a report line rather than aborting the run.
            echo "FFI basic binding: ERROR - " . $e->getMessage() . "\n";
        }
    }
}
// --- Network Functions ---
// Lists which outbound-connection primitives PHP code on this host can call.
// Nothing is connected to here; only callability is reported.
echo "\n=== NETWORK CAPABILITIES ===\n";
foreach (['fsockopen', 'stream_socket_client', 'curl_init', 'socket_create'] as $net_func) {
    $answer = is_func_usable($net_func) ? 'YES' : 'NO';
    echo $net_func . ": " . $answer . "\n";
}
// --- File System Tests (within open_basedir) ---
// Reports, for a fixed list of directories, whether PHP can see and write to them.
// NOTE(review): is_dir() also returns false for a path that open_basedir hides,
// so "NOT FOUND" can mean "not visible to PHP" rather than "does not exist".
echo "\n=== FILESYSTEM WITHIN OPEN_BASEDIR ===\n";
$test_dirs = ['/tmp', '/www/wwwroot/hljrlsj.com', '/var/tmp', '/dev/shm'];
foreach ($test_dirs as $dir) {
    if (!is_dir($dir)) {
        echo "$dir: NOT FOUND\n";
        continue;
    }
    $writable = is_writable($dir) ? 'WRITABLE' : 'NOT WRITABLE';
    echo "$dir: " . $writable . "\n";
}
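// Check current working directory and ability to change.
// The result is taken from chdir()'s return value instead of comparing getcwd()
// with '/tmp': the comparison reports FAILED when /tmp is a symlink and SUCCESS
// when the process already sat in /tmp. The original directory is restored
// afterwards so the probe does not leave the process in /tmp for the rest of
// the run.
$original_cwd = getcwd();
$cwd = $original_cwd ?: 'unknown';
echo "Current working directory: $cwd\n";
if (is_func_usable('chdir')) {
    $changed = @chdir('/tmp');
    echo "chdir to /tmp: " . ($changed ? 'SUCCESS' : 'FAILED') . "\n";
    // Undo the probe; skipped when the starting directory could not be read.
    if ($changed && $original_cwd !== false) {
        @chdir($original_cwd);
    }
}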
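// --- mail() check ---
// Availability is reported without calling mail(). A real call hands a message
// to the local MTA, which is a side effect on the host and contradicts the
// script's stated non-destructive intent. The function-availability section
// already shows whether mail is callable; this line keeps the same key so
// consumers of the "key: value" output still find it.
if (is_func_usable('mail')) {
    echo "\n=== MAIL FUNCTION ===\n";
    echo "mail() test returned: SKIPPED (callable; no message sent)\n";
} else {
    echo "\n=== MAIL FUNCTION: DISABLED ===\n";
}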
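// --- putenv test ---
// Sets a throwaway variable, reads it back, then puts the environment back the
// way it was so the probe leaves no trace in the process environment.
if (is_func_usable('putenv')) {
    echo "\n=== PUTENV ===\n";
    // Remember any pre-existing value (false means the variable was not set).
    $previous_test_env = getenv('TEST_ENV');
    @putenv('TEST_ENV=123');
    $env = getenv('TEST_ENV');
    // getenv() returns a string or false, so a strict comparison is sufficient.
    echo "putenv/getenv test: " . ($env === '123' ? 'WORKING' : 'FAILED') . "\n";
    if ($previous_test_env === false) {
        // putenv() with a bare name removes the variable.
        @putenv('TEST_ENV');
    } else {
        @putenv('TEST_ENV=' . $previous_test_env);
    }
}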
// --- PHP-FPM Socket Check (if we can find it) ---
// Looks at one hard-coded socket path, prints its permission bits and tries a
// one-second connect that is closed immediately; nothing is written to it.
// For a hardening review, a SUCCESS line means the account running this script
// can reach the FastCGI listener directly; the socket's owner/group/mode in the
// FPM pool configuration (listen.owner, listen.group, listen.mode) is the
// control to check.
$sock_path = '/tmp/php-cgi-73.sock';
echo "\n=== PHP-FPM SOCKET ===\n";
if (!file_exists($sock_path)) {
    echo "Socket exists: NO\n";
} else {
    echo "Socket exists: YES\n";
    // Keep the last four octal digits, i.e. the permission bits without the file type.
    $mode_octal = sprintf('%o', fileperms($sock_path));
    echo "Socket permissions: " . substr($mode_octal, -4) . "\n";
    $test = @stream_socket_client('unix://' . $sock_path, $errno, $errstr, 1);
    if (!$test) {
        echo "Socket connection: FAILED ($errstr)\n";
    } else {
        echo "Socket connection: SUCCESS\n";
        fclose($test);
    }
}
// --- Environment Variables (potentially sensitive) ---
// Values are printed verbatim, so the report itself becomes sensitive data.
// The ?: fallback means an empty or "0" value is shown as 'not set'.
echo "\n=== ENVIRONMENT VARIABLES (selected) ===\n";
$env_vars = ['PATH', 'LD_PRELOAD', 'LD_LIBRARY_PATH', 'TEMP', 'TMP', 'USER', 'HOME'];
foreach ($env_vars as $var) {
    $value = getenv($var);
    echo "$var: " . ($value ?: 'not set') . "\n";
}
// --- Database Checks (if extensions loaded) ---
// Availability only: no connection is attempted because no credentials are known.
// NOTE(review): the mysqli line is printed from the extension list, not from a
// class_exists() check, despite its wording.
if (in_array('mysqli', $exts)) {
    echo "\n=== MYSQLI ===\n", "mysqli class exists: YES\n";
}
if (in_array('pdo_mysql', $exts)) {
    echo "\n=== PDO_MYSQL ===\n", "PDO MySQL driver available: YES\n";
}
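// --- Dangerous PHP Configurations ---
// ini_get() can return the literal text of a boolean directive ("Off", "off",
// "false") as well as "" / "0" / "1". A plain truthiness test treats "Off" as
// enabled and raises a false alarm, so the value is parsed as a boolean first.
// A directive that does not exist (ini_get() returns false) parses as off.
echo "\n=== DANGEROUS SETTINGS ===\n";
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    echo "allow_url_include = ON (dangerous)\n";
}
if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
    echo "allow_url_fopen = ON (may allow RFI)\n";
}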
// --- Summary of Potential Bypass Vectors ---
// Collects one line per condition that weakens a disable_functions/open_basedir
// sandbox. Read each entry as a hardening lead: the usual responses are adding
// the function to disable_functions, unloading the extension, or setting
// cgi.fix_pathinfo=0.
echo "\n=== POTENTIAL BYPASS VECTORS ===\n";
$vectors = [];
$mail_ok = is_func_usable('mail');
$putenv_ok = is_func_usable('putenv');

if ($mail_ok) {
    $vectors[] = 'mail() (if not blocked by disabled_functions, may invoke sendmail)';
}
if (in_array('ffi', $exts) && class_exists('FFI')) {
    $vectors[] = 'FFI extension (direct C calls)';
}
if (in_array('imagick', $exts)) {
    $vectors[] = 'Imagick (possible command injection via image payloads)';
}
if ($putenv_ok) {
    $vectors[] = 'putenv (LD_PRELOAD possible if combined with mail/error_log)';
}
if (is_func_usable('proc_open') || is_func_usable('popen')) {
    $vectors[] = 'proc_open/popen (direct command execution)';
}
// NOTE(review): this test looks only at the ini value, not at the SAPI or the
// PHP patch level, so the CVE mention is a prompt to verify versions and the
// nginx configuration rather than a confirmed finding.
if (ini_get('cgi.fix_pathinfo') == 1) {
    $vectors[] = 'cgi.fix_pathinfo=1 (possible CVE-2019-11043 if Nginx misconfigured)';
}
if (is_writable('/tmp') && $putenv_ok && $mail_ok) {
    $vectors[] = 'LD_PRELOAD via /tmp + putenv + mail';
}

if (count($vectors) === 0) {
    echo "No obvious bypass vectors found within PHP.\n";
} else {
    // One " - " bullet per entry, each terminated by a newline.
    echo " - " . implode("\n - ", $vectors) . "\n";
}
echo "\n=== END OF REPORT ===\n";
?>