php-json-bypass

PHP 7.1-7.3 disable_functions bypass

Check out my php7-gc-bypass exploit which uses another bug that works on all php 7.0-7.3 versions released as of 28.11.2019.

This exploit utilises a use after free vulnerability in json serializer in order to bypass disable_functions and execute a system command. It should be fairly reliable and work on all server apis, although that is not guaranteed.

Targets

7.1 - all versions to date
7.2 < 7.2.19 (released: 30 May 2019)
7.3 < 7.3.6 (released: 30 May 2019)

Credits to @cfreal for the original bug discovery.

Name		Name	Last commit message	Last commit date
parent directory ..
README.md		README.md
exploit.php		exploit.php

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

php-json-bypass

php-json-bypass

README.md

README.md

exploit.php

exploit.php

README.md

PHP 7.1-7.3 disable_functions bypass

Targets

Files

php-json-bypass

Directory actions

More options

Directory actions

More options

Latest commit

History

php-json-bypass

Folders and files

parent directory

README.md

README.md

exploit.php

exploit.php

README.md

PHP 7.1-7.3 disable_functions bypass

Targets