Skip to content

frontdevops/php-evil

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits

assets

assets

 
 

tests

tests

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

config.m4

config.m4

 
 

config.w32

config.w32

 
 

evil.c

evil.c

 
 

evil.ini

evil.ini

 
 

evil.stub.php

evil.stub.php

 
 

evil_arginfo.h

evil_arginfo.h

 
 

php-hardening.ini

php-hardening.ini

 
 

php_evil.h

php_evil.h

 
 

Repository files navigation

Evil Eval PHP 8

PHP extension to disable the eval language construct in PHP8

Reasons

I got sick of hackers and others who trying to execute different PHP shells based on execution of eval. I can turn off dangerous functions through the php.ini, but I can't turn off the eval using standard methods.

Eval function can't be disabled via the disabled_functions in INI setting, because eval is not a function!

I haven't found Suhosin module for PHP 8.0 or any other solutions. So I wrote an extension for this.

eval('$i = 123');

// Result of execution
Fatal error: syntax error, unexpected token, expecting end of file in /www/index.php on line 3

Or, if disabled hide presence this extension

eval('$i = 123');

// Result of execution
Fatal error: eval is not a function in /www/index.php on line 3

In PHP 8 no longer supports eval by:

  1. preg_replace('/a/e', $_REQUEST['shell'], 'a') -> Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
  2. mb_ereg_replace('a', $_REQUEST['shell'], 'a', 'e'); -> Fatal error: Uncaught ValueError: Option "e" is not supported
  3. create_function -> Fatal error: Uncaught Error: Call to undefined function create_function()

And now with my extension, you can disable eval

Disable eval in PHP8 Screenshot

Or

Disable eval in PHP8 Screenshot

Versions

  • Works for PHP8.
  • Tested in PHP 8.0.8 on my production server and it works well. Possibly more versions, but I haven't explicitly tested it.

Build instructions

  1. git clone https://github.com/frontdevops/php-evil
  2. cd php-evil
  3. phpize
  4. ./configure or ./configure --enable-hide-presence (whether to hide presence this extension)
  5. make && make install
  6. Add to php.ini extension=evil.so

Build in Docker

FROM php:8.0-fpm


RUN git clone https://github.com/frontdevops/php-evil && \
    cd php-evil && \
    phpize && ./configure --enable-hide-presence && \
    make && make install && \
    echo "extension=evil.so" > /usr/local/etc/php/conf.d/evil.ini && \
    cd .. && \
    rm -rf php-evil

License

My Standard Open Source License

  1. As it is
  2. No guarantees that any of this works anymore
  3. I will not be responsible for your code and do not guarantee that everything works as it should on your server.
  4. Other in No license text

Feedback and supports

If you have any suggestions, create a pull request.

About

Disable eval instruction in PHP8

Resources

Readme

License

Unlicense license
Activity

Stars

33 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages