php-json-bypass

PHP 7.1-7.3 disable_functions bypass

Check out my php7-gc-bypass exploit, which uses another bug and works on all PHP 7.0-7.3 versions released as of 28.11.2019.


not an issue


This exploit uses a use-after-free vulnerability in the JSON serializer to bypass disable_functions and execute a system command. It should be fairly reliable and work on all server APIs, although that is not guaranteed.

Targets

  • 7.1 - all versions to date
  • 7.2 < 7.2.19 (released: 30 May 2019)
  • 7.3 < 7.3.6 (released: 30 May 2019)

Credits to @cfreal for the original bug discovery.