Skip to content
Branch: master
Find file History
Type Name Latest commit message Commit time
Failed to load latest commit information. Update Nov 28, 2019
exploit.php Fix leaking basic_functions for some builds Jan 30, 2020

PHP 7.1-7.3 disable_functions bypass

Check out my php7-gc-bypass exploit which uses another bug that works on all php 7.0-7.3 versions released as of 28.11.2019.

not an issue

This exploit utilises a use after free vulnerability in json serializer in order to bypass disable_functions and execute a system command. It should be fairly reliable and work on all server apis, although that is not guaranteed.


  • 7.1 - all versions to date
  • 7.2 < 7.2.19 (released: 30 May 2019)
  • 7.3 < 7.3.6 (released: 30 May 2019)

Credits to @cfreal for the original bug discovery.

You can’t perform that action at this time.