PHP 7.1-7.3 disable_functions bypass
This exploit utilises a use after free vulnerability in json serializer in order to bypass
disable_functions and execute a system command. It should be fairly reliable and work on all server apis, although that is not guaranteed.
- 7.1 - all versions to date
- 7.2 < 7.2.19 (released: 30 May 2019)
- 7.3 < 7.3.6 (released: 30 May 2019)
Credits to @cfreal for the original bug discovery.