huntergregal
/ php_FFI_exploit.php
Created
July 8, 2020 00:08
PHP FFI disable_functions Bypass (no FFI::load or FFI::cdefs) hunter gregal
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /* | |
| FFI Exploit - uses 3 potential BUGS. | |
| PHP was contacted and said nothing in FFI is a security issue. | |
| Able to call system($cmd) without using FFI::load() or FFI::cdefs() | |
| * BUG #1 (maybe intended, but why have any size checks then?) | |
| no bounds check for FFI::String() when type is ZEND_FFI_TYPE_POINTER | |
| (https://github.com/php/php-src/blob/php-7.4.7RC1/ext/ffi/ffi.c#L4411) |