mm0r1 / exploits Goto Github PK

how modify it at php5

In many case that trigger bypass, How phper deal with it?

Hello
My version of PHP is PHP Version 7.1.27

disable_functions：passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,fsocket,popen

I uploaded exploit. PHP to the website，Execution is wrong, and the information is as follows.

Couldn't parse ELF

Can you solve it, please?

What changes are needed at the addresses if the system is 32-bit? Thank you

From cli work perfect

But from apache2 not work, i get error "connection reset"

Apache/2.4.18 (Ubuntu)
Ubuntu 16.04.3

Hey,

I noticed you mentioned that this is applicable to 5.x, just wondering if you could share the changes that are needed for that?

Thanks.

Do you have any suggestions if I want to learn how to exploit, thank you.

A talk was given at 2016 Ruxcon:
https://2016.ruxcon.org.au/slides/

PHP Internals: Exploit Dev Edition

This talk showed how to scan the running memory for PHP and hot-patch the memory space to enable functions by toggling the setting in RAM.

As this has been ~3 years in the making, might give you an idea to create another path...

Hi @mm0r1

Incredible work you have published!!!

This is among the best (if not the best) PHP code that I have seen in many years.

Currently all of your published scripts require PHP reference syntax; do you have any bypass code that works without references?

I have a unique situation where I allow end-users to publish PHP code on a server with minimal restrictions, so I’m very interested in the work you are publishing.

Works on an up to date Ubuntu 18.04.3 with PHP 7.2.19.
Can anything be done other than disabling gc_collect_cycles while waiting for the issue to be patched?

Is it possible in "php-concat-bypass" exploit POC to return back the ability to execute functions like proc_open, popen, passthru etc.?
Not just introduce new function "pwn", but load disabled functions?

Treat it as a feature request. I'll pay 500$ for this in btc.
Love, Peace =*

As the title