Very cool stuff! But when you say "weaponized", that sort of implies there's a vulnerability that can be attacked. Are there scenarios where a PHP author doesn't already have code execution, e.g. via system() or exec()?
-
Maybe a generous use of the term. :) But yes, often settings like disable_functions will be enabled, restricting what the script can do. This bypasses those restrictions.
-
Maybe you can find this article about extracting the function parameters useful: https://x-c3ll.github.io/posts/find-bypass-disable_functions/ … . I used reflection+scraping PHP.net+symbols+parsing errors.
-
Very cool! Hadn't considered these methods. Good ideas.
-
Nice work re-purposing @ifsecure's Domato to fuzz PHP.
-
Thank you! Shoulders of giants
-
Nice work. I wonder if that would be worth making domato more generic than just fuzzing output for browsers so there is no need to duplicate generator.py for each new target (spoiler: I did the same in the past)
-
I imagine there's a wide variety of other languages and formats it would be effective against.
-
2020 lookin like


-
Happy new year