I've recently been fuzzing the PHP interpreter, and took a UaF bug all the way from crashing-sample to weaponized code execution. Here is the first of several blog posts I plan to write about the process. https://blog.jmpesp.org/2020/01/fuzzing-php-with-domato.html
Very cool stuff! But when you say "weaponized", that sort of implies there's a vulnerability that can be attacked. Are there scenarios where a PHP author doesn't already have code execution, e.g. via system() or exec()?
Maybe a generous use of the term. :) But yes, often settings like disable_functions will be enabled, restricting what the script can do. This bypasses those restrictions.
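A concrete picture of the restriction being discussed, added here as an example and not part of the thread or of the linked post: a `disable_functions` line as it would appear in php.ini, and a script showing what a PHP author sees when the usual command-execution functions have been turned off. The function and ini names are standard PHP; the particular list of disabled functions is an assumption chosen for the example, and the error text shown is PHP 8 behaviour.

```php
<?php
// Added example, not from the thread. Two parts:
//
// 1) php.ini (assumed hardened shared-host configuration; set by the operator):
//    disable_functions = system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec
//
// 2) What a script running under that configuration can observe.

// The command-execution functions an operator typically lists in disable_functions.
$execFunctions = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open', 'pcntl_exec'];

// disable_functions is PHP_INI_SYSTEM: it can only be set in php.ini (or by the SAPI),
// never at runtime, so a script cannot ini_set() it back on. It can still be read.
$disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));

foreach ($execFunctions as $fn) {
    // function_exists() reports false for a disabled function (and for pcntl_exec
    // when the pcntl extension is not loaded at all).
    $status = function_exists($fn) ? 'callable' : 'not callable';
    $listed = in_array($fn, $disabled, true) ? ' (listed in disable_functions)' : '';
    printf("%-10s %s%s\n", $fn, $status, $listed);
}

// Calling a disabled function does not silently succeed. Under PHP 8 the call throws
// an Error ("Call to undefined function system()"); PHP 7 emits a warning instead.
try {
    system('id');
} catch (\Error $e) {
    echo "system(): " . $e->getMessage() . "\n";
}
```

Run with `php -d disable_functions=system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec example.php` to reproduce the hardened configuration without editing php.ini. The point of the thread is that this restriction lives inside the interpreter: a memory-corruption bug in the same process sidesteps it entirely, which is why an interpreter-level bug is still meaningful on hosts that rely on `disable_functions`.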
Thx. My understanding was that even the PHP folks themselves claim that locking down what you can do with PHP (i.e. a shared server with an untrusted PHP dev) using PHP itself isn't viable. But perhaps this isn't an accurate representation of what's expected in the real world.
pic.twitter.com/JWlM95d71F
these calls are usually disabled.