Bypass disable_functions in PHP by JSON serializer

Hi,
Welcome to my blog!

Have you ever used an online PHP sandbox, or bumped into a CTF where you can upload a web shell but cannot call functions like system, passthru, shell_exec, ...?
Yeah, in most cases a warning like this will be displayed:

This is caused by the disable_functions directive. You can disable any function (typically the dangerous ones) by listing it under disable_functions in php.ini. For example, many sites are configured like this:

So, how can I bypass it? Thanks to mm0r1 for sharing an outstanding exploit that bypasses disable_functions in PHP 7.x by using a use-after-free bug in the JSON serializer. The exploit works on every PHP 7.1.x, on 7.2.x before 7.2.19 and on 7.3.x before 7.3.6.

Using mm0r1's exploit, I could easily execute arbitrary commands in online PHP sandboxes that run the PHP versions above. I found that many of these sites do not use Docker, so I could really pwn the web servers:

The next step is only elevating to root!

I think this exploit will also be used as a web shell in APT attacks, so if you are on a blue team you should take a look at it and prepare to deal with it.
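A small defender-side check, added here as an example and not code from the post or from mm0r1's exploit: it reports whether the running PHP build falls inside the version ranges named above (7.1.x, 7.2.x before 7.2.19, 7.3.x before 7.3.6) and which command-execution functions disable_functions currently blocks. The function names beyond the three the post mentions (exec, proc_open, popen) are my own additions to the watch list.

```php
<?php
// Added example (not part of the original post): report whether this PHP build
// is in the version ranges the post names for the JSON-serializer UAF exploit,
// and what disable_functions currently blocks.

function isAffectedVersion(string $version): bool
{
    // Ranges stated in the post: all 7.1.x, 7.2.x < 7.2.19, 7.3.x < 7.3.6
    $ranges = [
        ['7.1.0', '7.2.0'],
        ['7.2.0', '7.2.19'],
        ['7.3.0', '7.3.6'],
    ];
    foreach ($ranges as [$low, $high]) {
        if (version_compare($version, $low, '>=') && version_compare($version, $high, '<')) {
            return true;
        }
    }
    return false;
}

function disabledFunctions(): array
{
    // disable_functions is a comma-separated list; normalise whitespace and empties
    $raw = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $raw))));
}

function report(): array
{
    $disabled = disabledFunctions();
    // system, passthru and shell_exec come from the post; the rest are assumed additions
    $watched  = ['system', 'passthru', 'shell_exec', 'exec', 'proc_open', 'popen'];
    return [
        'php_version'      => PHP_VERSION,
        'in_affected_range' => isAffectedVersion(PHP_VERSION),
        'disable_functions' => $disabled,
        'still_callable'    => array_values(array_diff($watched, $disabled)),
    ];
}

$r = report();
printf("PHP %s: %s\n", $r['php_version'],
    $r['in_affected_range'] ? 'inside the version ranges named in the post, upgrade' : 'outside those ranges');
printf("disable_functions: %s\n", $r['disable_functions'] ? implode(', ', $r['disable_functions']) : '(empty)');
printf("watched functions still callable: %s\n",
    $r['still_callable'] ? implode(', ', $r['still_callable']) : '(none)');
```

Run it from the CLI with `php check.php` or drop it on the web server to see the web SAPI's own settings, since php.ini can differ between the two. The version test only reflects the upstream ranges stated in the post; a distribution that backports the fix without bumping the version string will still show as affected, so confirm against your vendor's changelog. Note also that the post's whole point is that disable_functions on an affected build is not a real boundary: an empty `still_callable` list only tells you the configuration is in place, not that it holds.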

If you found it valuable, please share it with other people.
If you have any questions, please don't hesitate to ask me on Twitter or leave a comment.
Thank you for reading!
