TimeAfterFree
PHP 8 sandbox escape PoC demonstrating a disable_functions bypass on Unix-like systems.
This exploit leverages a use-after-free bug to bypass disable_functions and execute system commands. The exploitation techniques used for leaking heap pointers and obtaining read/write primitives utilize the DateInterval object.
The PoC was tested across multiple standard PHP distributions and common server APIs (CLI, PHP-FPM, Apache module) and reproduces deterministically.
Affected Versions
- PHP 8.2.x
- PHP 8.3.x
- PHP 8.4.x
- PHP 8.5.x
Mitigation / Notes
PHP core is memory-unsafe, and memory corruption in typical PHP deployments is exploitable. While some PHP memory corruption issues and exploitation strategies are publicly known, others are not. Relying on sandboxing mechanisms such as disable_functions for security is wishful thinking.
Disclaimer
The PoC in this repository is provided strictly for educational and research purposes. The author does not endorse or encourage any unauthorized access to systems.