Hi, welcome to my blog!

Have you ever used an online PHP sandbox, or bumped into a CTF where you can upload a web shell but can't use functions like system, passthru, shell_exec, ...? Yeah, in most cases a warning will be displayed like this:

This is caused by the disable_functions directive. You can disable any functions (dangerous functions) by setting it in the php.ini file. For example, many sites are configured like this:

So, how can I bypass it? Thanks to mm0r1 for sharing an outstanding exploit that bypasses disable_functions in PHP 7.x by using a use-after-free bug in the JSON serializer. The exploit succeeds on all PHP 7.1.x versions, 7.2.x versions before 7.2.19 and 7.3.x versions before 7.3.6.

Using mm0r1's exploit, I could easily execute any commands in the online PHP sandboxes that use the PHP versions above. I found many sites are not using docker and so I can really pwn the web servers:

The next step is only elevating to root!

I think this exploit will also be used as a web shell in APT attacks, so you should take a look and prepare to deal with it if you are in a blue team.

If you found it valuable, please share it with other people. If you have any questions, please don't hesitate to ask me on Twitter or leave a comment.

Thank you for reading!
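
For the blue-team preparation suggested above, here is a triage check, added as an example and not taken from this post or from mm0r1's exploit. It flags a host whose PHP version falls in the affected ranges stated above while its php.ini still relies on disable_functions. The function names, the `php -v` style banner and the php.ini snippet are constructed assumptions.

```python
import re

# Ranges exactly as the post states them: every 7.1.x, 7.2.x before 7.2.19,
# 7.3.x before 7.3.6. Value = first fixed patch release (None = none named).
AFFECTED = {(7, 1): None, (7, 2): 19, (7, 3): 6}

def parse_php_version(banner):
    """Pull (major, minor, patch) out of a `php -v` style banner."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no PHP version found in %r" % banner)
    return tuple(int(g) for g in m.groups())

def in_affected_range(version):
    # Distribution packages can backport fixes without bumping the upstream
    # version, so treat a hit as a triage signal and confirm with the vendor.
    major, minor, patch = version
    if (major, minor) not in AFFECTED:
        return False
    fixed = AFFECTED[(major, minor)]
    return fixed is None or patch < fixed

def parse_disable_functions(ini_text):
    """Return the disable_functions set; the last assignment wins."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop php.ini comments
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "disable_functions":
            names = value.strip().strip('"').split(",")
            disabled = {n.strip().lower() for n in names if n.strip()}
    return disabled

def audit(banner, ini_text):
    version = parse_php_version(banner)
    disabled = parse_disable_functions(ini_text)
    affected = in_affected_range(version)
    return {
        "version": ".".join(map(str, version)),
        "affected": affected,
        "disabled": sorted(disabled),
        # Deny list is configured, but this version lets it be bypassed.
        "deny_list_bypassable": affected and bool(disabled),
    }

# Constructed sample input, not taken from any real host.
SAMPLE_BANNER = "PHP 7.2.18 (cli) (built: May  2 2019 10:00:00) ( NTS )"
SAMPLE_INI = "; hardening\ndisable_functions = system, passthru, shell_exec\n"
print(audit(SAMPLE_BANNER, SAMPLE_INI))
```

A host flagged with deny_list_bypassable should be upgraded past the fixed releases named above and isolated at the OS or container level, since the deny list on its own does not contain code running in an affected interpreter.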