Note
web
php
snuffleupagus
file-upload
validation
rce
When Snuffleupagus is loaded, check whether its upload-validation hooks interpret attacker-controlled bytes before assuming classic PHP routes still work.
Snuffleupagus Upload Validation RCE without VLD
Snuffleupagus changes the exploit landscape enough to deserve a dedicated branch in the checklist. Some historical paths depended on upload-validation behavior plus a missing VLD extension.
Why It Matters
- The protections (and their gaps) differ from a vanilla PHP target, so verify the enabled features before assuming classic object injection / function-call routes behave normally.
Vulnerable Pattern
snuffleupagus loaded, file-upload validation enabled, and documentation or phpinfo() suggesting an unusual validation configuration.
Exploit Flow
- Verify the exact Snuffleupagus features enabled.
- If upload validation is involved, look for ways attacker-controlled uploaded bytes are interpreted by validation hooks or side tooling.
Common Blockers
- The specific vulnerable validation path is not enabled, or VLD is installed, removing the intended primitive.
PoC Sketch
# confirm Snuffleupagus is loaded in phpinfo()
# check whether upload_validation is enabled and VLD is absent
# then see whether validation hooks touch attacker-controlled upload content
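The same three checks can be run as a configuration audit on a host you administer, given a copy of the Snuffleupagus rules file and the output of `php -m`. This is an added example, not part of the original note; the rule form `sp.upload_validation.script("...").enable();`, the module names `snuffleupagus` and `vld`, and the sample inputs are assumptions or constructed for illustration.

```python
import re

# Rule form assumed from Snuffleupagus' documented syntax:
#   sp.upload_validation.script("<path>").enable();
_RULE = re.compile(r'^\s*sp\.upload_validation\.(.+?);\s*$')
_SCRIPT = re.compile(r'script\(\s*"([^"]*)"\s*\)')


def parse_upload_validation(rules_text):
    """Return (enabled, script_path) from the text of a rules file."""
    enabled, script = False, None
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):      # skip comment lines
            continue
        m = _RULE.match(line)
        if not m:
            continue
        body = m.group(1)
        s = _SCRIPT.search(body)
        if s:
            script = s.group(1)
        if re.search(r'\benable\(\)', body):   # a later rule overrides an earlier one
            enabled = True
        elif re.search(r'\bdisable\(\)', body):
            enabled = False
    return enabled, script


def loaded_modules(php_m_output):
    """Parse `php -m` output into a set of lower-cased module names."""
    names = (l.strip().lower() for l in php_m_output.splitlines())
    return {n for n in names if n and not n.startswith("[")}


def audit(rules_text, php_m_output):
    """Return (status, script): 'not-applicable', 'ok' or 'review'."""
    mods = loaded_modules(php_m_output)
    enabled, script = parse_upload_validation(rules_text)
    if "snuffleupagus" not in mods or not enabled:
        return "not-applicable", script
    # Per the note: with VLD installed the primitive is removed.
    return ("ok" if "vld" in mods else "review"), script


# Constructed sample inputs (hypothetical path, not from a real host).
SAMPLE_RULES = '# constructed\nsp.upload_validation.script("/opt/sp/validate.py").enable();\n'
SAMPLE_PHP_M = "[PHP Modules]\nCore\nsnuffleupagus\n\n[Zend Modules]\n"

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, SAMPLE_PHP_M))
```

A `review` result means upload validation is enabled while VLD is not loaded, which is the combination the note flags.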
Good Situations To Use It
- phpinfo() shows Snuffleupagus with upload validation on.
- VLD appears absent.
- Classic PHP RCE routes are blocked.
Sources
fcsc2026/web/secure_mood_notes_2