Jump to content
YOUR-AD-HERE
HOSTING
TOOLS

Locked PHPGGC

0x1

By INACTIVE 0x1
in Tools

 Share

Recommended Posts

0x1 Little Hacker

INACTIVE 0x1

Posted
Posted

PHPGGC: PHP Generic Gadget Chains

This is the hidden content, please

PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically. When encountering an unserialize on a website you don’t have the code of, or simply when trying to build an exploit, this tool allows you to generate the payload without having to go through the tedious steps of finding gadgets and combining them. It can be seen as the equivalent of Ysoserial, but for PHP. Currently, the tool supports: CodeIgniter4, Doctrine, Drupal7, Guzzle, Laravel, Magento, Monolog, Phalcon, Podio, Slim, SwiftMailer, Symfony, Wordpress, Yii and ZendFramework.

Requirements

Quote

PHP >= 5.6 is required to run PHPGGC.

Usage

Run ./phpggc -l to obtain a list of gadget chains:

Spoiler
This is the hidden content, please

 

Every gadget chain has:

  • Name: Name of the framework/library
  • Version: Version of the framework/library for which gadgets are for
  • Type: Type of exploitation: RCE, File Write, File Read, Include…
  • Vector: the vector to trigger the chain after the unserialize (__destruct(), __toString(), offsetGet(), …)
  • Informations: Other informations about the chain

Use -i to get detailed information about a chain:

This is the hidden content, please

Once you have selected a chain, run ./phpggc <gadget-chain> [parameters] to obtain the payload. For instance, to obtain a payload for Monolog, you’d do:

This is the hidden content, please

For a file write using SwiftMailer, you’d do:

This is the hidden content, please

Wrapper

The --wrapper (-w) option allows you to define a PHP file containing the following functions:

  • process_parameters($parameters): Called right before generate(), allows to change parameters
  • process_object($object): Called right before serialize(), allows to change the object
  • process_serialized($serialized): Called right after serialize(), allows to change the serialized string

For instance, if the vulnerable code looks like this:

This is the hidden content, please

You could use a __toString() chain, wrapping it like so:

This is the hidden content, please

And you’d call phpggc like so:

This is the hidden content, please

PHAR(GGC)

History

At BlackHat US 2018, @s_n_t released PHARGGC, a fork of PHPGGC which instead of building a serialized payload, builds a whole PHAR file. This PHAR file contains serialized data and as such can be used for various exploitation techniques (file_exists, fopen, etc.). The paper is here.

This is the hidden content, please

Implementation

PHAR archives come in three different formats: PHAR, TAR, and ZIP. The three of them are supported by PHPGGC. Polyglot files can be generated using --phar-jpeg (-pj). Other options are available (use -h).

Examples

This is the hidden content, please

Encoders

Arguments allow to modify the way the payload is output. For instance, -u will URL encode it, and -b will convert it to base64. Payloads often contain NULL bytes and cannot be copy/pasted as-is. Use -s for a soft URL encode, which keeps the payload readable.

The encoders can be chained, and as such the order is important. For instance, ./phpggc -b -u -u slim/rce1 system id will base64 the payload, then URLencode it twice.

Advanced: Enhancements

Fast destruct

PHPGGC implements a --fast-destruct (-f) flag, that will make sure your serialized object will be destroyed right after the unserialize() call, and not at the end of the script. I’d recommend using it for every __destruct vector, as it improves reliability. For instance, if PHP script raises an exception after the call, the __destruct method of your object might not be called. As it is processed at the same time as encoders, it needs to be set first.

This is the hidden content, please

ASCII Strings

Uses the S serialization format instead of the standard s. This replaces every non-ASCII value to an hexadecimal representation: s:5:"A<null_byte>B<cr><lf>";̀ -> S:5:"A\00B\09\0D"; This can be useful when for some reason non-ascii characters are not allowed (NULL BYTE for instance). Since payloads generally contain them, this makes sure that the payload consists only of ASCII values. Note: this is experimental and it might not work in some cases.

Plus Numbers

Sometimes, PHP scripts verify that the given serialized payload does not contain objects by using a regex such as /O:[0-9]+:. This is easily bypassed using O:+123:... instead of O:123:. One can use --plus-numbers <types>, or -n <types>, to automatically add these + signs in front of symbols. For instance, to obfuscate objects and strings, one can use: --n Os. Please note that since PHP 7.2, only i and d (float) types can have a +.

More info && Download

This is the hidden content, please

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.