Category: Exploitation
Tags: php, gadget chains, deserialization, rce, phar, payload

PHPGGC

PHPGGC generates payloads that exploit unsafe object deserialization vulnerabilities in PHP applications. It provides a library of gadget chains and a command-line tool for creating serialized payloads.

Description

PHPGGC is a specialized tool for generating gadget chains that exploit unsafe object deserialization in PHP. This vulnerability occurs when applications unserialize untrusted data, allowing attackers to execute arbitrary code through carefully crafted object chains. The tool maintains a library of known gadget chains for popular PHP frameworks and libraries, enabling rapid payload creation for penetration testing and vulnerability research.

Use cases include testing PHP web applications for deserialization flaws, such as in content management systems or custom APIs. It supports various output formats like PHAR files and polyglots, making payloads suitable for different injection vectors. Enhancements like fast-destruct and ASCII-safe serialization help bypass common detection mechanisms.

The command-line interface handles payload generation, lists the available chains, and can test a chain locally. Note that --test-payload includes vendor/autoload.php and calls unserialize() on the generated payload, so it executes the gadget chain on the machine running PHPGGC, not on a target.

How It Works

PHPGGC leverages PHP's object serialization mechanism, crafting gadget chains (sequences of existing application classes whose magic methods, such as __destruct, __wakeup, or __toString, run automatically during or after unserialization). It serializes objects from vulnerable frameworks (e.g., Laravel, Drupal) into payloads that take effect when the target passes them to unserialize(). PHAR support embeds the serialized payload in an archive's metadata, which PHP deserializes when a phar:// path is opened through the PHAR stream wrapper, including by filesystem functions such as file_exists(). The fast-destruct technique causes the object to be destroyed immediately after the unserialize() call rather than at script end, so __destruct fires even if the script errors out later; encoders (base64, URL) format payloads for different injection vectors and for evasion.
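The following PHP snippet is an added illustration of the mechanism described above; it is not PHPGGC code. The class TempFileCleaner, the serialized string, and the helper functions are all constructed for this example. It shows a minimal "gadget" (a class whose __destruct has a side effect), the same unserialize() call in unsafe and hardened form, a pre-deserialization check that rejects object markers, and the mitigation for the phar:// vector.

```php
<?php
// Added example (not PHPGGC's own code). TempFileCleaner is a constructed,
// hypothetical gadget: its __destruct runs automatically when the object is
// released, including objects that unserialize() created from attacker input.

class TempFileCleaner
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Side effect reachable through deserialization: deletes whatever $path
    // points to, with no check that the object was created legitimately.
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Serialized form of the gadget, constructed here for the demonstration.
// In a real application this string would arrive from a request parameter,
// cookie, or uploaded file.
$untrusted = 'O:15:"TempFileCleaner":1:{s:4:"path";s:14:"/tmp/important";}';

// 1. Unsafe: any class known to the autoloader may be instantiated, so the
//    __destruct of TempFileCleaner fires as soon as the result is released.
//    Defined only for contrast; the demonstration below never calls it.
function unsafeUnserialize(string $data): mixed
{
    return unserialize($data);
}

// 2. Hardened: allowed_classes => false turns every object into a
//    __PHP_Incomplete_Class stub, which has no magic methods, so no gadget
//    chain can run. json_decode() is preferable for new code; this option is
//    the fix for legacy code that must keep accepting serialized scalars/arrays.
function safeUnserialize(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// 3. Detection before deserialization, assuming the legitimate format never
//    contains objects: reject input carrying object markers ('O:' for plain
//    objects, 'C:' for classes with custom serialization).
function containsSerializedObject(string $data): bool
{
    return (bool) preg_match('/(?:^|[{;])[OC]:\d+:"/', $data);
}

// 4. PHAR vector: filesystem functions (file_exists, is_file, ...) on a
//    user-controlled path beginning with phar:// deserialize the archive's
//    metadata. Unregistering the wrapper removes that vector in applications
//    that do not need PHAR archives at runtime.
function disablePharWrapper(): void
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
}

// Demonstration: the payload is flagged, and with the hardened call the
// deserialized value is an inert stub whose destructor cannot run.
var_dump(containsSerializedObject($untrusted));
var_dump(containsSerializedObject('a:1:{i:0;s:2:"ok";}'));

$obj = safeUnserialize($untrusted);
var_dump($obj instanceof __PHP_Incomplete_Class);

disablePharWrapper();
var_dump(in_array('phar', stream_get_wrappers(), true));
```

The object-marker check in step 3 is a coarse input-validation control for endpoints whose serialized data is known to be scalar-only; it is not a substitute for allowed_classes or for replacing PHP serialization with JSON, since a legitimate object-bearing format cannot be filtered this way.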

Installation

```bash
sudo apt install phpggc
```

Flags

-h, --help: Displays help
-l, --list [filter]: Lists available gadget chains
-i, --information: Displays information about a gadget chain
-o, --output <file>: Outputs the payload to a file instead of standard output
-p, --phar <tar|zip|phar>: Creates a PHAR file of the given format
-pj, --phar-jpeg <file>: Creates a polyglot JPEG/PHAR file from the given image
-f, --fast-destruct: Applies the fast-destruct technique, so that the object is destroyed right after the unserialize() call
-a, --ascii-strings: Uses the 'S' serialization format instead of the standard 's' for non-printable chars
-s, --soft: Soft URL-encode
-u, --url: URL-encodes the payload
-b, --base64: Converts the output into base64
-N, --new <framework> <type>: Creates the file structure for a new gadget chain for the given framework
--test-payload: Includes vendor/autoload.php and unserializes the payload to test it

Examples

```bash
# Lists all available gadget chains
./phpggc -l

# Lists gadget chains filtered by 'drupal'
./phpggc -l drupal

# Generates a Laravel RCE1 gadget chain payload with 'system' command and 'id' argument
./phpggc Laravel/RCE1 system id

# Generates a SwiftMailer FW1 payload to write a shell.php from a local file to the web directory
./phpggc SwiftMailer/FW1 /var/www/html/shell.php /path/to/local/shell.php

# Creates the file structure for a new Drupal RCE gadget chain
./phpggc -N Drupal RCE

# Generates a payload, base64-encodes it, then URL-encodes it twice
./phpggc [GadgetChain] -b -u -u

# Generates a PHAR payload with the fast-destruct enhancement
./phpggc [GadgetChain] -p phar -f
```
Updated 2026-04-16 (kali.org)