PHPGGC
PHPGGC generates payloads that exploit unsafe object deserialization vulnerabilities in PHP applications. It provides a library of gadget chains and a command-line tool for creating serialized payloads.
Description
PHPGGC is a specialized tool for generating gadget chains that exploit unsafe object deserialization in PHP. This vulnerability occurs when applications unserialize untrusted data, allowing attackers to execute arbitrary code through carefully crafted object chains. The tool maintains a library of known gadget chains for popular PHP frameworks and libraries, enabling rapid payload creation for penetration testing and vulnerability research.
Use cases include testing PHP web applications for deserialization flaws, such as in content management systems or custom APIs. It supports various output formats like PHAR files and polyglots, making payloads suitable for different injection vectors. Enhancements like fast-destruct and ASCII-safe serialization help bypass common detection mechanisms.
The command-line interface simplifies payload generation, listing available chains, and even testing them locally. The --test-payload option is useful for exploitation demos, but it comes with a warning: it executes the payload's code on the attacker's own system.
How It Works
PHPGGC leverages PHP's object serialization mechanism, crafting gadget chains—sequences of classes with magic methods like __destruct, __wakeup, or __toString—that trigger when unserialized. It serializes objects from vulnerable frameworks (e.g., Laravel, Drupal) into payloads executable via unserialize(). PHAR support creates deserialization vectors within archive files, exploiting PHP's PHAR stream handling. Techniques like fast-destruct destroy objects immediately post-unserialize to evade script-end cleanup, while encoders (base64, URL) obfuscate payloads for evasion.
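For defenders, the serialized-object token that every such payload must contain can be detected in request input even under the base64 and URL encoding layers mentioned above. The following is an added example, not part of PHPGGC or the original page; the function names and the harmless stdClass sample are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote_to_bytes

# Token that makes unserialize() instantiate a class: O:<len>:"Class":<props>:{
# (C: is the Serializable variant). Class names may be namespaced.
OBJECT_TOKEN = re.compile(rb'[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
BASE64_SHAPE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed, harmless sample: a stdClass object with one string property.
SAMPLE = b'O:8:"stdClass":1:{s:1:"a";s:1:"b";}'
# The same bytes base64-encoded, then URL-encoded twice.
SAMPLE_ENCODED = quote(quote(base64.b64encode(SAMPLE).decode(), safe=""), safe="")


def decoded_forms(raw: bytes, max_rounds: int = 4):
    """Yield raw plus every form reachable by URL- or base64-decoding it."""
    seen, frontier = {raw}, [raw]
    yield raw
    for _ in range(max_rounds):
        next_frontier = []
        for item in frontier:
            candidates = [unquote_to_bytes(item)]
            if BASE64_SHAPE.fullmatch(item):
                try:
                    candidates.append(base64.b64decode(item, validate=True))
                except (binascii.Error, ValueError):
                    pass  # looked like base64 but was not
            for cand in candidates:
                if cand not in seen:
                    seen.add(cand)
                    next_frontier.append(cand)
                    yield cand
        frontier = next_frontier


def serialized_classes(value: str) -> list[str]:
    """Return class names from PHP serialized-object tokens found in value."""
    names = []
    for form in decoded_forms(value.encode("utf-8", "surrogateescape")):
        for match in OBJECT_TOKEN.finditer(form):
            name = match.group(1).decode("ascii")
            if name not in names:
                names.append(name)
    return names
```

A non-empty result on a parameter that should never carry objects is worth logging or blocking; the class names returned indicate which library's classes the input tries to instantiate.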
Installation
sudo apt install phpggc
Flags
Examples
./phpggc -l
./phpggc -l drupal
./phpggc Laravel/RCE1 system id
./phpggc SwiftMailer/FW1 /var/www/html/shell.php /path/to/local/shell.php
./phpggc -N Drupal RCE
./phpggc [GadgetChain] -b -u -u
./phpggc [GadgetChain] -p phar -f