ambionics / phpggc

PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
https://ambionics.io/blog
Apache License 2.0

Added features on test-gc + 2 doctrine-bundle RCE #140

Closed remsio-syn closed 1 year ago

remsio-syn commented 1 year ago

test-gc-compatibility.py improvements

I adapted test-gc-compatibility.py and added some features on it.

Taking the PHP version in consideration

test-gc was installing the packages with the option --ignore-platform-reqs, which installed the packages without taking into consideration the version of PHP running the payloads. This can cause some issues if incompatible packages are installed; in my case it broke the dependency psr/log and installed the latest, even though it is not compatible with PHP 7.4.

So I replaced it with the option --ignore-platform-req=ext-*, which takes the PHP version into consideration but ignores PHP extension requirements.

Give details on the PHP version which runs test-gc

Since the PHP version on which the gadget chain runs can cause unexpected issues, I printed it at the start of test-gc to make it easier to debug.

Selecting specific package versions

Before this update, running test-gc on packages with a ton of versions, such as symfony/symfony, could take hours.

You can now specify the versions you want to test by using the following syntax:

$ ./test-gc-compatibility.py monolog/monolog:2.3.0,1.25.4 monolog/rce1 monolog/rce3
Testing 2 versions for monolog/monolog against 2 gadget chains.

┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃ monolog/monolog ┃ Package ┃ monolog/rce1 ┃ monolog/rce3 ┃
┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━┩
│ 2.3.0           │   OK    │      OK      │      KO      │
│ 1.25.4          │   OK    │      OK      │      KO      │
└─────────────────┴─────────┴──────────────┴──────────────┘

Docker compatibility for test-gc-compatibility.py

The packages required to use test-gc-compatibility.py were added to the Dockerfile; you can run it from Docker with the following syntax:

$ docker run --entrypoint './test-gc-compatibility.py' phpggc doctrine/doctrine-bundle:2.2,2.7.2 doctrine/rce1 doctrine/rce2
Runing on PHP version ('PHP 8.1.13 (cli) (built: Nov 30 2022 21:53:44) (NTS).
Testing 2 versions for doctrine/doctrine-bundle against 2 gadget chains.

┏━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┓
┃ doctrine/doctrine-bundle ┃ Package ┃ doctrine/rce1 ┃ doctrine/rce2 ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━┩
│ 2.2                      │   OK    │      OK       │      OK       │
│ 2.7.2                    │   OK    │      OK       │      KO       │
└──────────────────────────┴─────────┴───────────────┴───────────────┘

Two gadget chains on the doctrine/doctrine-bundle package

I also added two gadget chains working on several doctrine/doctrine-bundle versions: Doctrine/RCE1 works from version 1.5.1 to version 2.7.2; Doctrine/RCE2 works from version 1.11.0 to version 2.3.2.

Since the PHP version has an influence on the chain Doctrine/RCE1, here are the ./test-gc-compatibility.py results on PHP 7.4.33 and 8.1.13:

On PHP 7.4.33:

[screenshots: php7_popchain_1, php7_popchain_2, php7_popchain_3]

On PHP 8.1.13:

[screenshots: php8_popchain_1, php8_popchain_2, php8_popchain_3]

cfreal commented 1 year ago

Thank you, remsio !