ambionics / phpggc

PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
https://ambionics.io/blog
Apache License 2.0

Minor improvement to Symfony/RCE11 Chain #155

Closed Creastery closed 1 year ago

Creastery commented 1 year ago

Hi,

This PR improves the Symfony/RCE11 gadget chain by removing the redundant dependency on symfony/browserkit.

In the original gadget chain, \Symfony\Component\BrowserKit\Response was used to trigger a foreach() loop in __toString().

However, I realised that some Symfony-based applications do not actually have symfony/browserkit installed. After taking a quick look at the Symfony/RCE11 gadget chain, it would appear that the \Symfony\Component\Validator\ConstraintViolationList class has the following __toString() implementation:

    public function __toString()
    {
        $string = '';

        foreach ($this->violations as $violation) { // triggers getIterator()
            $string .= $violation."\n";
        }

        return $string;
    }

This makes \Symfony\Component\Validator\ConstraintViolationList a suitable candidate gadget, rendering the usage of the \Symfony\Component\BrowserKit\Response redundant.

Unsurprisingly, this minor improvement does not affect the range of versions the gadget chain will work on when tested with test-gc-compatibility.py since \Symfony\Component\Validator\ConstraintViolationList was already used as part of the original gadget chain.

Great work on discovering the universal gadget chain by the way! Cheers!

cfreal commented 1 year ago

Hello Creastery,

Nice work, and thanks for the detailed explanation!

Pushing.

Charles