FUGIO is the first automatic exploit generation (AEG) tool for PHP object injection (POI) vulnerabilities. The artifact includes Docker images to run the experiments performed in the paper. We tested our Docker images and scripts on a Ubuntu 18.04 machine.
To install Docker CE, please follow the instructions in this link.
For our scripts not to ask you for sudo password, we assumed that you run Docker commands as a non-root user. Please follow the instructions in this link.
We provide three Docker images depending on PHP versions: PHP 5.4, PHP 5.6, and PHP 7.2.
Build each Docker image by running 1_docker_build.sh in each folder. Each takes about 5 ~ 20 minutes.
When building a Docker image for PHP 5.4,
cd php5.4 ./1_docker_build.sh
After building a Docker image, run the corresponding 2_docker_run.sh and 3_docker_exec.sh scripts.
FUGIO uses RabbitMQ for communicating between different modules.
We can set up RabbitMQ using run_rabbitmq.sh.
- Username: fugio
- Password: fugio_password
- RabbitMQ Management port: 15672
In the Docker container, execute the following commands.
-
PHP 5.4:
cd /FUGIO ./install_54.sh /start.sh & /create_user.sh -
PHP 5.6:
cd /FUGIO ./install_56.sh /start.sh & /create_user.sh -
PHP 7.2:
cd /FUGIO ./install_72.sh /start.sh & /create_user.sh
We evaluated 30 PHP applications in the paper.
We uploaded all target applications' source code in each benchmarks/org_code.
We also provide dump files of applications and databases for convenient settings.
If you want to install all applications, run install.py all.
If you want to install each application, install.py [dump file path].
The applications will be installed in /app/ directory.
cd /FUGIO/benchmarks
./install.py [all/dump file path]
For other applications, it requires manual installation.
Add .htaccess file for monitoring POI vulnerabilities by running htaccess.py.
cd /FUGIO
./htaccess.py on
If you want to stop monitoring, run htaccess.py off.
We need at least two Docker container terminals.
One is for running FUGIO and the other is for triggering POI vulnerabilities.
You can connect two shells by running 3_docker_exec.sh in two terminals respectively.
In the first terminal, run FUGIO using run_FUGIO_XX.sh with the target applications path
(i.e. /app/[target application]).
In the other terminal, trigger the corresponding POI vulnerability using the given scripts.
I recommend the following applications for obtaining results fastly.
- PHP 5.4: Open Web Analytics, CMS Made Simple, SwiftMailer 5.0.1, SwiftMailer 5.1.0, Smarty, CubeCart
- PHP 5.6: EverestForms, Emailsubscribers, PHPExcel 1.8.1, PHPExcel 1.8.2, WooCommerce 2.6.0
- PHP 7.2: SwiftMailer 5.4.12, SwiftMailer 6.0.0, Monolog 1.7.0, Laminas
Warning. If you get the results that you expect, I recommend stopping the FUGIO. If not, FUGIO might last 12 hours and require hundreds GBs of disk space for some applications. Since it might identify millions of POP chains and try fuzzing for the identified chains.
-
PHP 5.4:
./run_FUGIO_54.sh [target application path]- For CubeCart,
./run_FUGIO_cubecart.sh [target application path]
- For CubeCart,
-
PHP 5.6:
./run_FUGIO_56.sh [target application path] -
PHP 7.2:
./run_FUGIO_72.sh [target application path]
Warning. FUGIO uses all CPU cores by default. If you want to change it, add --cpus= option.
Also, the size of each Docker container can be over 20 GB after running FUGIO.
./run_FUGIO_XX.sh --cpus=12 [target application path]
If you run the command, FUGIO starts to analyze the source code of the target application.
At the first run, FUGIO generates a dump file in Files/dump_files.
It is for reducing time to analyze the target source code when you run FUGIO again for the same application.
If the source code of the target application is changed, you need to delete its dump file and run the script again.
When you run FUGIO on Smarty (PHP 5.4),
# ./run_FUGIO.sh /app/smarty-3.1.28/ /app/smarty-3.1.28/index.php /app/smarty-3.1.28/libs/Smarty.class.php /app/smarty-3.1.28/libs/Autoloader.php /app/smarty-3.1.28/libs/SmartyBC.class.php ... /app/smarty-3.1.28/vendor/composer/installed.php /app/smarty-3.1.28/vendor/composer/InstalledVersions.php /app/smarty-3.1.28/vendor/composer/autoload_namespaces.php Done! (215) CLASSES: 175 (Before autoload)FUGIO generates
app.smarty-3.1.28.dumpfile inFiles/dump_files/after successfully analyzing the source code.# ls Files/dump_files/ app.smarty-3.1.28.dump
After FUGIO finishes analyzing the source code, FUGIO starts to monitor a POI vulnerability. We can trigger POI vulnerabilities using crawlers, spiders, or manual browsing. In the artifact, we provide scripts for triggering each POI vulnerability.
-
PHP 5.4:
- Contao CMS, Piwik, GLPI, Joomla, CubeCart, CMS Made Simple, Open Web Analytics, Vanilla Forums:
cd /FUGIO/Trigger/ ./ccs_run.py [target application path] - SwiftMailer 5.0.1, SwiftMailer 5.1.0, Smarty, ZendFramework:
cd /FUGIO/Trigger/ ./lib_run.py [target application path]
- Contao CMS, Piwik, GLPI, Joomla, CubeCart, CMS Made Simple, Open Web Analytics, Vanilla Forums:
-
PHP 5.6:
- PHPExcel 1.8.1, PHPExcel 1.8.2, Dompdf, Guzzle, WooCommerce 2.6.0, WooCommerce 3.4.0, Emailsubscribers, EverestForms:
cd /FUGIO/Trigger/ ./wp_run.py [target application path]
- PHPExcel 1.8.1, PHPExcel 1.8.2, Dompdf, Guzzle, WooCommerce 2.6.0, WooCommerce 3.4.0, Emailsubscribers, EverestForms:
-
PHP 7.2:
- TCPDF, SwiftMailer 5.4.12, SwiftMailer 6.0.0, Monolog 1.7.0, Monolog 1.18.0, Monolog 2.0.0, Laminas, Yii:
cd /FUGIO/Trigger/ ./lib_run.py [target application path] - Drupal7: https://github.com/WSP-LAB/FUGIO/tree/main/Trigger/drupal
- TYPO3: https://github.com/WSP-LAB/FUGIO/tree/main/Trigger/typo3
- TCPDF, SwiftMailer 5.4.12, SwiftMailer 6.0.0, Monolog 1.7.0, Monolog 1.18.0, Monolog 2.0.0, Laminas, Yii:
When you trigger the POI vulnerability of Smarty (PHP 5.4),
# cd Trigger/ # ./lib_run.py /app/smarty-3.1.28/FUGIO starts to analyze the POI vulnerability and identify POP chains and generate their exploit objects.
[#] Exploitable! - Injected Function: unserialize() MAGIC METHODS: ['__destruct', '__call', '__callStatic', '__get', '__set', '__isset', '__unset', '__sleep', '__wakeup', '__toString', '__set_state', '__clone'] DECL_CLASSES: 304 (After autoload) DECL_INTERFACES: 15 (After autoload) DECL_TRAITS: 0 (After autoload) USER_CLASSES: 170 (After autoload) CLASSES: 175 (Before autoload) ... [+] Time: 00:00:01:09 [+] Fuzzer - Chain Found: 7/49 (14.29 %) [+] Fuzzer - Chain Tried: 15/15 (100.0 %) - Skip: 0 [+] Fuzzer - Chain Tried (+ Skip): 15/15 (100.0 %) [+] Fuzzer - Running: 4/12 (33.33 %) [+] Fuzzer - Sink Reach: 1/7 (14.29 %) [+] Fuzzer - Success: 1/7 (14.29 %) ...
All outputs are generated in the Files/fuzzing/[app_path.time]/PUT/ directory.
put-head.phpandput-body.php: a PUT fileinst_PUT.php: an instrumented PUT file for fuzzing the target applicationprocX_X_X_X_X_X.chain: an identified POP chainPROBABLY_EXPLOITABLE: a directory for probably exploitable exploit objects (payloads)EXPLOITABLE: a directory for exploitable exploit objects (payloads)
When running FUGIO on Smarty (PHP 5.4),
- this is the final result:
[+] Time: 00:00:01:54 [+] Fuzzer - Chain Found: 7/49 (14.29 %) [+] Fuzzer - Chain Tried: 15/15 (100.0 %) - Skip: 0 [+] Fuzzer - Chain Tried (+ Skip): 15/15 (100.0 %) [+] Fuzzer - Running: 0/12 (0.0 %) [+] Fuzzer - Sink Reach: 1/7 (14.29 %) [+] Fuzzer - Success: 1/7 (14.29 %) Total time: 120.78427648544312(s)
- there are 15 POP chains:
# cd Files/fuzzing/app.smarty-3.1.28.yymmddhhmmss/PUT # ls proc*.chain proc0_1_3_1_240_2.chain proc0_4_3_1_240_2.chain proc1_2_3_0_252_2.chain proc1_5_3_0_252_2.chain proc32_1_3_2_45_1.chain proc0_2_3_1_240_2.chain proc0_5_3_1_240_2.chain proc1_3_3_0_252_2.chain proc24_1_3_2_45_1.chain proc3_1_2_1_22_1.chain proc0_3_3_1_240_2.chain proc1_1_3_0_252_2.chain proc1_4_3_0_252_2.chain proc2_1_2_0_14_2.chain proc44_1_3_1_37_2.chain- there is one exploit object:
# ls EXPLOITABLE XXXXXXXXXXXXXX_proc44_1_3_1_37_2.chain.php_887700_unlink- there are 214 probably exploititable objects:
Among 214 POP chains, there are unique 2 POP chains:# ls PROBABLY_EXPLOITABLE | wc -l 214 # ls PROBABLY_EXPLOITABLE/ # ls PROBABLY_EXPLOITABLE/ XXXXXXXXXXXXXX_proc44_1_3_1_37_2.chain.php_887700_unlink XXXXXXXXXXXXXX_proc2_1_2_0_14_2.chain.php_909905_call_user_func_array XXXXXXXXXXXXXX_proc2_1_2_0_14_2.chain.php_909905_call_user_func_array XXXXXXXXXXXXXX_proc2_1_2_0_14_2.chain.php_909905_call_user_func_array XXXXXXXXXXXXXX_proc2_1_2_0_14_2.chain.php_909905_call_user_func_array XXXXXXXXXXXXXX_proc2_1_2_0_14_2.chain.php_909905_call_user_func_array XXXXXXXXXXXXXX_proc2_1_2_0_14_2.chain.php_909905_call_user_func_array XXXXXXXXXXXXXX_proc2_1_2_0_14_2.chain.php_909905_call_user_func_array XXXXXXXXXXXXXX_proc2_1_2_0_14_2.chain.php_909905_call_user_func_array XXXXXXXXXXXXXX_proc2_1_2_0_14_2.chain.php_909905_call_user_func_array XXXXXXXXXXXXXX_proc2_1_2_0_14_2.chain.php_909905_call_user_func_array XXXXXXXXXXXXXX_proc2_1_2_0_14_2.chain.php_909905_call_user_func_array ...proc44_1_3_1_37_2.chainandproc2_1_2_0_14_2.chain. When counting the number of probably exploitable POP chains, we exclude exploitable POP chains. Thusproc44_1_3_1_37_2.chainis excluded and the number of probably exploitable POP chains is one.
The artifact provides environments for reproducing evaluations in Sections 7.2 and 7.3 producing Tables 1, 2, and 3 in the paper.
-
For reproducing Table 1, run
./config.py orginphp5.4,php5.6, andphp7.2Docker containers before following the step 3 "Run FUGIO".cd /FUGIO ./config.py orgThen, run the following commands depending on the version of PHP and applications.
- php 5.4:
- CubeCart:
./run_FUGIO_cubecart.sh - Others:
./run_FUGIO_54.sh
- CubeCart:
- php 5.6:
./run_FUGIO_56.sh - php 7.2:
./run_FUGIO_72.sh
The number of true positive chains in Table 1 is manually analyzed. We provide a utility for helping the analysis of the generated POP chains in the step 5 "Analyzing the results".
- php 5.4:
-
For reproducing Table 2, run
./config.py ccsinphp5.4Docker container before following the step 3 "Run FUGIO".cd /FUGIO ./config.py ccsThen, run the following commands depending on the applications.
- php 5.4:
- CubeCart:
./run_FUGIO_cubecart_all.sh - Others:
./run_FUGIO_54_all.sh
- CubeCart:
Since Dahse et al. did not provide the details of each chain, we could not match each exploitable chain. Thus, we compared the numbers of exploit objects that FUGIO reported with the numbers reported in their paper.
- php 5.4:
-
For reproducing Table 3, run
./config.py phpggcinphp5.4,php5.6, andphp7.2Docker containers, before following the step 3 "Run FUGIO".cd /FUGIO ./config.py phpggcThen, run the following commands depending on the version of PHP.
- php 5.4:
- CubeCart:
./run_FUGIO_cubecart.sh - Others:
./run_FUGIO_54.sh
- CubeCart:
- php 5.6:
./run_FUGIO_56.sh - php 7.2:
./run_FUGIO_72.sh
PHPGGC provides templates for generating POP exploits. However, it is not clear that what POP gadget each POP chain consists of. Thus, we provide POP chains from PHPGGC in the repo (https://github.com/WSP-LAB/FUGIO/tree/main/PHPGGC) by analyzing each template.
chain_analyzerin "Analyzing the results" also will be helpful for analyzing the reported POP chains. - php 5.4:
We provide chain_analyzer to easily analyze the generated POP chains.
For using it, follow the instructions.
cd /app
ln -s /FUGIO/chain_analyzer
Then, enter website "http://[ip]:[port]/chain_analyzer/chain_analyzer.php?file_path=[chain_path]".
For each Docker image, the port is assigned as 5454 (php 5.4), 5656 (php 5.6), and 7272 (php 7.2).
For example, http://127.0.0.1:5454/chain_analyzer/chain_analyzer.php?file_path=/FUGIO/Files/fuzzing/app.owa-1.5.6.211101184553/PUT/proc33_1_2_1_18_1.chain
shows the detils of the chain proc33_1_2_1_18_1.chain.
It also can list all POP chains: http://127.0.0.1:5454/chain_analyzer/sink_list.php?dir_path=/FUGIO/Files/fuzzing/app.owa-1.5.6.211101184553/PUT.