Introduce --session-encode/-se option

Creastery · web-flow · commit a56721eccf82 · 2024-04-09T12:22:56.000+08:00
Allow using session_encode() instead of serialize() to generate the payload.
diff --git a/lib/PHPGGC.php b/lib/PHPGGC.php
@@ -194,7 +194,10 @@ public function serialize($gc, $parameters)
         $parameters = $this->process_parameters($gc, $parameters);
         $object = $gc->generate($parameters);
         $object = $this->process_object($gc, $object);
-        $serialized = serialize($object);
+        if(in_array('session-encode', $this->options))
+            $serialized = $this->session_encode($object);
+        else
+            $serialized = serialize($object);
         $serialized = $this->process_serialized($gc, $serialized);
         return $serialized;
     }
@@ -367,6 +370,26 @@ function phar_generate($serialized)
         return $phar->generate();
     }
 
+    #
+    # Session Encode
+    #
+
+    /**
+     * Uses session_encode() instead of serialize().
+     * 
+     * This is useful if you have an existing arbitrary file write primitive, but the
+     * web root directory is non-writable. In such cases, it is possible to forge a 
+     * session file containing an unserialize() payload and trigger the chain by 
+     * visiting any webpage that invokes session_start().
+     */
+    function session_encode($object)
+    {
+        $_SESSION['_'] = $object;
+        $serialized = session_encode();
+        session_destroy();
+        return $serialized;
+    }
+
     /**
      * Applies command line parameters and options to the gadget chain
      * parameters.
@@ -555,6 +578,10 @@ protected function help()
         $this->o('  -pf, --phar-filename <filename>');
         $this->o('     Defines the name of the file contained in the generated PHAR (default: test.txt)');
         $this->o('');
+        $this->o('SESSION ENCODE');
+        $this->o('  -se, --session-encode');
+        $this->o('     Uses session_encode() instead of serialize() to generate the payload.');
+        $this->o('');
         $this->o('ENHANCEMENTS');
         $this->o('  -f, --fast-destruct');
         $this->o('     Applies the fast-destruct technique, so that the object is destroyed');
@@ -649,6 +676,8 @@ function _parse_cmdline_arg(&$i, &$argv, &$parameters, &$options)
             'phar-jpeg' => true,
             'phar-prefix' => true,
             'phar-filename' => true,
+            # Session Encode
+            'session-encode' => false,
             # Enhancements
             'fast-destruct' => false,
             'ascii-strings' => false,
@@ -676,7 +705,8 @@ function _parse_cmdline_arg(&$i, &$argv, &$parameters, &$options)
             'phar-filename' => 'pf',
             'new' => 'N',
             'ascii-strings' => 'a',
-            'armor-strings' => 'A'
+            'armor-strings' => 'A',
+            'session-encode' => 'se',
         ] + $abbreviations;
 
         # If we are in this function, the argument starts with a dash, so we
@@ -783,6 +813,10 @@ protected function parse_cmdline($argv)
                     $this->o($gc, 2);
                     $this->o($this->_get_command_line_gc($gc));
                     return;
+                case 'session-encode':
+                    session_name('phpggc');
+                    session_start();
+                    break;
             }
         }
 
