Packages and Binaries:


PHPGGC is a library of payloads exploiting unsafe object deserialization. It also provides a command-line tool to generate them.

Installed size: 413 KB
How to install: sudo apt install phpggc

  • php-cli
root@kali:~# phpggc -h

PHPGGC: PHP Generic Gadget Chains

  ./phpggc [-h|-l|-i|...] <GadgetChain> [arguments]

  -h, --help Displays help
  -l, --list [filter] Lists available gadget chains
  -i, --information
     Displays information about a gadget chain

  -o, --output <file>
     Outputs the payload to a file instead of standard output

  -p, --phar <tar|zip|phar>
     Creates a PHAR file of the given format
  -pj, --phar-jpeg <file>
     Creates a polyglot JPEG/PHAR file from given image
  -pp, --phar-prefix <file>
     Sets the PHAR prefix as the contents of the given file.
     Generally used with -p phar to control the beginning of the generated file.
  -pf, --phar-filename <filename>
     Defines the name of the file contained in the generated PHAR (default: test.txt)

  -f, --fast-destruct
     Applies the fast-destruct technique, so that the object is destroyed
     right after the unserialize() call, as opposed to at the end of the
  -a, --ascii-strings
     Uses the 'S' serialization format instead of the standard 's'. This
     replaces every non-ASCII value to an hexadecimal representation:
     s:5:"A<null_byte>B<cr><lf>"; -> S:5:"A\00B\09\0D";
     This is experimental and it might not work in some cases.
  -n, --plus-numbers <types>
     Adds a + symbol in front of every number symbol of the given type.
     For instance, -n iO adds a + in front of every int and object name size:
     O:3:"Abc":1:{s:1:"x";i:3;} -> O:+3:"Abc":1:{s:1:"x";i:+3;}
     Note: Since PHP 7.2, only i and d (float) types can have a +
  -w, --wrapper <wrapper>
     Specifies a file containing either or both functions:
       - process_parameters($parameters): called right before object is created
       - process_object($object): called right before the payload is serialized
       - process_serialized($serialized): called right after the payload is serialized

  -s, --soft   Soft URLencode
  -u, --url    URLencodes the payload
  -b, --base64 Converts the output into base64
  -j, --json   Converts the output into json
  Encoders can be chained, for instance -b -u -u base64s the payload,
  then URLencodes it twice

  -N, --new <framework> <type>
    Creates the file structure for a new gadgetchain for given framework
    Example: ./phpggc -n Drupal RCE
    Instead of displaying or storing the payload, includes vendor/autoload.php and unserializes the payload.
    The test script can only deserialize __destruct, __wakeup, __toString and PHAR payloads.
    Warning: This will run the payload on YOUR system !

  ./phpggc -l
  ./phpggc -l drupal
  ./phpggc Laravel/RCE1 system id
  ./phpggc SwiftMailer/FW1 /var/www/html/shell.php /path/to/local/shell.php

Updated on: 2021-Nov-26