GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → GoSecure → Php7 Opcache Override

GoSecure / Php7 Opcache Override

Licence: mit
Security-related PHP7 OPcache abuse tools and demo

Programming Languages

python
139335 projects - #7 most used programming language

Labels

vulnerabilitypoc

Projects that are alternatives of or similar to Php7 Opcache Override

NSE-scripts
NSE scripts to detect CVE-2020-1350 SIGRED and CVE-2020-0796 SMBGHOST, CVE-2021-21972, proxyshell, CVE-2021-34473
Stars: ✭ 105 (-55.7%)
Mutual labels:  poc, vulnerability
Exphub
Exphub[漏洞利用脚本库] 包括Webloigc、Struts2、Tomcat、Nexus、Solr、Jboss、Drupal的漏洞利用脚本,最新添加CVE-2020-14882、CVE-2020-11444、CVE-2020-10204、CVE-2020-10199、CVE-2020-1938、CVE-2020-2551、CVE-2020-2555、CVE-2020-2883、CVE-2019-17558、CVE-2019-6340
Stars: ✭ 3,056 (+1189.45%)
Mutual labels:  vulnerability, poc
Javadeserh2hc
Sample codes written for the Hackers to Hackers Conference magazine 2017 (H2HC).
Stars: ✭ 361 (+52.32%)
Mutual labels:  vulnerability, poc
CVE-2020-1611
Juniper Junos Space (CVE-2020-1611) (PoC)
Stars: ✭ 25 (-89.45%)
Mutual labels:  poc, vulnerability
Cve 2020 10199 cve 2020 10204
CVE-2020-10199、CVE-2020-10204漏洞一键检测工具,图形化界面。CVE-2020-10199 and CVE-2020-10204 Vul Tool with GUI.
Stars: ✭ 20 (-91.56%)
Mutual labels:  vulnerability, poc
CVE-2021-33766
ProxyToken (CVE-2021-33766) : An Authentication Bypass in Microsoft Exchange Server POC exploit
Stars: ✭ 37 (-84.39%)
Mutual labels:  poc, vulnerability
Ysoserial
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
Stars: ✭ 4,808 (+1928.69%)
Mutual labels:  vulnerability, poc
Hacking
hacker, ready for more of our story ! 🚀
Stars: ✭ 413 (+74.26%)
Mutual labels:  vulnerability, poc
Xray
一款完善的安全评估工具,支持常见 web 安全问题扫描和自定义 poc | 使用之前务必先阅读文档
Stars: ✭ 6,218 (+2523.63%)
Mutual labels:  vulnerability, poc
Vulscan
vulscan 扫描系统:最新的poc&exp漏洞扫描,redis未授权、敏感文件、java反序列化、tomcat命令执行及各种未授权扫描等...
Stars: ✭ 486 (+105.06%)
Mutual labels:  vulnerability, poc
CVE-2020-11651
CVE-2020-11651: Proof of Concept
Stars: ✭ 41 (-82.7%)
Mutual labels:  poc, vulnerability
Bitp0wn
Algorithms to re-compute a private key, to fake signatures and some other funny things with Bitcoin.
Stars: ✭ 59 (-75.11%)
Mutual labels:  vulnerability, poc
dheater
D(HE)ater is a proof of concept implementation of the D(HE)at attack (CVE-2002-20001) through which denial-of-service can be performed by enforcing the Diffie-Hellman key exchange.
Stars: ✭ 142 (-40.08%)
Mutual labels:  poc, vulnerability
Pentesting
Misc. Public Reports of Penetration Testing and Security Audits.
Stars: ✭ 24 (-89.87%)
Mutual labels:  poc, vulnerability
Ary
Ary 是一个集成类工具,主要用于调用各种安全工具,从而形成便捷的一键式渗透。
Stars: ✭ 241 (+1.69%)
Mutual labels:  vulnerability, poc
Poc
Proofs-of-concept
Stars: ✭ 467 (+97.05%)
Mutual labels:  vulnerability, poc
Poccollect
Poc Collected for study and develop
Stars: ✭ 15 (-93.67%)
Mutual labels:  vulnerability, poc
Pub
Vulnerability Notes, PoC Exploits and Write-Ups for security issues disclosed by tintinweb
Stars: ✭ 217 (-8.44%)
Mutual labels:  vulnerability, poc
Dvhma
Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities.
Stars: ✭ 180 (-24.05%)
Mutual labels:  vulnerability
Ladon
大型内网渗透扫描器&Cobalt Strike,Ladon8.9内置120个模块,包含信息收集/存活主机/端口扫描/服务识别/密码爆破/漏洞检测/漏洞利用。漏洞检测含MS17010/SMBGhost/Weblogic/ActiveMQ/Tomcat/Struts2,密码口令爆破(Mysql/Oracle/MSSQL)/FTP/SSH(Linux)/VNC/Windows(IPC/WMI/SMB/Netbios/LDAP/SmbHash/WmiHash/Winrm),远程执行命令(smbexec/wmiexe/psexec/atexec/sshexec/webshell),降权提权Runas、GetSystem,Poc/Exploit,支持Cobalt Strike 3.X-4.0
Stars: ✭ 2,911 (+1128.27%)
Mutual labels:  poc
View All Similar Projects ➔

PHP OPcache Override

This project contains the demo website and the tools presented in the following blog posts :

010 Editor Template

These templates parse OPcache files generated by a 32 and 64 bit platform.

  • Download 010 editor
  • Templates -> Open Template... Select OPCACHE_x86.bt or OPCACHE_x86_64.bt
  • Open your OPcache file
  • Press F5

Python System ID Scraper

This tool lets you extract the system_id of a phpinfo() page. Simply pass a filename or a URL.

$ ./system_id_scraper.py info.html
PHP version : 7.0.4-7ubuntu2
Zend Extension ID : API320151012,NTS
Zend Bin ID : BIN_SIZEOF_CHAR48888
Assuming x86_64 architecture
------------
System ID : 81d80d78c6ef96b89afaadc7ffc5d7ea

OPcache Disassembler

This tool lets you disassemble an OPcache file.

You can display it as a syntax tree (-t) or pseudocode (-c) on both 32 and 64 bit platforms. Simply pass a display option, the architecture to use and an OPcache file.

$ ./opcache_disassembler.py -c -a64 malware.php.bin

#0 $280 = FETCH_IS('_GET', None);
#1 ~0 = ISSET_ISEMPTY_DIM_OBJ($280, 'test');
#2 JMPZ(~408, ->5);
#3 ECHO('success', None);
...

OPcache Malware Hunter

This tool helps detect malware hidden in OPcache files by looking for manipulated OPcache files. It compiles its own version of the source code, compares the compiled file with the current cache file and checks for differences. You must run this tool on the same system as the one where the cache files have been compiled originally.

OPcache malware hunter requires four parameters :

  • The location of the cache folder
  • The architecture of the system (32 or 64 bit)
  • The system_id
  • The php.ini file used

In the situation where a potentially infected cache file is found, OPcache Malware Hunter will generate an HTML report in the filesystem showing the differences between the source code and the infected cache file.

$ ./opcache_malware_hunt.py /tmp/cache -a64 2d3b19863f4c71f9a3adda4c957752e2 /etc/php/7.0/cli/php.ini
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/payload.php.bin
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/payload.php.bin
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-config.php.bin
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-config.php.bin
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-load.php.bin
...
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin
Parsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-includes/pomo/translations.php.bin
Parsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-includes/pomo/translations.php.bin
Potentially infected files :
 - /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin

Main page of generated report :

A typical report page :

diff

Demo

To setup the demo, run the following two commands :

sudo ./setup.sh
php -S 127.0.0.1:8080 -c php.ini

Note that on some Linux based systems, the opcache subsystem is compiled out of the PHP core and must be dynamically loaded. This can be performed by adding the following statement under the [PHP] directive:

zend_extension=opcache.so

Dockerized setup

Due to construct 2.9's API breakage, I created a docker container to run this project using construct 2.8. To use:

docker build -t opcache_analysis .
docker run -it --rm opcache_analysis sh

Then inside the busybox shell of the container you can use the tools, for example:

python ./analysis_tools/opcache_disassembler.py -c -a64 index.php.bin
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].