FUGIO is the first automatic exploit generation (AEG) tool for PHP object injection (POI) vulnerabilities. When exploiting a POI vulnerability, an attacker crafts an injection object by carefully choosing its property values to invoke a chain of existing class methods or functions (gadgets) for finally triggering a sensitive function with attack payloads. The technique used in composing this exploit object is called property-oriented programming (POP). FUGIO identifies feasible POP gadget chains considering the availability of gadgets and their caller-callee relationships via static and dynamic analyses. FUGIO then conducts a feedback-driven fuzzing campaign for each identified POP chain, thus producing exploit objects. For more details, please refer to our paper, "FUGIO: Automatic Exploit Generation for PHP Object Injection Vulnerabilities", which will appear in USENIX Security 2022.
FUGIO is tested on a machine running Ubuntu 18.04. Python 3 and PHP (5.4, 5.6, or 7.2) are required to run FUGIO. We provide three Docker images depending on PHP versions in FUGIO-artifact. If you use the given Docker images, follow the instructions in Prepare Docker containers and then go to the phase 2.
-
Clone git repo
git clone --recurse-submodules https://github.com/WSP-LAB/FUGIO.git cd FUGIO
-
Install Docker
-
Run RabbitMQ Docker
- You can set up RabbitMQ by running
./run_rabbitmq.sh
.- Username: fugio
- Password: fugio_password
- RabbitMQ Management port: 15672
- You can set up RabbitMQ by running
-
Install Python 3 pip
sudo apt-get install -y python3-pip
-
Install PHP Composer
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" && \ php composer-setup.php && \ php -r "unlink('composer-setup.php');" && \ mv composer.phar /usr/local/bin/composer
-
Install PHP libraries
- PHP 5.4: we installed PHP 5.4 by compiling source code
sudo apt-get install -y autoconf apache2-dev libxml2-dev libbz2-dev \ libcurl4-gnutls-dev libjpeg-dev libpng-dev libmcrypt-dev sudo ln -s /usr/include/x86_64-linux-gnu/curl /usr/local/include/ wget -O /tmp/bison-2.6.tar.gz http://ftp.gnu.org/gnu/bison/bison-2.6.tar.gz tar -xvf /tmp/bison-2.6.tar.gz -C /tmp cd /tmp/bison-2.6 ./configure --prefix=/usr/local/bison --with-libiconv-prefix=/usr/local/libiconv/ make sudo make install sudo ln -s /usr/local/bison/bin/bison /usr/bin/bison git clone https://github.com/openssl/openssl.git /tmp/openssl cd /tmp/openssl git checkout OpenSSL_1_0_2-stable ./config shared make sudo make install git clone https://github.com/php/php-src.git /tmp/php-src cd /tmp/php-src git checkout PHP-5.4 ./buildconf ./configure --with-mysql --with-zlib --with-gd --with-mhash --with-mcrypt \ --with-curl --with-openssl --with-zlib --with-jpeg-dir --with-png-dir --with-gettext \ --with-pcre-regex --with-pdo-mysql --enable-calendar --enable-exif --with-bz2 \ --enable-ftp --enable-mbstring --enable-shmop --enable-soap --enable-bcmath \ --enable-sockets --enable-wddx --enable-zip --with-mysqli --with-apxs2=/usr/bin/apxs2 make sudo make install sudo cp php.ini-production /usr/local/lib/php.ini
- PHP 5.6
sudo apt-get install -y php5.6-dev php5.6-bcmath php5.6-mbstring php5.6-xml
- PHP 7.2
sudo apt-get install -y php7.2-dev php7.2-bcmath php7.2-mbstring php7.2-xml
- PHP 5.4: we installed PHP 5.4 by compiling source code
-
Install dependencies
- We provide scripts for installing all dependencies and changing PHP settings.
Run
./install_XX.sh
depending on the version of PHP.- PHP 5.4:
./install_54.sh
- PHP 5.6:
./install_56.sh
- PHP 7.2:
./install_72.sh
- PHP 5.4:
- We provide scripts for installing all dependencies and changing PHP settings.
Run
-
Prepare the target application source code and its running service
- In FUGIO-artifact, we provide 30 PHP applications that are evaluated in our paper. If you want to use it, refer to Build benchmarks.
-
Setting for monitoring POI vulnerabilities
- Add
.htaccess
file for monitoring POI vulnerabilities by running./htaccess.py on
. If you want to stop monitoring, runhtaccess.py off
.
- Add
-
Execute FUGIO using
./run.py
.# ./run.py usage: run.py [-h] [--all] [--rabbitmq_ip RABBITMQ_IP] [--php_ver {5,7}] [--hook_extension {uopz,runkit}] [--cpus CPUS] target
rabbitmq_ip
: the IP address of RabbitMQphp_ver
: the version of PHP, choose 5 or 7 (default 5)hook_extension
: the library for using hooks to PHP built-in functions, choose uopz or runkit (default uopz)
Since some applications such as CubeCart conflicts with uopz library, we also support runkit.cpus
: the number of CPU cores for assigning to run FUGIO (default all CPU cores)target
: the path of the target application source codeall
: enable if you want to consider all gadgets regardless of their availability (default false)
In Dahse et al., the authors assume that all existing classes are loadable when there exists at least one autoloader callback in an application. Although this assumption is no longer valid because this bug was patched in PHP 5.4.24 and 5.5.8, we added this option for a fair comparison to FUGIO in the paper.
For more concrete examples, refer to scripts
run_FUGIO_XX.sh
.If you run the command, FUGIO starts to analyze the source code of the target application. At the first run, FUGIO generates a dump file in
Files/dump_files
. It is for reducing time to analyze the target source code when you run FUGIO again for the same application. If the source code of the target application changed, you need to delete its dump file and run the script again. -
Monitor POI vulnerabilities After FUGIO finishes analyzing the source code, FUGIO starts to monitor a POI vulnerability. We can trigger POI vulnerabilities using crawlers, spiders, or manual browsing. In
Trigger
folder, we provide scripts for triggering POI vulnerabilities of our benchmarks; you can find the details in FUGIO-artifact.
All outputs are generated in the Files/fuzzing/[app_path.time]/PUT/
directory.
put-head.php
andput-body.php
: a PUT fileinst_PUT.php
: an instrumented PUT file for fuzzing the target applicationprocX_X_X_X_X_X.chain
: an identified POP chainPROBABLY_EXPLOITABLE
: a directory for probably exploitable exploit objects (payloads)EXPLOITABLE
: a directory for exploitable exploit objects (payloads)