Burp Suite User Forum


How to execute Lab: Exploiting PHP deserialization with a pre-built gadget chain using only Burp Suite?

Ali | Last updated: Jul 07, 2022 08:09AM UTC

Hi, can I execute this lab using only Burp Suite? When I search for solution videos, I only see solutions using Kali. Thanks.

Ben, PortSwigger Agent | Last updated: Jul 07, 2022 05:11PM UTC

Hi, this lab requires you to use a third-party tool to generate a malicious serialized object so you will, I am afraid, have to carry out some of the requisite steps outside of Burp (specifically, step 7 of the solution requires the use of the PHPGGC tool).

Ali | Last updated: Jul 20, 2022 05:57AM UTC

I have professional Burp Suite, so I believe I can download the PHPGGC tool? If yes, kindly share the steps to use the tool to complete this lab, since the steps are not mentioned in the solution and all videos on YouTube use Kali Linux to complete the lab.

Ben, PortSwigger Agent | Last updated: Jul 20, 2022 08:21AM UTC

Hi, the PHPGGC tool is written by a third party, is completely independent of Burp and can be obtained by anyone. You can obtain a copy of the tool from the author's GitHub repository below and would need to follow the author's instructions on how to run the tool (please note the prerequisite to have PHP available in order to run PHPGGC):

https://github.com/ambionics/phpggc

Step 7 of the written solution details what you then need to use the tool for in terms of solving the lab itself.

Ali | Last updated: Jul 21, 2022 06:09AM UTC

Hi, I have installed PHP, Docker and PHPGGC, but when I run this command in Windows cmd (DOS) as per the lab solution, "./phpggc Symfony/RCE4 exec 'rm /home/carlos/morale.txt' | base64", I am getting this error: "'.' is not recognized as an internal or external command, operable program or batch file." So is this command for Windows or Linux? If it is only for Linux, then how can Windows users solve this lab, please?

Ben, PortSwigger Agent | Last updated: Jul 22, 2022 06:28AM UTC

Hi, I believe the tool itself has been designed to be run on Linux-based systems. If you really do not have access to a Linux system, you could look to use something like Cygwin on your Windows machine, which would allow you to run the command detailed in the solution.
