{"id":13658835,"url":"https://github.com/GoSecure/php7-opcache-override","last_synced_at":"2025-04-24T11:32:55.126Z","repository":{"id":39351730,"uuid":"57056261","full_name":"GoSecure/php7-opcache-override","owner":"GoSecure","description":"Security-related PHP7 OPcache abuse tools and demo","archived":false,"fork":false,"pushed_at":"2023-01-02T07:56:03.000Z","size":346,"stargazers_count":310,"open_issues_count":1,"forks_count":75,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-04-06T15:12:37.506Z","etag":null,"topics":["opcache","php7","poc","vulnerability"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GoSecure.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-04-25T16:05:34.000Z","updated_at":"2025-02-19T19:41:15.000Z","dependencies_parsed_at":"2023-02-01T02:16:06.138Z","dependency_job_id":null,"html_url":"https://github.com/GoSecure/php7-opcache-override","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoSecure%2Fphp7-opcache-override","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoSecure%2Fphp7-opcache-override/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoSecure%2Fphp7-opcache-override/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoSecure%2Fphp7-opcache-override/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GoSecure","download_url":"https://codeload.github.com/GoSecure/php
7-opcache-override/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250618680,"owners_count":21460137,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["opcache","php7","poc","vulnerability"],"created_at":"2024-08-02T05:01:03.007Z","updated_at":"2025-04-24T11:32:54.822Z","avatar_url":"https://github.com/GoSecure.png","language":"Python","readme":"# PHP OPcache Override\n\nThis project contains the demo website and the tools presented in the following blog posts:\n\n - HackFest presentation: [slides](https://docs.google.com/presentation/d/18y60Xy0eVeUnBXIH_t3ikfly_uyYbtfI6zAuKCHtlac/edit?usp=sharing)\n   and [video](https://www.youtube.com/watch?v=yLpsIWh7rvU)\n - http://gosecure.net/2016/04/27/binary-webshell-through-opcache-in-php-7/\n - http://gosecure.net/2016/05/26/detecting-hidden-backdoors-in-php-opcache/\n\n## 010 Editor Template\n\nThese templates parse OPcache files generated on 32-bit and 64-bit platforms.\n\n - Download [010 editor](http://www.sweetscape.com/010editor/)\n - `Templates` -\u003e `Open Template...`, then select OPCACHE_x86.bt or OPCACHE_x86_64.bt\n - Open your OPcache file\n - Press `F5`\n\n## Python System ID Scraper\n\nThis tool lets you extract the `system_id` from a `phpinfo()` page.\nSimply pass a filename or a URL.\n\n    $ ./system_id_scraper.py info.html\n    PHP version : 7.0.4-7ubuntu2\n    Zend Extension ID : API320151012,NTS\n    Zend Bin ID : BIN_SIZEOF_CHAR48888\n    Assuming x86_64 architecture\n    ------------\n    System ID : 81d80d78c6ef96b89afaadc7ffc5d7ea\n\n## OPcache Disassembler\n\nThis tool lets you disassemble an OPcache file.\n\nYou can display it as a syntax tree (-t) or as pseudocode (-c) on both 32-bit and 64-bit platforms.\nSimply pass a display option, the architecture to use and an OPcache file.\n\n    $ ./opcache_disassembler.py -c -a64 malware.php.bin\n\n    #0 $280 = FETCH_IS('_GET', None);\n    #1 ~0 = ISSET_ISEMPTY_DIM_OBJ($280, 'test');\n    #2 JMPZ(~408, -\u003e5);\n    #3 ECHO('success', None);\n    ...\n\n## OPcache Malware Hunter\n\nThis tool helps detect malware hidden in OPcache files by looking for cache files that have been tampered with. It compiles its own version of the source code, compares the compiled file\nwith the current cache file and reports any differences. **You must run this tool on the same system as the one where the cache files\nwere originally compiled.**\n\nOPcache Malware Hunter requires four parameters:\n  - The location of the cache folder\n  - The architecture of the system (32 or 64 bit)\n  - The system_id\n  - The php.ini file used\n\nWhen a potentially infected cache file is found, OPcache Malware Hunter generates an HTML report\non the filesystem showing the differences between the source code and the infected cache file.\n\n```\n$ ./opcache_malware_hunt.py /tmp/cache -a64 2d3b19863f4c71f9a3adda4c957752e2 /etc/php/7.0/cli/php.ini\nParsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/payload.php.bin\nParsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/payload.php.bin\nParsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-config.php.bin\nParsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-config.php.bin\nParsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-load.php.bin\n...\nParsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin\nParsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin\nParsing /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-includes/pomo/translations.php.bin\nParsing hunt_opcache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/wp-includes/pomo/translations.php.bin\nPotentially infected files :\n - /tmp/cache/2d3b19863f4c71f9a3adda4c957752e2/home/vagrant/wordpress/index.php.bin\n```\n\nMain page of the generated report:\n\n\u003cimg src=\"https://raw.githubusercontent.com/GoSecure/php7-opcache-override/master/static/index.png\" width=\"500px\"\u003e\n\nA typical report page:\n\n![diff](https://raw.githubusercontent.com/GoSecure/php7-opcache-override/master/static/diff.png)\n\n## Demo\n\nTo set up the demo, run the following two commands:\n\n    sudo ./setup.sh\n    php -S 127.0.0.1:8080 -c php.ini\n\nNote that on some Linux-based systems, the OPcache extension is built outside of\nthe PHP core as a shared object and must be loaded dynamically. To do so, add\nthe following line under the `[PHP]` section of php.ini:\n\n    zend_extension=opcache.so\n\n## Dockerized setup\n\nDue to construct 2.9's API breakage, I created a Docker container to run this project using construct 2.8. To use:\n\n    docker build -t opcache_analysis .\n    docker run -it --rm opcache_analysis sh\n\nThen, inside the container's BusyBox shell, you can use the tools, for example:\n\n    python ./analysis_tools/opcache_disassembler.py -c -a64 index.php.bin\n","funding_links":[],"categories":["Python (144)"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGoSecure%2Fphp7-opcache-override","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FGoSecure%2Fphp7-opcache-override","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FGoSecure%2Fphp7-opcache-override/lists"}