2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 05/31 Report--
This article explains in detail, with worked examples, the analysis of the Laravel 5.8 deserialization vulnerabilities. The editor considers it very practical and shares it here as a reference; I hope you get something out of it.
Laravel 5.8 deserialization vulnerability POP chain 1
PendingBroadcast->__destruct -> Dispatcher->dispatch -> Dispatcher->dispatchToQueue
First, look at Dispatcher->dispatchToQueue. As long as the arguments of call_user_func are controllable, arbitrary commands can be executed.
Now look at the head of the POP chain.
PendingBroadcast->__destruct
$this->events and $this->event are controllable.
Dispatcher->dispatch needs to be called here.
Following commandShouldBeQueued, it returns true as long as $command is an instance of ShouldQueue (a subclass also works).
Follow up Dispatcher->dispatchToQueue.
$this->queueResolver is controllable, and $connection is taken from the passed $command, that is, $this->event above.
Arbitrary code can be executed simply by finding an implementation class of ShouldQueue that contains a $connection attribute.
First, find the implementation classes of ShouldQueue, as follows.
These classes themselves do not have a $connection attribute, but some of them use a trait called Queueable that contains $connection, as follows.
Therefore, the following classes are available:
QueuedCommand
BroadcastEvent
SendQueuedNotifications
CallQueuedClosure
At this point, the exp can be written. Sorting it out:
PendingBroadcast->events = Dispatcher class
PendingBroadcast->event = BroadcastEvent class // implementation class of ShouldQueue containing the $connection attribute
Dispatcher->queueResolver = function to be executed
BroadcastEvent->connection = parameter
exp1
Controlling $connection of BroadcastEvent as the parameter of the executed command is not what the other masters do; I do not quite understand the reason. But let's also look at the other masters' approach.
Any class method can be called via call_user_func with controllable arguments, as follows.
Therefore, the load method of the EvalLoader class can be called here, as follows.
The getCode method of the MockDefinition class returns a controllable value, as follows.
Code can be executed as long as code is controlled and the if statement is not entered (by making $definition->getClassName() return an unloaded class).
Tracing the getClassName method.
Searching globally for a getName method with a controllable return value finds the MockConfiguration class.
At this point, the exp can be written and sorted out as follows:
PendingBroadcast->events = Dispatcher class
PendingBroadcast->event = BroadcastEvent class // implementation class
Dispatcher->queueResolver = [EvalLoader class, "load"]
BroadcastEvent->connection = MockDefinition class
MockDefinition->config = MockConfiguration class // any class whose getName return value is controllable
MockDefinition->code = code to be executed
MockConfiguration->name = ConfigCacheCommand class // any unloaded class
exp2
POP chain 2
TagAwareAdapter->__destruct -> TagAwareAdapter->commit -> TagAwareAdapter->invalidateTags -> ProxyAdapter->saveDeferred -> ProxyAdapter->doSave
First, let's look at the point where the command is executed.
If ProxyAdapter->setInnerItem, $innerItem and $item are controllable, the command can be executed.
Back to the head of the POP chain.
TagAwareAdapter->__destruct
Follow up TagAwareAdapter->commit.
Follow up TagAwareAdapter->invalidateTags (excerpt).
Set $this->pool to the ProxyAdapter class.
Follow up ProxyAdapter->saveDeferred.
Follow up ProxyAdapter->doSave.
First, $item is the parameter we passed in, that is, TagAwareAdapter->deferred, which is controllable.
The if statement on line 204 can be passed as long as $item is an instance of CacheItem.
$this->setInnerItem is an attribute of ProxyAdapter and can be controlled.
$innerItem can be controlled through the code on line 213.
At this point, the exp can be written. Sorting it out:
TagAwareAdapter->deferred = ["4ut15m", CacheItem class]
TagAwareAdapter->pool = ProxyAdapter class
ProxyAdapter->setInnerItem = "system"
ProxyAdapter->poolHash = "4ut15m"
CacheItem->innerItem = command to be executed
CacheItem->poolHash = "4ut15m"
This chain is not complicated. See the exp for details.
Exp
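Both chains above start in the __destruct of an object that unserialize() rebuilt from attacker data. As an added defensive illustration (not code from the original article or from Laravel/Symfony), the block below shows why rebuilding untrusted input with allowed_classes disabled stops the chain before it starts, and adds a small scanner that flags serialized payloads naming the two entry classes the article identifies. DestructGadget, safeUnserialize and findGadgetClasses are hypothetical helper names chosen for this example.

```php
<?php
// Added example, not from the original article. Stand-in for a gadget such as
// PendingBroadcast, whose __destruct is the entry point of POP chain 1.
final class DestructGadget
{
    public $events;
    public function __destruct()
    {
        // In the real chain this is where Dispatcher->dispatch would be reached.
        echo "DestructGadget::__destruct ran\n";
    }
}

// Fully qualified names of the entry classes of the article's two POP chains.
const GADGET_CLASSES = [
    'Illuminate\\Broadcasting\\PendingBroadcast',
    'Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter',
];

// Hardened wrapper: with allowed_classes disabled every object comes back as
// __PHP_Incomplete_Class, which has no __destruct/__wakeup, so no chain can fire.
function safeUnserialize(string $payload)
{
    return unserialize($payload, ['allowed_classes' => false]);
}

// Detection helper: PHP serializes objects as O:<len>:"<class>":<n>:{...}.
// Returns the class names in $payload that match a known gadget entry point.
function findGadgetClasses(string $payload): array
{
    preg_match_all('/O:\d+:"([^"]+)":/', $payload, $m);
    return array_values(array_intersect($m[1], GADGET_CLASSES));
}

// Constructed sample payloads, written by hand so nothing is instantiated up front.
$local   = 'O:14:"DestructGadget":1:{s:6:"events";N;}';
$laravel = 'O:40:"Illuminate\\Broadcasting\\PendingBroadcast":2:{s:6:"events";N;s:5:"event";N;}';

// Default behaviour: the class is instantiated, and the destructor fires at unset().
$unsafe = unserialize($local);
unset($unsafe);

// Hardened behaviour: the object is an incomplete-class placeholder, no destructor exists.
$safe = safeUnserialize($local);
var_dump($safe instanceof __PHP_Incomplete_Class);

// Scanner run over the Laravel-shaped payload reports the PendingBroadcast entry class.
print_r(findGadgetClasses($laravel));
```

Run as a plain PHP CLI script (php >= 7.0 for the allowed_classes option); the same findGadgetClasses check can be applied to cookies, session stores or request bodies before they ever reach unserialize().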
This is the end of this article on "sample analysis of Laravel 5.8 deserialization vulnerabilities". I hope the above content has been of some help to you and that you have learned more from it. If you think the article is good, please share it so more people can see it.