2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article walks through a deserialization POP chain in Laravel 8, following it step by step through the framework source.
Text
The starting point is the same as before, and anyone who knows the Laravel POP chains will recognize it: the entry point is still the destructor in PendingBroadcast.php.
    public function __destruct()
    {
        $this->events->dispatch($this->event);
    }
Because $this->events is under our control, dispatch() can be called on any class that has one; here we again choose Dispatcher.php to continue the chain:
    public function dispatch($command)
    {
        return $this->queueResolver && $this->commandShouldBeQueued($command)
            ? $this->dispatchToQueue($command)
            : $this->dispatchNow($command);
    }
A quick look at the source (interested readers can compare it with the Laravel 5 source): the logic is simply written as a ternary expression here and is essentially the same. We need queueResolver to be set and commandShouldBeQueued() to return true so that execution enters dispatchToQueue(). Auditing the class shows that queueResolver is a variable we control, so next we trace commandShouldBeQueued():
    protected function commandShouldBeQueued($command)
    {
        return $command instanceof ShouldQueue;
    }
So $command has to be an instance of a class that implements the ShouldQueue interface. A global search turns up the class in BroadcastEvent.php; with it the check returns true and we enter dispatchToQueue(). Tracing dispatchToQueue():
    public function dispatchToQueue($command)
    {
        $connection = $command->connection ?? null;

        $queue = call_user_func($this->queueResolver, $connection);
        // remainder of the method is not shown in the article
    }
Here there is a dangerous function, call_user_func, which can directly invoke any method of any class, so we can jump straight to the method we want to execute. A global search for eval finds it here:
    class EvalLoader implements Loader
    {
        public function load(MockDefinition $definition)
        {
            if (class_exists($definition->getClassName(), false)) {
                return;
            }

            eval("?>" . $definition->getCode());
        }
    }
When the first parameter of call_user_func is an array, its first element is the class we choose and its second element is the method of that class. So here we go directly to the EvalLoader class and execute its load method, which calls eval. load takes one parameter, and that parameter must be an instance of the MockDefinition class; this means our connection needs to be an instance of MockDefinition.
Continuing the audit, the if condition must be false for eval to be reached, so we trace into the MockDefinition class:
    class MockDefinition
    {
        protected $config;
        protected $code;

        public function __construct(MockConfiguration $config, $code)
        {
            if (!$config->getName()) {
                throw new \InvalidArgumentException("MockConfiguration must contain a name");
            }
            $this->config = $config;
            $this->code = $code;
        }

        public function getConfig()
        {
            return $this->config;
        }

        public function getClassName()
        {
            return $this->config->getName();
        }

        public function getCode()
        {
            return $this->code;
        }
    }
Look at getClassName(): config is controllable, so we only need a class that has a getName method whose return value we control. A global search finds one in MockConfiguration.php:
    protected $name;

    public function getName()
    {
        return $this->name;
    }
Because the result is ultimately checked by class_exists, we can make getName return the name of a class that does not exist; class_exists then returns false and execution reaches eval. Back to the eval call:
    class EvalLoader implements Loader
    {
        public function load(MockDefinition $definition)
        {
            if (class_exists($definition->getClassName(), false)) {
                return;
            }

            eval("?>" . $definition->getCode());
        }
    }
There is also a getCode method, which we can audit through the class shown above: code is also controllable in the MockDefinition class, so we control its contents at will and can achieve command execution. Here is my exp:
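Defensive counterpart, added here and not part of the original article or of Laravel: the whole chain depends on unserialize() building a PendingBroadcast object from untrusted bytes so that its destructor runs. The sketch below uses a constructed DestructorProbe class and a hypothetical safe_unserialize() helper to show the destructor firing under plain unserialize() and never firing once allowed_classes is restricted.

```php
<?php
// Constructed stand-in for a destructor entry point like PendingBroadcast:
// it only counts how often __destruct() runs.
final class DestructorProbe
{
    public static $fired = 0;
    public function __destruct()
    {
        self::$fired++;
    }
}

// Hypothetical helper: decode untrusted data, instantiating only classes in
// $allowed (false = none), and reject payloads that named any other class.
function safe_unserialize(string $payload, $allowed = false)
{
    $value = unserialize($payload, ['allowed_classes' => $allowed]);
    if ($value === false && $payload !== serialize(false)) {
        throw new UnexpectedValueException('malformed serialized data');
    }
    $stack = [$value];
    for ($budget = 100000; $stack; $budget--) {   // budget stops reference loops
        if ($budget === 0) {
            throw new UnexpectedValueException('payload too large to inspect');
        }
        $item = array_pop($stack);
        if ($item instanceof __PHP_Incomplete_Class) {
            // Disallowed classes become this placeholder; no destructor runs.
            $name = ((array) $item)['__PHP_Incomplete_Class_Name'] ?? 'unknown';
            throw new UnexpectedValueException("blocked class: $name");
        }
        foreach (is_array($item) || is_object($item) ? (array) $item : [] as $child) {
            $stack[] = $child;
        }
    }
    return $value;
}

$untrusted = serialize(new DestructorProbe());   // constructed sample input
DestructorProbe::$fired = 0;                     // ignore the temporary above
unserialize($untrusted);                         // weak: object built, then destroyed
$weak = DestructorProbe::$fired;
try {
    safe_unserialize($untrusted);
    $verdict = 'accepted';
} catch (UnexpectedValueException $e) {
    $verdict = $e->getMessage();
}
printf("plain: %d destructor call(s); hardened: %d, %s\n",
    $weak, DestructorProbe::$fired - $weak, $verdict);
```

Logging the blocked class name gives a detection signal for the classes named in this chain (PendingBroadcast, Dispatcher, EvalLoader, MockDefinition) appearing in input that should only ever carry scalars and arrays.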