
Analysis and reproduction of CVE-2020-15148, the Yii2 deserialization RCE

2025-01-19 Update From: SLTechnology News&Howtos (shulou)

Shulou (Shulou.com) 06/01 Report

In this article the editor shares an analysis and reproduction of CVE-2020-15148, the Yii2 deserialization RCE. Most readers are probably not very familiar with it, so it is shared here for reference; I hope you learn a lot from reading it. Let's get started.

1. Affected versions

Yii2 < 2.0.38

2. Environment setup

The affected range is Yii2 < 2.0.38, so download 2.0.37: https://github.com/yiisoft/yii2/releases/tag/2.0.37

Then run php yii serve in the project root to start the service, and edit the configuration file config/web.php to set cookieValidationKey to any value; otherwise an error is reported.

3. PHP magic methods related to (de)serialization

Once the environment is set up, it helps to first understand the magic methods, which makes the chain easier to follow.

__construct(): called automatically when an object is created (new). It is not called by unserialize().

__destruct(): called automatically when an object is destroyed.

__call(): triggered when an inaccessible method is called in an object context.

__callStatic(): triggered when an inaccessible method is called in a static context.

__get(): used to read data from inaccessible properties.

__set(): used to write data to inaccessible properties.

__isset(): triggered by calling isset() or empty() on an inaccessible property.

__unset(): triggered when unset() is used on an inaccessible property.

__sleep(): executed when the serialization function serialize() is run.

__wakeup(): executed when the deserialization function unserialize() is run.

__toString(): lets a class decide how it reacts when it is treated as a string.

__invoke(): called when the script attempts to call the object as a function.

[Figure] Diagram of the commonly used magic methods, for a more intuitive picture.

4. Vulnerability analysis and reproduction

Analysis:

Let's start from the publicly shared EXP.

As shown in the figure, the EXP executes in the order ① ② ③ and finally reaches RCE.

①: new a BatchQueryResult object, which causes the __construct of the BatchQueryResult class to run

②: new a Generator object, which causes the __construct of the Generator class to run

③: new a CreateAction object, which causes the __construct of the CreateAction class to run

RCE is finally reached because the values of checkAccess and id used in the run() method of the CreateAction class are controllable.

Following the classes used in the EXP, we go through each file in turn.

The first object new'ed is BatchQueryResult, so BatchQueryResult.php is the starting point of the whole POP chain.

1. The __destruct of the BatchQueryResult class calls the reset() method, and in reset() you can see that $this->dataReader is controllable. The call $this->dataReader->close() there can make use of the magic method __call (as mentioned earlier, __call is invoked when a method that does not exist is called), which means the second class in the EXP, Generator, must have a usable __call method. We continue by following Generator.php.

2. In the Generator class, __call calls the format() method, and format() calls call_user_func_array(); at first glance $formatter and $arguments are not controllable. Going further down, $formatter comes from $this->getFormatter(), and in that method $this->formatters is controllable, so the return value of getFormatter() is controllable: the first argument of call_user_func_array() is controllable and the second argument is empty. The next step of the EXP therefore substitutes a parameterless method to reach RCE. To check the last step of the EXP, the run() method of the CreateAction class, we follow CreateAction.php.

3. In the CreateAction class, run() clearly shows that $this->checkAccess and $this->id are controllable, which completes the chain.

yii\db\BatchQueryResult::__destruct() -> Faker\Generator::__call() -> yii\rest\CreateAction::run()
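The magic-method behaviour from section 3 and the __destruct() -> __call() -> call_user_func_array() shape of the chain above, reduced to two hypothetical stand-in classes and placed beside the sink hardening that stops it. This is an added example, not Yii2, Faker or the author's code; Holder, Dispatcher, demo_marker and safe_unserialize are assumed names.

```php
<?php
// Added illustration, not Yii2 or Faker code. Holder and Dispatcher are
// hypothetical stand-ins shaped like BatchQueryResult and Faker\Generator:
// a destructor reaches a method call on a payload-controlled property, and
// __call() forwards an unknown method name to a callable taken from a property.
class Holder {
    public $reader;
    public function __destruct() {
        // Like BatchQueryResult::__destruct() -> reset() -> $this->dataReader->close()
        if ($this->reader !== null) {
            $this->reader->close();
        }
    }
}

class Dispatcher {
    public $formatters = [];
    public function __call($name, $arguments) {
        // Like Generator::__call() -> format(): callable comes from $this->formatters
        return call_user_func_array($this->formatters[$name], $arguments);
    }
}

// Harmless marker standing in for the RCE step: the demo only shows that a
// payload-chosen callable runs during object cleanup.
function demo_marker() { echo "[chain fired] payload-chosen callable ran\n"; }

// Constructed payload: serialize a legitimate object graph, then neutralise
// the live copy so only the unserialized copy triggers the chain.
$d = new Dispatcher();
$d->formatters['close'] = 'demo_marker';
$h = new Holder();
$h->reader = $d;
$payload = serialize($h);
$h->reader = null;

echo "Vulnerable sink (plain unserialize):\n";
$obj = unserialize($payload);
unset($obj);                    // __destruct() runs here and fires the chain

// Hardened sink: never instantiate classes from untrusted input. Objects become
// __PHP_Incomplete_Class, which has no magic methods, so no gadget can run.
function safe_unserialize(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

echo "Hardened sink (allowed_classes => false):\n";
$obj = safe_unserialize($payload);
echo get_class($obj), "\n";     // __PHP_Incomplete_Class; nothing fired
```

For data that only needs to carry scalars and arrays, json_decode() avoids the object-instantiation problem entirely; allowed_classes also accepts an explicit allowlist when specific classes genuinely must round-trip.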

Reproduction:

For the first step of the reproduction, add a deserialization entry point yourself: create a new TestController.php in the controllers directory with an action that performs deserialization.

Once the entry point is in place, run the EXP; it outputs the serialized payload encoded in Base64.

Substituting that payload into the URL results in a successful RCE.

5. Fix recommendation

This vulnerability is fixed by upgrading to version 2.0.38 or later.

That is the whole of this article, "Analysis and reproduction of CVE-2020-15148, the Yii2 deserialization RCE". Thank you for reading! I believe you now have some understanding of it, and I hope the content is helpful. If you want to learn more, welcome to follow the industry information channel.
