
How to use Smarty SSTi

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article introduces the relevant knowledge of "how to use Smarty SSTI". Many people run into this kind of situation when working through real cases, so let the editor walk you through how to handle it. I hope you read it carefully and get something out of it!

Challenge description

The challenge provides an API that reads the X-Forwarded-For (XFF) header, and the bottom of the page says "Build With Smarty", which suggests the page is rendered by the Smarty template engine.

That alone is enough to suspect that SSTI may exist on this page.

Changing the XFF header from 127.0.0.1 to 127.0.0 {1mm 2} produces the following result:

SSTI, no doubt.

The final payload is:

X-Forwarded-For: {if var_dump(file_get_contents('/flag'))}{/if}

Smarty SSTI exploitation

Smarty is built on PHP, and exploiting SSTI in Smarty differs considerably from the common Flask (Jinja2) SSTI.

Vulnerability confirmation

The usual first step is to render {$smarty.version}, which makes the template print Smarty's version string. The Smarty version in this challenge is 3.1.30.

Conventional exploitation route

Smarty supports the {php}{/php} tag, which executes the PHP statements it wraps, so the most common first idea is to test that tag. In this challenge, however, using {php}{/php} reports an error:

Smarty 3's official manual says:

Smarty has deprecated the {php} tag and strongly recommends against using it. In Smarty 3.1, {php} is only available in SmartyBC.

This challenge uses the Smarty class (not SmartyBC), so another route is needed.

{literal} tag

The official manual describes this tag as follows:

{literal} outputs the characters of a template region as-is. It is often used to protect JavaScript or CSS blocks on a page from being misparsed because of Smarty's delimiters.

So in a PHP 5 environment, a {literal} block can be used to execute PHP code such as

phpinfo()

but the challenge environment is PHP 7, where this method no longer works.

Static method

Many articles on the Internet obtain the Smarty class through self and then call its static methods to read and write files.

The code of the Smarty class's getStreamVariable method is as follows:

public function getStreamVariable($variable)
{
    $_result = '';
    $fp = fopen($variable, 'r+');
    if ($fp) {
        while (!feof($fp) && ($current_line = fgets($fp)) != false) {
            $_result .= $current_line;
        }
        fclose($fp);
        return $_result;
    }
    $smarty = isset($this->smarty) ? $this->smarty : $this;
    if ($smarty->error_unassigned) {
        throw new SmartyException('Undefined stream variable "' . $variable . '"');
    } else {
        return null;
    }
}

As you can see, this method opens a file and returns its contents, so the idea is to obtain the Smarty object via self and call it. The payload given in many articles looks like {self::getStreamVariable("file:///etc/passwd")}. In this challenge, however, that payload triggers the following error:

Fatal error: Uncaught --> Smarty Compiler: Syntax error in template "string:Current IP: {self::getStreamVariable('file:///etc/passwd')}" static class 'self' is undefined or not allowed by security setting
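The error message above reveals the root cause: the template source is "string:Current IP: " with the XFF header concatenated onto it, so whatever the client sends is compiled as template code. The following is an added example (not the challenge's code and not Smarty's own) that shows that vulnerable shape next to a hardened version that passes the header as template data, validates it as an IP list, and enables a restrictive Smarty security policy (which is what produces the "not allowed by security setting" error seen above). It assumes Smarty 3.1.x installed via Composer, a writable compile directory, and a web server populating $_SERVER; the class name Locked_Down_Policy and the helper names are my own.

```php
<?php
// Added example, not the challenge's or Smarty's own code. Assumes Smarty 3.1.x
// installed through Composer and a writable compile directory. The vulnerable
// shape is reconstructed from the page's error message, "string:Current IP: {...}".
require_once __DIR__ . '/vendor/autoload.php';

// Restrictive security policy (defence in depth). Each setting closes one of the
// template-side routes discussed on the page.
class Locked_Down_Policy extends Smarty_Security
{
    public $php_handling        = Smarty::PHP_REMOVE; // strip raw <?php ?> blocks in templates
    public $static_classes      = null;               // null = no static class access at all,
                                                      // so {self::...} / {Smarty::...} fail to compile
    public $streams             = null;               // null = no file:// or php:// stream variables
    public $allow_super_globals = false;              // no {$smarty.server...} / {$smarty.env...}
    public $allow_constants     = false;
}

function make_smarty()
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_c'); // must be writable
    return $smarty;
}

// VULNERABLE: user input becomes template *source*. Any {...} inside the header
// is compiled and executed, which is exactly what {$smarty.version} and the
// {if var_dump(file_get_contents('/flag'))}{/if} payload above rely on.
function render_vulnerable($xff)
{
    $smarty = make_smarty();
    return $smarty->fetch('string:Current IP: ' . $xff);
}

// HARDENED: same output, but the header is passed as template *data*. Smarty
// only compiles delimiters that are in the template text itself, so a header
// value of "{$smarty.version}" is printed literally (and HTML-escaped).
function render_hardened($xff)
{
    $smarty = make_smarty();
    $smarty->escape_html = true;                    // auto-escape all {$var} output
    $smarty->enableSecurity('Locked_Down_Policy');  // limit what any template may do
    $smarty->assign('ip', $xff);                    // data, not code
    return $smarty->fetch('string:Current IP: {$ip}'); // single quotes: $ip is not PHP-interpolated
}

// Validate before rendering. X-Forwarded-For is a comma-separated list of
// addresses; anything that is not an IP is not a client address and is a
// useful signal for detection (template delimiters do not belong here).
function first_valid_ip($xff)
{
    foreach (explode(',', $xff) as $candidate) {
        $candidate = trim($candidate);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return null;
}

$xff = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
$ip  = first_valid_ip($xff);
if ($ip === null) {
    // Log the rejected value for the SOC: repeated non-IP XFF values containing
    // braces are a clear indicator of template-injection probing.
    error_log('Rejected X-Forwarded-For with non-IP content: ' . $xff);
    http_response_code(400);
    exit;
}
echo render_hardened($ip);
```

The security policy is the second line of defence, not the fix: the fix is that render_hardened never builds template source from request data. The policy still matters because it turns any remaining injection point into a compile error like the one quoted above, which is loud in the logs, rather than silent file reads through static calls or stream variables.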
