Smarty <= 3.1.32 Remote Code execution(CVE-2017-1000480)
Smarty介紹php
smarty是一個php模板引擎,其項目地址:https://github.com/smarty-php/smartygit
測試環境搭建github
下載:https://github.com/smarty-php/smarty/releases (本案例測試爲smarty-3.1.31)web
解壓之後放在web任意路徑中,而後建立一個文件進行漏洞測試。測試文件內容爲:api
<?php define('SMARTY_ROOT_DIR', str_replace('\\', '/', __DIR__)); define('SMARTY_COMPILE_DIR', SMARTY_ROOT_DIR.'/tmp/templates_c'); define('SMARTY_CACHE_DIR', SMARTY_ROOT_DIR.'/tmp/cache'); include_once(SMARTY_ROOT_DIR . '/smarty-3.1.31/libs/Smarty.class.php'); class testSmarty extends Smarty_Resource_Custom { protected function fetch($name, &$source, &$mtime) { $template = "CVE-2017-1000480 smarty PHP code injection"; $source = $template; $mtime = time(); } } $smarty = new Smarty(); $smarty->setCacheDir(SMARTY_CACHE_DIR); $smarty->setCompileDir(SMARTY_COMPILE_DIR); $smarty->registerResource('test', new testSmarty); $smarty->display('test:'.$_GET['eval']); ?>
漏洞的觸發函數是這裏的display, 也就是渲染頁面之後輸出結果的這個函數。緩存
漏洞原理分析函數
咱們來跟進smarty對象的成員方法display, 位置爲 smarty-3.1.31\libs\sysplugins\smarty_internal_templatebase.php測試
public function display($template = null, $cache_id = null, $compile_id = null, $parent = null) { // display template $this->_execute($template, $cache_id, $compile_id, $parent, 1); }
咱們傳給display的參數就是這裏的局部變量$template, 而後這裏直接調用了_execute(),跟進fetch
private function _execute($template, $cache_id, $compile_id, $parent, $function) { $smarty = $this->_getSmartyObj(); $saveVars = true; if ($template === null) { if (!$this->_isTplObj()) { throw new SmartyException($function . '():Missing \'$template\' parameter'); } else { $template = $this; } } elseif (is_object($template)) { /* @var Smarty_Internal_Template $template */ if (!isset($template->_objType) || !$template->_isTplObj()) { throw new SmartyException($function . '():Template object expected'); } } else { // get template object $saveVars = false; // 這裏調用函數建立了一個模板 $template = $smarty->createTemplate($template, $cache_id, $compile_id, $parent ? $parent : $this, false); if ($this->_objType == 1) { // set caching in template object $template->caching = $this->caching; } } // fetch template content $level = ob_get_level(); try { $_smarty_old_error_level = isset($smarty->error_reporting) ? error_reporting($smarty->error_reporting) : null; if ($this->_objType == 2) { /* @var Smarty_Internal_Template $this */ $template->tplFunctions = $this->tplFunctions; $template->inheritance = $this->inheritance; } /* @var Smarty_Internal_Template $parent */ if (isset($parent->_objType) && ($parent->_objType == 2) && !empty($parent->tplFunctions)) { $template->tplFunctions = array_merge($parent->tplFunctions, $template->tplFunctions); } if ($function == 2) { if ($template->caching) { // return cache status of template if (!isset($template->cached)) { $template->loadCached(); } $result = $template->cached->isCached($template); Smarty_Internal_Template::$isCacheTplObj[ $template->_getTemplateId() ] = $template; } else { return false; } } else { if ($saveVars) { $savedTplVars = $template->tpl_vars; $savedConfigVars = $template->config_vars; } ob_start(); $template->_mergeVars(); if (!empty(Smarty::$global_tpl_vars)) { $template->tpl_vars = array_merge(Smarty::$global_tpl_vars, $template->tpl_vars); } $result = $template->render(false, $function); // 省略無關代碼...
咱們須要關心的是,咱們的可控變量是如何被帶入執行的:this
在代碼中咱們能夠看到調用createTemplate()建立了模板。有興趣能夠跟進去看看。我在這裏直接輸出獲得$template被覆蓋以後的值,是一個Smarty_Internal_Template對象。我就不貼出來了,太長了。
而後咱們繼續跟進這個render的渲染處理函數, 位置 smarty-3.1.31\libs\sysplugins\smarty_internal_template.php
public function render($no_output_filter = true, $display = null) { if ($this->smarty->debugging) { if (!isset($this->smarty->_debug)) { $this->smarty->_debug = new Smarty_Internal_Debug(); } $this->smarty->_debug->start_template($this, $display); } // checks if template exists if (!$this->source->exists) { throw new SmartyException("Unable to load template '{$this->source->type}:{$this->source->name}'" . ($this->_isSubTpl() ? " in '{$this->parent->template_resource}'" : '')); } // disable caching for evaluated code if ($this->source->handler->recompiled) { $this->caching = false; } // read from cache or render $isCacheTpl = $this->caching == Smarty::CACHING_LIFETIME_CURRENT || $this->caching == Smarty::CACHING_LIFETIME_SAVED; if ($isCacheTpl) { if (!isset($this->cached) || $this->cached->cache_id !== $this->cache_id || $this->cached->compile_id !== $this->compile_id ) { $this->loadCached(true); } $this->cached->render($this, $no_output_filter); } else { if (!isset($this->compiled) || $this->compiled->compile_id !== $this->compile_id) { $this->loadCompiled(true); } $this->compiled->render($this); } // 省略無關代碼...
這裏由於咱們以前沒有進行過模板緩存文件的生成,$isCacheTpl 的值爲false,咱們而後咱們繼續跟進render(), 位置 smarty-3.1.31\libs\sysplugins\smarty_template_compiled.php
public function render(Smarty_Internal_Template $_template) { // checks if template exists if (!$_template->source->exists) { $type = $_template->source->isConfig ? 'config' : 'template'; throw new SmartyException("Unable to load {$type} '{$_template->source->type}:{$_template->source->name}'"); } if ($_template->smarty->debugging) { if (!isset($_template->smarty->_debug)) { $_template->smarty->_debug = new Smarty_Internal_Debug(); } $_template->smarty->_debug->start_render($_template); } if (!$this->processed) { $this->process($_template); } if (isset($_template->cached)) { $_template->cached->file_dependency = array_merge($_template->cached->file_dependency, $this->file_dependency); } if ($_template->source->handler->uncompiled) { $_template->source->handler->renderUncompiled($_template->source, $_template); } else { $this->getRenderedTemplateCode($_template); } if ($_template->caching && $this->has_nocache_code) { $_template->cached->hashes[ $this->nocache_hash ] = true; } if ($_template->smarty->debugging) { $_template->smarty->_debug->end_render($_template); } }
而後能夠看到 $this->process($_template)調用了process()函數, 跟進。
public function process(Smarty_Internal_Template $_smarty_tpl) { $source = &$_smarty_tpl->source; $smarty = &$_smarty_tpl->smarty; if ($source->handler->recompiled) { $source->handler->process($_smarty_tpl); } elseif (!$source->handler->uncompiled) { if (!$this->exists || $smarty->force_compile || ($smarty->compile_check && $source->getTimeStamp() > $this->getTimeStamp()) ) { $this->compileTemplateSource($_smarty_tpl); $compileCheck = $smarty->compile_check; $smarty->compile_check = false; $this->loadCompiledTemplate($_smarty_tpl); $smarty->compile_check = $compileCheck; } else { $_smarty_tpl->mustCompile = true; @include($this->filepath); if ($_smarty_tpl->mustCompile) { $this->compileTemplateSource($_smarty_tpl); $compileCheck = $smarty->compile_check; $smarty->compile_check = false; $this->loadCompiledTemplate($_smarty_tpl); $smarty->compile_check = $compileCheck; } } $_smarty_tpl->_subTemplateRegister(); $this->processed = true; } }
而後進入了這個流程, $this->compileTemplateSource($_smarty_tpl) 繼續跟進。
public function compileTemplateSource(Smarty_Internal_Template $_template) { $this->file_dependency = array(); $this->includes = array(); $this->nocache_hash = null; $this->unifunc = null; // compile locking $saved_timestamp = $_template->source->handler->recompiled ? false : $this->getTimeStamp(); if ($saved_timestamp) { touch($this->filepath); } // compile locking try { // call compiler $_template->loadCompiler(); $this->write($_template, $_template->compiler->compileTemplate($_template)); } catch (Exception $e) { // restore old timestamp in case of error if ($saved_timestamp) { touch($this->filepath, $saved_timestamp); } unset($_template->compiler); throw $e; } // release compiler object to free memory unset($_template->compiler); }
而後進入到 $this->write($_template, $_template->compiler->compileTemplate($_template)) 咱們來看一下write()是怎麼實現的:
public function write(Smarty_Internal_Template $_template, $code) { if (!$_template->source->handler->recompiled) { if ($_template->smarty->ext->_writeFile->writeFile($this->filepath, $code, $_template->smarty) === true) { $this->timestamp = $this->exists = is_file($this->filepath); if ($this->exists) { $this->timestamp = filemtime($this->filepath); return true; } } return false; } return true; }
咱們來關注一下這裏,$_template->smarty->ext->_writeFile->writeFile($this->filepath, $code, $_template->smarty) === true 這裏調用了writeFile函數,而後咱們跟進, 位置在 smarty-3.1.31\libs\sysplugins\smarty_internal_runtime_writefile.php
public function writeFile($_filepath, $_contents, Smarty $smarty) { $_error_reporting = error_reporting(); error_reporting($_error_reporting & ~E_NOTICE & ~E_WARNING); $_file_perms = property_exists($smarty, '_file_perms') ? $smarty->_file_perms : 0644; $_dir_perms = property_exists($smarty, '_dir_perms') ? (isset($smarty->_dir_perms) ? $smarty->_dir_perms : 0777) : 0771; if ($_file_perms !== null) { $old_umask = umask(0); } $_dirpath = dirname($_filepath); // if subdirs, create dir structure if ($_dirpath !== '.' && !file_exists($_dirpath)) { mkdir($_dirpath, $_dir_perms, true); } // write to tmp file, then move to overt file lock race condition $_tmp_file = $_dirpath . $smarty->ds . str_replace(array('.', ','), '_', uniqid('wrt', true)); // var_dump($_tmp_file); // var_dump($_contents); // exit(); if (!file_put_contents($_tmp_file, $_contents)) { error_reporting($_error_reporting); throw new SmartyException("unable to write file {$_tmp_file}"); }
這裏執行了 file_put_contents($_tmp_file, $_contents), 生成文件。此時咱們將要執行的代碼已經寫入了, 寫入的路徑由咱們最初定義的SMARTY_COMPILE_DIR常量來進行決定,這裏咱們看到值爲測試文件同一個目錄下的/tmp/templates_c。寫入的內容以下所示:
到此,其實咱們已經實現了代碼執行,咱們只須要訪問這個文件就行了,可是文件的名字太長了,實在難受。就算你通過計算而後去爆破,若是更改這裏緩存文件的位置不在web目錄。還怎麼辦?咱們看到在process函數中,在對文件模板文件編譯結束以後調用了這個:$this->loadCompiledTemplate($_smarty_tpl)。咱們來跟進:
private function loadCompiledTemplate(Smarty_Internal_Template $_smarty_tpl) { // var_dump($this->filepath);exit(); if (function_exists('opcache_invalidate') && strlen(ini_get("opcache.restrict_api")) < 1) { opcache_invalidate($this->filepath, true); } elseif (function_exists('apc_compile_file')) { apc_compile_file($this->filepath); } // 最終在這裏代碼執行 if (defined('HHVM_VERSION')) { eval("?>" . file_get_contents($this->filepath)); } else { include($this->filepath); } }
在這裏不管是否認義 HHVM_VERSION 這個常量,寫入緩存文件中的代碼都會被執行,eval("?>" . file_get_contents($this->filepath))至關於一個遠程文件包含,而這裏調用了include,而後我麼以前寫入緩存的代碼就被包含執行了。
利用的代碼不言而喻了。
相關文章
- 1. MyBB \inc\class_core.php <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse
- 2. vs code 編輯 remote script
- 3. ElasticSearch Remote Code Execution (CVE-2014-3120)
- 4. WSL + VS Code Remote真香
- 5. smarty
- 6. <<細說PHP>>
- 7. phpMyadmin /scripts/setup.php Remote Code Injection && Execution CVE-2009-1151
- 8. VS code Insiders Remote SSH鏈接問題
- 9. Webmin Unauthenticated Remote Code Execution (CVE-2019-15107)
- 10. Discuz! X2.5 /source/class/helper/helper_seo.php Remote Code Execution Vul
- 更多相關文章...
- • PHP show_source() 函數 - PHP參考手冊
- • PHP highlight_file() 函數 - PHP參考手冊
- • Github 簡明教程
- • Git可視化極簡易教程 — Git GUI使用方法
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. MyBB \inc\class_core.php <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse
- 2. vs code 編輯 remote script
- 3. ElasticSearch Remote Code Execution (CVE-2014-3120)
- 4. WSL + VS Code Remote真香
- 5. smarty
- 6. <<細說PHP>>
- 7. phpMyadmin /scripts/setup.php Remote Code Injection && Execution CVE-2009-1151
- 8. VS code Insiders Remote SSH鏈接問題
- 9. Webmin Unauthenticated Remote Code Execution (CVE-2019-15107)
- 10. Discuz! X2.5 /source/class/helper/helper_seo.php Remote Code Execution Vul