How to use Smarty SSTi
Title description
The title provides an api for reading XFF headers. There are words Build With Smarty at the bottom of the page. It can be determined that it is written with the Smarty engine.
Basically ok Determine the possibility of SSTi on this page
Change the xff header from 127.0.0.1 to 127.0.0{1 2} and the following result will appear
ssti is undoubtedly
The final payload is
X-Forwarded-For: {if var_dump(file_get_contents('/flag')) }{/if }
Smarty SSTI Utilization
Smarty is developed based on PHP. The utilization methods of Smarty’s SSTI are very different from the common SSTI of flask. Big difference.
Vulnerability Confirmation
Generally, you can see the returned smarty version number by entering {$smarty.version}. The Smarty version of this topic is 3.1.30
General Usage
Smarty supports using the {php}{/php} tag to execute the wrapped code php command, the most conventional idea is to test the tag first. But as far as this topic is concerned, using the {php}{/php} tag will report an error:
The official manual of Smarty3 has the following description:
Smarty has deprecated the {php} tag and it is strongly recommended not to use it. In Smarty 3.1, {php} is only available in SmartyBC.
This question uses the Smarty class, so we can only find another way.
{literal} tag
The official manual describes this tag as follows:
{literal} allows the characters in a template area to be output as is. This is often used to protect Javascript or CSS stylesheets on the page from being parsed incorrectly due to Smarty delimiters.
Then for the php5 environment, we can use
<script language="php">phpinfo();</script>
to implement PHP code execution, but the question environment of this question is PHP7, so this method is invalid.
Static method
Getting the Smarty class through self and then calling its static method to read and write files is adopted by many articles on the Internet.
The code of the getStreamVariable method of the Smarty class is as follows:
public function getStreamVariable($variable)
{
$_result = '';
$fp = fopen($variable, 'r+');
if ($fp) {
while (!feof($fp) && ($current_line = fgets($fp)) !== false) {
$_result .= $current_line;
}
fclose($fp);
return $_result;
}
$smarty = isset($this->smarty) ? $this->smarty : $this;
if ($smarty->error_unassigned) {
throw new SmartyException('Undefined stream variable "' . $variable . '"');
} else {
return null;
}
}You can see that this method can read a file and return its content, so we can use self to obtain the Smarty object and call this method , the payload given in many articles is in the form: {self::getStreamVariable("file:///etc/passwd")}. However, using this payload will trigger the following error:
Fatal error: Uncaught --> Smarty Compiler: Syntax error in template "string: Current IP:{self::getStreamVariable('file:///etc/passwd')}" static class 'self' is undefined or not allowed by security setting <-- thrown in /var/www/html/smarty/ libs/sysplugins/smarty_internal_templatecompilerbase.phpon line 12
It can be seen that the SSTI utilization method of this old version of Smarty is not applicable to the new version of Smarty. Moreover, this static method has been officially deleted in Smarty version 3.1.30. The writeFile method of the Smarty_Internal_Write_File class mentioned in those articles to write the shell cannot be used for the same reason.
{if} Tag
I saw this description in the official documentation:
Smarty’s {if}Conditional judgment and PHP’s if is very similar, just with some added features. Each {if} must have a matching {/if}. {else} and {elseif} can also be used. All PHP conditional expressions and functions can be used within if, such as ||, or, &&, and, is_array(), etc.
Since all PHP functions can be used, can we How about using this to execute our code?
As mentioned at the beginning
The vulnerability code of the question
is read through the file after getshell. The code that causes SSTI in this question is simplified as follows:
display("string:".$ip);
}
You can see that strings are used instead of smarty templates, which causes the injected Smarty tags to be directly parsed and executed, resulting in SSTI.
The above is the detailed content of How to use Smarty SSTi. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1378
52
How does PHP prevent SSTI attacks?
Jun 30, 2023 am 09:36 AM
How to use PHP to defend against Server-SideTemplateInjection (SSTI) attacks Introduction: Server-SideTemplateInjection (SSTI) is a common web application security vulnerability. An attacker can cause the server to execute arbitrary code by injecting malicious code into the template engine, thereby causing Serious safety hazard. In PHP applications, SST can be exposed when user input is not handled correctly
How to use PHP and Smarty to achieve front-end and back-end separation development
Jun 25, 2023 pm 01:46 PM
In modern web development, the separation of front-end and back-end has become a very popular trend, which allows developers to better organize projects and improve the efficiency of project development. PHP and Smarty are two very commonly used technologies, which can be used to achieve front-end and back-end separation development. This article will introduce how to use PHP and Smarty to achieve front-end and back-end separation development. What is front-end and back-end separation development? In traditional web development, the front-end is mainly responsible for the presentation of the page and the logic of interaction with the back-end. The backend is mainly responsible for the business
A preliminary study on the template engine Smarty in PHP
May 11, 2023 pm 05:15 PM
Nowadays, website development is inseparable from an important component-template engine. A template engine refers to a tool that combines page templates and data to generate HTML code with a specific format. In various website development frameworks, the template engine is an essential component, because the template engine can greatly reduce the duplication of code and improve the dynamics of the page. One of the most common and popular template engines is Smarty. Smarty is a DSL (DomainSpecif
How to use Smarty template engine in PHP development
Jun 27, 2023 pm 01:28 PM
As a PHP developer, using a template engine is a natural choice. Smarty is a popular template engine that provides a way to separate HTML/CSS/JavaScript from PHP code, allowing developers to better organize and manage projects. In this article, we will learn how to use Smarty template engine during PHP development. 1. Install Smarty Before, we must install Smarty. In this article we will use Composer to install
How to use PHP and the Smarty template engine
May 11, 2023 pm 03:33 PM
PHP is a powerful server-side scripting language that can be used to develop web applications. In the early days of web development, programmers used a lot of HTML and JavaScript code to develop web applications. However, this approach is difficult to maintain and manage because the HTML and JavaScript code can become very complex. To solve this problem, the Smarty template engine was created. Smarty is a template engine developed based on PHP for managing and generating W
Application of template engine Smarty in PHP development
Jun 14, 2023 pm 02:02 PM
With the rapid development and upgrading of the Internet, PHP, as a programming language widely used in Web application development, has gradually become a very popular programming language in the industry. However, in the PHP development process, traditional code implementation methods often lead to a decrease in code readability and maintainability. At this time, an efficient template engine becomes one of the solutions. Among many template engines, Smarty has become a popular choice among PHP developers due to its powerful functions and good performance. This article will detail
How to use Smarty with CakePHP?
Jun 03, 2023 pm 03:10 PM
CakePHP is an open source PHP framework that provides rich features and tools to accelerate web application development. One of the powerful features is the template engine. By default, CakePHP uses PHP's native syntax for view rendering. However, sometimes we may want to use another template engine, such as Smarty. This article will introduce how to use Smarty in CakePHP. 1. What is Smarty? Smarty is a template-based PHP framework that
what are thinkphp and smarty
Jun 14, 2022 pm 05:56 PM
thinkphp is an open source lightweight PHP framework that is used to simplify enterprise application development and agile WEB application development; using ThinkPHP, developers can develop and deploy applications more conveniently and quickly. Smarty is a PHP template engine that can better help developers separate program logic and page display (separation of business logic and display logic), so that programmers can change the logic content of the program without affecting the page design of the front-end staff, and the front-end staff can re- Modifying the page will not affect the program logic of the program.
