Smarty介绍
smarty是一个php模板引擎,其项目地址:https://github.com/smarty-php/smarty
测试环境搭建
下载:https://github.com/smarty-php/smarty/releases (本案例测试为smarty-3.1.31)
解压以后放在web任意路径中,然后创建一个文件进行漏洞测试。测试文件内容为:
<?php
define('SMARTY\_ROOT\_DIR', str\_replace('\\\\', '/', \_\_DIR\_\_));
define('SMARTY\_COMPILE\_DIR', SMARTY\_ROOT\_DIR.'/tmp/templates\_c');
define('SMARTY\_CACHE\_DIR', SMARTY\_ROOT\_DIR.'/tmp/cache');
include\_once(SMARTY\_ROOT\_DIR . '/smarty-3.1.31/libs/Smarty.class.php');
class testSmarty extends Smarty\_Resource\_Custom
{
protected function fetch($name, &$source, &$mtime)
{
$template = "CVE-2017-1000480 smarty PHP code injection";
$source = $template;
$mtime = time();
}
}
$smarty = new Smarty();
$smarty\->setCacheDir(SMARTY\_CACHE\_DIR);
$smarty\->setCompileDir(SMARTY\_COMPILE\_DIR);
$smarty\->registerResource('test', new testSmarty);
$smarty\->display('test:'.$\_GET\['eval'\]);
?>
漏洞的触发函数是这里的display, 也就是渲染页面以后输出结果的这个函数。
漏洞原理分析
我们来跟进smarty对象的成员方法display, 位置为 smarty-3.1.31\libs\sysplugins\smarty_internal_templatebase.php
public function display($template = null, $cache\_id = null, $compile\_id = null, $parent = null)
{
// display template
$this\->\_execute($template, $cache\_id, $compile\_id, $parent, 1);
}
我们传给display的参数就是这里的局部变量$template, 然后这里直接调用了_execute(),跟进
private function \_execute($template, $cache\_id, $compile\_id, $parent, $function)
{
$smarty = $this\->\_getSmartyObj();
$saveVars = true;
if ($template === null) {
if (!$this\->\_isTplObj()) {
throw new SmartyException($function . '():Missing \\'$template\\' parameter');
} else {
$template = $this;
}
} elseif (is\_object($template)) {
/\* @var Smarty\_Internal\_Template $template \*/
if (!isset($template\->\_objType) || !$template\->\_isTplObj()) {
throw new SmartyException($function . '():Template object expected');
}
} else {
// get template object
$saveVars = false;
// 这里调用函数创建了一个模板
$template = $smarty\->createTemplate($template, $cache\_id, $compile\_id, $parent ? $parent : $this, false);
if ($this\->\_objType == 1) {
// set caching in template object
$template\->caching = $this\->caching;
}
}
// fetch template content
$level = ob\_get\_level();
try {
$\_smarty\_old\_error\_level =
isset($smarty\->error\_reporting) ? error\_reporting($smarty\->error\_reporting) : null;
if ($this\->\_objType == 2) {
/\* @var Smarty\_Internal\_Template $this \*/
$template\->tplFunctions = $this\->tplFunctions;
$template\->inheritance = $this\->inheritance;
}
/\* @var Smarty\_Internal\_Template $parent \*/
if (isset($parent\->\_objType) && ($parent\->\_objType == 2) && !empty($parent\->tplFunctions)) {
$template\->tplFunctions = array\_merge($parent\->tplFunctions, $template\->tplFunctions);
}
if ($function == 2) {
if ($template\->caching) {
// return cache status of template
if (!isset($template\->cached)) {
$template\->loadCached();
}
$result = $template\->cached->isCached($template);
Smarty\_Internal\_Template::$isCacheTplObj\[ $template\->\_getTemplateId() \] = $template;
} else {
return false;
}
} else {
if ($saveVars) {
$savedTplVars = $template\->tpl\_vars;
$savedConfigVars = $template\->config\_vars;
}
ob\_start();
$template\->\_mergeVars();
if (!empty(Smarty::$global\_tpl\_vars)) {
$template\->tpl\_vars = array\_merge(Smarty::$global\_tpl\_vars, $template\->tpl\_vars);
}
$result = $template\->render(false, $function);
// 省略无关代码...
我们需要关心的是,我们的可控变量是如何被带入执行的:
在代码中我们可以看到调用createTemplate()创建了模板。有兴趣可以跟进去看看。我在这里直接输出得到$template被覆盖之后的值,是一个Smarty_Internal_Template对象。我就不贴出来了,太长了。
然后我们继续跟进这个render的渲染处理函数, 位置 smarty-3.1.31\libs\sysplugins\smarty_internal_template.php
public function render($no\_output\_filter = true, $display = null)
{
if ($this\->smarty->debugging) {
if (!isset($this\->smarty->\_debug)) {
$this\->smarty->\_debug = new Smarty\_Internal\_Debug();
}
$this\->smarty->\_debug->start\_template($this, $display);
}
// checks if template exists
if (!$this\->source->exists) {
throw new SmartyException("Unable to load template '{$this\->source->type}:{$this\->source->name}'" .
($this\->\_isSubTpl() ? " in '{$this\->parent->template\_resource}'" : ''));
}
// disable caching for evaluated code
if ($this\->source->handler->recompiled) {
$this\->caching = false;
}
// read from cache or render
$isCacheTpl =
$this\->caching == Smarty::CACHING\_LIFETIME\_CURRENT || $this\->caching == Smarty::CACHING\_LIFETIME\_SAVED;
if ($isCacheTpl) {
if (!isset($this\->cached) || $this\->cached->cache\_id !== $this\->cache\_id ||
$this\->cached->compile\_id !== $this\->compile\_id
) {
$this\->loadCached(true);
}
$this\->cached->render($this, $no\_output\_filter);
} else {
if (!isset($this\->compiled) || $this\->compiled->compile\_id !== $this\->compile\_id) {
$this\->loadCompiled(true);
}
$this\->compiled->render($this);
}
// 省略无关代码...
这里因为我们之前没有进行过模板缓存文件的生成,$isCacheTpl 的值为false,我们然后我们继续跟进render(), 位置 smarty-3.1.31\libs\sysplugins\smarty_template_compiled.php
public function render(Smarty\_Internal\_Template $\_template)
{
// checks if template exists
if (!$\_template\->source->exists) {
$type = $\_template\->source->isConfig ? 'config' : 'template';
throw new SmartyException("Unable to load {$type} '{$\_template\->source->type}:{$\_template\->source->name}'");
}
if ($\_template\->smarty->debugging) {
if (!isset($\_template\->smarty->\_debug)) {
$\_template\->smarty->\_debug = new Smarty\_Internal\_Debug();
}
$\_template\->smarty->\_debug->start\_render($\_template);
}
if (!$this\->processed) {
$this\->process($\_template);
}
if (isset($\_template\->cached)) {
$\_template\->cached->file\_dependency =
array\_merge($\_template\->cached->file\_dependency, $this\->file\_dependency);
}
if ($\_template\->source->handler->uncompiled) {
$\_template\->source->handler->renderUncompiled($\_template\->source, $\_template);
} else {
$this\->getRenderedTemplateCode($\_template);
}
if ($\_template\->caching && $this\->has\_nocache\_code) {
$\_template\->cached->hashes\[ $this\->nocache\_hash \] = true;
}
if ($\_template\->smarty->debugging) {
$\_template\->smarty->\_debug->end\_render($\_template);
}
}
然后可以看到 $this->process($_template)调用了process()函数, 跟进。
public function process(Smarty\_Internal\_Template $\_smarty\_tpl)
{
$source = &$\_smarty\_tpl\->source;
$smarty = &$\_smarty\_tpl\->smarty;
if ($source\->handler->recompiled) {
$source\->handler->process($\_smarty\_tpl);
} elseif (!$source\->handler->uncompiled) {
if (!$this\->exists || $smarty\->force\_compile ||
($smarty\->compile\_check && $source\->getTimeStamp() > $this\->getTimeStamp())
) {
$this\->compileTemplateSource($\_smarty\_tpl);
$compileCheck = $smarty\->compile\_check;
$smarty\->compile\_check = false;
$this\->loadCompiledTemplate($\_smarty\_tpl);
$smarty\->compile\_check = $compileCheck;
} else {
$\_smarty\_tpl\->mustCompile = true;
@include($this\->filepath);
if ($\_smarty\_tpl\->mustCompile) {
$this\->compileTemplateSource($\_smarty\_tpl);
$compileCheck = $smarty\->compile\_check;
$smarty\->compile\_check = false;
$this\->loadCompiledTemplate($\_smarty\_tpl);
$smarty\->compile\_check = $compileCheck;
}
}
$\_smarty\_tpl\->\_subTemplateRegister();
$this\->processed = true;
}
}
然后进入了这个流程, $this->compileTemplateSource($_smarty_tpl) 继续跟进。
public function compileTemplateSource(Smarty\_Internal\_Template $\_template)
{
$this\->file\_dependency = array();
$this\->includes = array();
$this\->nocache\_hash = null;
$this\->unifunc = null;
// compile locking
$saved\_timestamp = $\_template\->source->handler->recompiled ? false : $this\->getTimeStamp();
if ($saved\_timestamp) {
touch($this\->filepath);
}
// compile locking
try {
// call compiler
$\_template\->loadCompiler();
$this\->write($\_template, $\_template\->compiler->compileTemplate($\_template));
}
catch (Exception $e) {
// restore old timestamp in case of error
if ($saved\_timestamp) {
touch($this\->filepath, $saved\_timestamp);
}
unset($\_template\->compiler);
throw $e;
}
// release compiler object to free memory
unset($\_template\->compiler);
}
然后进入到 $this->write($_template, $_template->compiler->compileTemplate($_template)) 我们来看一下write()是怎么实现的:
public function write(Smarty\_Internal\_Template $\_template, $code)
{
if (!$\_template\->source->handler->recompiled) {
if ($\_template\->smarty->ext->\_writeFile->writeFile($this\->filepath, $code, $\_template\->smarty) === true) {
$this\->timestamp = $this\->exists = is\_file($this\->filepath);
if ($this\->exists) {
$this\->timestamp = filemtime($this\->filepath);
return true;
}
}
return false;
}
return true;
}
我们来关注一下这里,$_template->smarty->ext->_writeFile->writeFile($this->filepath, $code, $_template->smarty) === true 这里调用了writeFile函数,然后我们跟进, 位置在 smarty-3.1.31\libs\sysplugins\smarty_internal_runtime_writefile.php
public function writeFile($\_filepath, $\_contents, Smarty $smarty)
{
$\_error\_reporting = error\_reporting();
error\_reporting($\_error\_reporting & ~E\_NOTICE & ~E\_WARNING);
$\_file\_perms = property\_exists($smarty, '\_file\_perms') ? $smarty\->\_file\_perms : 0644;
$\_dir\_perms =
property\_exists($smarty, '\_dir\_perms') ? (isset($smarty\->\_dir\_perms) ? $smarty\->\_dir\_perms : 0777) : 0771;
if ($\_file\_perms !== null) {
$old\_umask = umask(0);
}
$\_dirpath = dirname($\_filepath);
// if subdirs, create dir structure
if ($\_dirpath !== '.' && !file\_exists($\_dirpath)) {
mkdir($\_dirpath, $\_dir\_perms, true);
}
// write to tmp file, then move to overt file lock race condition
$\_tmp\_file = $\_dirpath . $smarty\->ds . str\_replace(array('.', ','), '\_', uniqid('wrt', true));
// var\_dump($\_tmp\_file);
// var\_dump($\_contents);
// exit();
if (!file\_put\_contents($\_tmp\_file, $\_contents)) {
error\_reporting($\_error\_reporting);
throw new SmartyException("unable to write file {$\_tmp\_file}");
}
这里执行了 file_put_contents($_tmp_file, $_contents), 生成文件。此时我们将要执行的代码已经写入了, 写入的路径由我们最初定义的SMARTY_COMPILE_DIR常量来进行决定,这里我们看到值为测试文件同一个目录下的/tmp/templates_c。写入的内容如下所示:
到此,其实我们已经实现了代码执行,我们只需要访问这个文件就好了,但是文件的名字太长了,实在难受。就算你经过计算然后去爆破,如果更改这里缓存文件的位置不在web目录。还怎么办?我们看到在process函数中,在对文件模板文件编译结束之后调用了这个:$this->loadCompiledTemplate($_smarty_tpl)。我们来跟进:
private function loadCompiledTemplate(Smarty\_Internal\_Template $\_smarty\_tpl)
{
// var\_dump($this->filepath);exit();
if (function\_exists('opcache\_invalidate') && strlen(ini\_get("opcache.restrict\_api")) < 1) {
opcache\_invalidate($this\->filepath, true);
} elseif (function\_exists('apc\_compile\_file')) {
apc\_compile\_file($this\->filepath);
}
// 最终在这里代码执行
if (defined('HHVM\_VERSION')) {
eval("?>" . file\_get\_contents($this\->filepath));
} else {
include($this\->filepath);
}
}
在这里无论是否定义 HHVM_VERSION 这个常量,写入缓存文件中的代码都会被执行,eval("?>" . file_get_contents($this->filepath))相当于一个远程文件包含,而这里调用了include,然后我么之前写入缓存的代码就被包含执行了。
利用的代码不言而喻了。