[CISCN2019 South China Division]Web11

[CISCN2019 South China Division]Web11

headerSee the question of smarty ssti once

smart ssti:
smart is the template engine of php. The function of the template engine is to separate the front-end page and data. The URL of the API displayed in the title cannot be used due to environmental reasons, but our IP is still displayed on the page., and according to its prompt XFF, we can easily think of constructing ssti:payload in X-Forwarded-For.

Here's another image:

According to the hint on the page, it is likely to be constructed in the XFF header:
Test:

Smarty ssti does exist
Saw another master's wp:

Smarty supports the use of {php}{/php} tags to execute the php instructions wrapped in them, then we can use the {php}{/php} tags to construct the payload, but this question will report an error
Because the current smartThis label is no longer used.
You can check the version with {$smarty.version}.

Tested it and it did


This version no longer supports php tags

Although the php tag cannot be used, there is an {if} tag.Smarty's {if} conditional judgment is very similar to PHP's if
, but with some additional features.Each {if} must have a matching {/if}. {else} and {elseif} can also be used.
All PHP conditional expressions and functions can be used inside if, such as *||*,or,&&,and,is_array(), etc.

Since all PHP conditional expressions and functions can be used inside if, we can also write PHP code inside.{if phpinfo()}{/if}

Execute {if phpinfo()}{/if}try

Successful echo
Execute the command directly: {if system('cat /flag')}{/if}

Principle introduction, refer to In another master’s wp:

require_once('./smarty/libs/' . 'Smarty.class.php');$smarty = new Smarty();$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];//Get XFF$smarty->display("string:".$ip);//This is not in the smart template format, but in the form of a string, so our tag will be parsed, that is, if, and the content will be echoed to the corresponding position on the page after parsing}