Closed riramar closed 6 years ago
I'm having almost the same but with a Python webapp! Any fix or way to exploit it?!
That's probably a false positive. Blind testing is time-based, so slowing down the application/network would result in a false positive. If you want to investigate the low-level requests, proxify tplmap and analyze the positive requests.
I confirmed that the problem is reproduced on the test environment of tplmap.
Reproduction procedure:
cd /path/to/tplmap/docker-envs; docker-compose rm -f && docker-compose up tplmap_test_php
Confirm that smarty-3.1.29-secured.php is not injectable
python2 tplmap.py -u 'http://localhost:15002/smarty-3.1.29-secured.php?inj=*&blind=1' -e smarty
[+] Tplmap 0.4
Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'inj' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[!][checks] Tested parameters appear to be not injectable. Try to increase '--level' value to perform more tests.
Confirm that smarty-3.1.29-unsecured.php is injectable
python2 tplmap.py -u 'http://localhost:15002/smarty-3.1.29-unsecured.php?inj=*&blind=1' -e smarty
[+] Tplmap 0.4
Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'inj' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Smarty plugin has confirmed blind injection
[+] Tplmap identified the following injection point:
GET parameter: inj
Engine: Smarty
Injection: *
Context: text
OS: undetected
Technique: blind
Capabilities:
Shell command execution: ok (blind)
Bind and reverse shell: ok
File write: ok (blind)
File read: no
Code evaluation: ok, php code (blind)
[+] Rerun tplmap providing one of the following options:
--os-shell Run shell on the target
--os-cmd Execute shell commands
--bind-shell PORT Connect to a shell bind to a target port
--reverse-shell HOST PORT Send a shell back to the attacker's port
--upload LOCAL REMOTE Upload files to the server
Scan smarty-3.1.29-secured.php again, then it becomes injectable
python2 tplmap.py -u 'http://localhost:15002/smarty-3.1.29-secured.php?inj=*&blind=1' -e smarty
[+] Tplmap 0.4
Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'inj' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Smarty plugin has confirmed blind injection
[+] Tplmap identified the following injection point:
GET parameter: inj
Engine: Smarty
Injection: *
Context: text
OS: undetected
Technique: blind
Capabilities:
Shell command execution: no
Bind and reverse shell: no
File write: no
File read: no
Code evaluation: ok, php code (blind)
[+] Rerun tplmap providing one of the following options:
Now, analyzing without using tplmap.
Confirm that smarty-3.1.29-secured.php is not injectable
request
GET /smarty-3.1.29-secured.php?blind=1&inj={php}sleep(4);{/php} HTTP/1.1
Host: localhost:15002
<br />
<b>Fatal error</b>: Uncaught --> Smarty Compiler: Syntax error in template "string:{php}sleep(4);{/php}" on line 1 "{php}sleep(4);{/php}" {php}{/php} tags not allowed. Use SmartyBC to enable them <--
thrown in <b>/tests/lib/smarty-3.1.29/libs/sysplugins/smarty_internal_templatecompilerbase.php</b> on line <b>1</b><br />
Confirm that smarty-3.1.29-unsecured.php is injectable (blind)
request
GET /smarty-3.1.29-unsecured.php?blind=1&inj={php}sleep(4);{/php} HTTP/1.1
Host: localhost:15002
J7VQvumBFc
Test smarty-3.1.29-secured.php again, then it becomes injectable (blind)
request
GET /smarty-3.1.29-secured.php?blind=1&inj={php}sleep(4);{/php} HTTP/1.1
Host: localhost:15002
JLaS43hi2D
I believe that this strange behavior is caused by Smarty's cache mechanism. I straced the php process and saw that the same template cache file was re-used. I know this is a rare case, so it might not match the case @riramar reported.
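To make the cache explanation above concrete from the hardening side, here is an added PHP example; it is not tplmap's or Smarty's own code and does not claim to reproduce what the docker test files actually configure. It assumes Smarty 3.1.x installed via Composer (so `vendor/autoload.php` provides `Smarty`, `SmartyBC` and `SmartyCompilerException`), and that a permissive instance (`SmartyBC`, `{php}` tags allowed) and a hardened instance (default `Smarty_Security` policy) run on the same host. Directory names and the marker template are constructed for the example. If jx6f's explanation holds, the "weak" setup lets the hardened instance pick up the compiled file the permissive instance produced, while the "isolated" setup makes it reject the template the way the first scan of `smarty-3.1.29-secured.php` did.

```php
<?php
// Added example, not tplmap's or Smarty's own code. Assumes Smarty 3.1.x via
// Composer; both instances share a filesystem, as in the docker test env above.
require_once __DIR__ . '/vendor/autoload.php';

// Constructed marker template: the permissive instance compiles it, and the
// question is whether a hardened instance ever executes that compiled result.
const MARKER_TEMPLATE = 'string:{php}echo "php-tag-executed";{/php}';

function makePermissive(string $compileDir): SmartyBC
{
    $smarty = new SmartyBC();            // legacy class that still allows {php}
    $smarty->setCompileDir($compileDir);
    return $smarty;
}

function makeHardened(string $compileDir, ?string $compileId): Smarty
{
    $smarty = new Smarty();
    $smarty->setCompileDir($compileDir);
    if ($compileId !== null) {
        $smarty->compile_id = $compileId; // becomes part of the compiled file name
    }
    $smarty->enableSecurity();           // default Smarty_Security policy
    return $smarty;
}

// 'rejected' is the only acceptable outcome: the hardened instance refused to
// compile the {php} block. 'executed' means a compiled file was reused.
function probeHardened(Smarty $hardened): string
{
    try {
        $out = $hardened->fetch(MARKER_TEMPLATE);
        return strpos($out, 'php-tag-executed') !== false ? 'executed' : 'unknown';
    } catch (SmartyCompilerException $e) {
        return 'rejected';
    }
}

// Weak setting: one shared compile directory and no compile_id separation, so
// compiled files are keyed only by template source and can cross trust levels.
function weakSetup(): array
{
    $shared = sys_get_temp_dir() . '/smarty_compile_shared';     // constructed
    return [makePermissive($shared), makeHardened($shared, null)];
}

// Corrected setting: a compile directory per trust level plus a compile_id, so
// the hardened instance cannot find anything the permissive one compiled.
function isolatedSetup(): array
{
    $base = sys_get_temp_dir();                                   // constructed
    return [
        makePermissive($base . '/smarty_compile_permissive'),
        makeHardened($base . '/smarty_compile_hardened', 'hardened'),
    ];
}

foreach (['weak' => weakSetup(), 'isolated' => isolatedSetup()] as $name => [$permissive, $hardened]) {
    $permissive->fetch(MARKER_TEMPLATE);   // step 1: permissive instance compiles it
    printf("%-8s setup: hardened instance %s the {php} template\n",
        $name, probeHardened($hardened));  // step 2: hardened instance asked for it
}
```

The check to carry into a real deployment is the last line of output for each setup: any configuration in which the hardened instance reports `executed` is one where the security policy is being bypassed by a compiled artifact rather than by the template source. Separate `compile_dir` values per trust level are the robust fix; `compile_id` alone only works if every caller sets it, and `force_compile = true` removes the reuse entirely at the cost of recompiling on every request.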
Fixed @jx6f issue, closing this.
Got the results below but it doesn't give any options to rerun. Is there a way to take some advantage from that?