from 90sec
漏洞文件:
/system/module/file/model.php

public function pasteImage($data, $uid)
    {
     
        $data = str_replace('"', '"', $data);
 
        if(!$this->checkSavePath()) return false;
        ini_set('pcre.backtrack_limit', strlen($data));
        preg_match_all('/<img src="(data:image/(S+);base64,(S+))" .+ />/U', $data, $out);
        foreach($out[3] as $key => $base64Image)
        {
            $imageData = base64_decode($base64Image);
            $imageSize = array('width' => 0, 'height' => 0);
            $file['id']        = $key;
            $file['extension'] = $out[2][$key];
            $file['size']      = strlen($imageData);
            $file['addedBy']   = $this->app->user->account;
            $file['addedDate'] = helper::today();
            $file['title']     = basename($file['pathname']);
            $file['pathname']  = $this->setPathName($file);
            $file['editor']    = 1;
            file_put_contents($this->savePath . $file['pathname'], $imageData);
            $this->compressImage($this->savePath . $file['pathname']);
 
            $imageSize      = $this->getImageSize($this->savePath . $file['pathname']);
            $file['width']  = $imageSize['width'];
            $file['height'] = $imageSize['height'];
            $file['lang']   = 'all';
 
            $this->dao->insert(TABLE_FILE)->data($file)->exec();
            $_SESSION['album'][$uid][] = $this->dao->lastInsertID();
 
            $data = str_replace($out[1][$key], $this->webPath . $file['pathname'], $data);
        }
 
      return $data;
    }

主要观察的地方是file_put这里,我们看看哪里可控。$imageData是由穿入的内容经过正则匹配然后遍历经过base64解码出来的内容。
$this->savePath . $file['pathname']
$this->savePath 不可控,$file['pathname']目前不知道
先看看这个函数从哪里调用过来的
关联文件:/system/module/file/control.php

public function ajaxPasteImage($uid)
    {
        if($_POST)
        {
            echo $this->file->pasteImage($this->post->editor, $uid);
        }
}

Uid就不多说了,首先肯定是当post请求的时候才能够进入我们发现隐患的函数,这个不困难
data是由editor参数传入的,uid不确定是否能够控制但目前的条件来说无关紧要,继续回到原来的地方

foreach($out[3] as $key => $base64Image)
        {
            $imageData = base64_decode($base64Image);
            $imageSize = array('width' => 0, 'height' => 0);
            $file['id']        = $key;
            $file['extension'] = $out[2][$key];
            $file['size']      = strlen($imageData);
            $file['addedBy']   = $this->app->user->account;
            $file['addedDate'] = helper::today();
            $file['title']     = basename($file['pathname']);
            $file['pathname']  = $this->setPathName($file);
            $file['editor']    = 1;

Data既然是可控的，那么自然out[3]也是可控内容,这里的 $file['extension'] = $out2;是赋值后缀,$key可控的。但这里重点关注的是file['pathname'] = $this->setPathName($file);我们唯一不能控值的pathname是从这里赋出来的,先跟入函数看看

public function setPathName($file, $objectType = 'upload')
    {
        if(strpos('slide,source,themePackage', $objectType) === false)
        {
            $sessionID  = session_id();
            $randString = substr($sessionID, mt_rand(0, strlen($sessionID) - 5), 3);
            $pathName   = date('Ym/dHis', $this->now) . $file['id'] . mt_rand(0, 10000) . $randString;
        }
        elseif($objectType == 'source') 
        {
            /* Process file path if objectType is source. */
            $template = $this->config->template->{$this->app->clientDevice}->name;
            $theme    = $this->config->template->{$this->app->clientDevice}->theme;
            return "source/{$template}/{$theme}/{$file['title']}.{$file['extension']}";
        }
        elseif($objectType == 'themePackage')
        {
            return "{$file['title']}.{$file['extension']}"; 
        }
         
        /* rand file name more */
        list($path, $fileName) = explode('/', $pathName);
        $fileName = md5(mt_rand(0, 10000) . str_shuffle(md5($fileName)) . mt_rand(0, 10000));
        return $path . '/f_' . $fileName . '.' . $file['extension'];
    }

前面的if都是不具备条件的自然是执行最后的操作,但这里看见没$file['extension']是后缀,是我们可以控制的,那么就是可以getshell了。。。。
本地复现下试试: