gongfuxiang / shopxo


ShopXO enterprise-grade free open-source e-commerce system: visual drag-and-drop DIY page design; covers PC, H5, multi-platform mini programs (WeChat + Alipay + Baidu + Toutiao & Douyin + QQ + Kuaishou), APP, multi-warehouse, multi-merchant, multi-store, IM customer service and ERP (purchase/sales/inventory); released under the MIT open-source license; built on the ThinkPHP8 framework.

Home Page: https://shopxo.net/

License: MIT License

Languages: PHP 31.48%, HTML 15.05%, Batchfile 0.01%, Shell 0.01%, JavaScript 40.44%, CSS 8.63%, Smarty 0.11%, PLpgSQL 4.29%
Topics: b2c, thinkphp, shopxo-b2c, shop, shopxo

shopxo's Introduction


ShopXO enterprise-grade free open-source e-commerce system

If this project helps you, click "Star" in the upper right corner to bookmark it and receive updates first. Thank you!

Project introduction

ShopXO: a free open-source enterprise-grade e-commerce system for the Chinese market!

  • Pragmatic, innovative and focused, independently developed: an enterprise-grade e-commerce solution for Chinese businesses.
  • Released under the MIT open-source license: no authorization required, commercial use and secondary development allowed, covers 99% of e-commerce operation needs.
  • Supports responsive PC + mobile, standalone H5, mini programs (Alipay, WeChat, Baidu, Toutiao & Douyin, QQ, Kuaishou) and APP (iOS, Android).
  • Supports multi-warehouse, multi-merchant, multi-store and ERP (componentized plugins, plug and play), plus visual drag-and-drop DIY page design.

Demo QR code (image)

Basic information

| Name | URL | Name | URL |
|---|---|---|---|
| Demo site | https://demo.shopxo.net/ | Installation guide | https://install.shopxo.net/ |
| Changelog | https://log.shopxo.net/ | Documentation | https://doc.shopxo.net/ |
| License | https://license.shopxo.net/ | Mobile (uniapp) | https://uniapp.shopxo.net/ |

Official QQ groups (join-question answer: shopxo.net)

| Official group 1 | Official group 2 | Official group 3 | Official group 4 | Official multi-merchant group | Official multi-store group | Official ERP group | Official uniapp group |
|---|---|---|---|---|---|---|---|
| 833531593 | 641730223 | 1127073697 | 323523483 | 782971010 | 281418967 | 719894308 | 679303149 |

Source code platforms for this project

| Platform | URL |
|---|---|
| Gitee | https://gitee.com/zongzhige/shopxo |
| GitHub | https://github.com/gongfuxiang/shopxo |
| Coding | https://zongzhige.coding.net/public/shopxo/shopxo/git |
| GitCode | https://gitcode.com/zongzhige/shopxo |

uniapp client source code platforms

| Platform | URL |
|---|---|
| Gitee | https://gitee.com/zongzhige/shopxo-uniapp |
| GitHub | https://github.com/gongfuxiang/shopxo-uniapp |
| Coding | https://zongzhige.coding.net/public/shopxo/uniapp/git |
| GitCode | https://gitcode.com/zongzhige/shopxo-uniapp |
| uni-app | https://ext.dcloud.net.cn/plugin?id=6380 |

Selected features

| Name | Description |
|---|---|
| Multiple modes | Sales + self-pickup + virtual + display + sales/self-pickup; independent stock management per warehouse; visual drag-and-drop DIY page design |
| Distribution | Configurable 1 to 3 levels, share to earn commission, mini-program product posters, pickup points, commission configurable down to the SKU (percentage or fixed amount) |
| Member levels | Level discounts (down to product specs), spend-and-save, manual level assignment, paid membership + renewal + three-level rebate |
| Flash sales | Standalone flash-sale center, countdown on the product detail page, automatic start and end |
| Coupons | Spend-and-save coupons, discount coupons, sign-up gifts, user claiming, admin issuing |
| Wallet | User wallet, online top-up (fixed-amount or percentage bonus + custom bonus), withdrawal requests |
| WeChat mini-program live streaming | Poster sharing, live-stream list on the web side, supports independent multi-merchant mode |
| Points mall + check-in | Points deduction, points redemption, unlimited check-in campaigns to earn points |
| Multi-merchant | Merchant onboarding, independent shops (subdomain / deposit / agent mode), shop levels (purchase / upgrade / feature limits), visual drag-and-drop DIY + page design, automatic order splitting across merchants; shop, product (platform products selectable), category, settlement, order management, review replies, shipping-fee settings and statistics; works together with plugins (electronic waybill batch export and shipping, WeChat mini-program live streaming, distribution, coupons, flash sales) |
| Multi-store | Order dispatch + transfer + redemption + ordering on behalf of customers + products (independent price + stock + products) + batches + punch cards + automatic staff salary commission + top-up + cashier + table codes + O2O store operation; combines online and offline, suited to community, catering, beauty and hairdressing, online booking, in-store consumption, self-pickup, delivery and express; supports Dada delivery |
| Wholesale | Tiered pricing, separate configuration for first purchase and repurchase, unlimited price tiers, configurable down to specs |
| Customer service | Unified multi-platform online customer service; supports emoji / images / video / quick replies, real-time online/offline notices, real-time typing status, instant consultation from web pages and mini programs, offline notification (SMS + email), product cards; can be packaged as a customer-service workbench APP |
| ERP (purchase/sales/inventory) | Purchasing (receipt / return), sales (shipping / return), custom template printing + export to Excel + PDF, product Excel batch import + multiple units + multi-warehouse bin locations, stocktaking + transfers, other inbound/outbound, customers and suppliers + member levels, purchase/sales receivables and payables, two-way sync between shop products and ERP products, automatic sync of shop orders with batch shipping |
| Product bundles | Bundle several products at a fixed price or discount, product set combos where the user picks 2 or more items, related-product marketing, bundled sales to raise conversion; supports multi-merchant |
| Delivery riders | Self-built same-city delivery system: rider management, dispatch center (draw a radius on the map to batch-dispatch and print, watch orders and rider locations in real time), rider WeChat mini program with real-time positioning |

Screenshots

The README continues with screenshots (images not reproduced here) under the headings: System features, Full platform support, Mini program color schemes, Mini program pages, PC storefront, Admin backend, Visual drag-and-drop DIY design, System management modules, User-side modules, Extended features, and Honors (GVP certificate).

How to contribute

Contributions to ShopXO's development are very welcome! You can contribute to ShopXO in the following way:

Submit fixes via Pull Request, and improve our documentation and examples.

shopxo's People

Contributors

afubao, captainchaozi, chulaixi, crazys1973, ecshoper, gongfuxiang, lvxin0315, ntdgg, yangxindan, yx3000


shopxo's Issues

XSS vulnerability

After the template file of 'index.php?s=order/index' is parsed, there is a controllable variable here.
By using the payload index.php?s=order&ids="><script>alert(1);</script>, we can get an XSS alert. But it requires that someone is logged in, so a hacker can get the user's cookies when they visit the evil link.

Can overselling happen?

For example, a product has 1 unit in stock; A and B both read it at the same time and both place an order, and the stock ends up at -1.

I skimmed the source code and don't seem to see any locking.
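One way to close the race this issue describes, as an added example that is not ShopXO's own code: make the stock check and the decrement a single conditional UPDATE, so the database refuses the second order instead of letting stock go negative. The goods table and its inventory column are constructed for the demo in an in-memory SQLite database; the same SQL is portable to MySQL.

```php
<?php
// Added example, not ShopXO code: atomic stock deduction with a conditional UPDATE.
// The goods table is constructed for the demo in an in-memory SQLite database.
function makeDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE goods (id INTEGER PRIMARY KEY, inventory INTEGER NOT NULL)');
    $pdo->exec('INSERT INTO goods (id, inventory) VALUES (1, 1)');   // exactly one unit left
    return $pdo;
}

// Returns true only if this call actually took the units. Because the predicate
// "inventory >= quantity" is part of the same UPDATE, the read and the write cannot be
// interleaved with another buyer's: whichever order the database serialises second
// matches zero rows and is refused, so stock never drops below zero. There is no
// SELECT-then-UPDATE window and no application-level lock to forget.
function deductInventory(PDO $pdo, int $goodsId, int $qty): bool
{
    if ($qty <= 0) {
        throw new InvalidArgumentException('quantity must be positive');
    }
    $stmt = $pdo->prepare(
        'UPDATE goods SET inventory = inventory - :qty WHERE id = :id AND inventory >= :need'
    );
    $stmt->execute([':qty' => $qty, ':id' => $goodsId, ':need' => $qty]);
    return $stmt->rowCount() === 1;
}

// Two orders for the last unit, in the sequence the issue describes: the first one
// takes the unit, the second is refused, and the remaining stock is reported back.
function demoTwoBuyers(): array
{
    $pdo    = makeDemoDb();
    $first  = deductInventory($pdo, 1, 1);
    $second = deductInventory($pdo, 1, 1);
    $left   = (int) $pdo->query('SELECT inventory FROM goods WHERE id = 1')->fetchColumn();
    return ['first' => $first, 'second' => $second, 'left' => $left];
}
```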

Arbitrary file deletion vulnerability in the admin backend

The file deletion function in the admin backend does not validate the file name, so ../ can be used to traverse upward and delete arbitrary directories; deleting the install directory (where the lock file lives) makes it possible to reinstall the system.
In the Appminialipaylist.php file, params is user-controlled.
Entering the delete method: when the name does not end in zip, it is treated as a directory.
Following into the UnlinkDir method in FileUtil.php: the method only checks whether the target is a directory and finally calls rmdir.

Click delete, intercept and modify the request, and the deletion succeeds.
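A path-confinement check of the kind this report calls for, added here as an example and not taken from ShopXO: the delete target is resolved with realpath and must remain strictly inside the allowed base directory. The function and directory names are the example's own, and the demo layout is constructed in a temporary directory.

```php
<?php
// Added example, not ShopXO code: confine a user-supplied directory name to one base
// directory before deleting anything. Resolve both to real paths and require the target
// to sit strictly below the base; reject traversal and absolute names up front.
function resolveDeletableDir(string $baseDir, string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false || strpos($name, '..') !== false
        || $name[0] === '/' || $name[0] === '\\') {
        return null;                                   // hostile shape, do not even look
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false || !is_dir($target)) {
        return null;                                   // missing base or target
    }
    // Compare with a trailing separator so "/data/app" cannot match "/data/app2", and
    // refuse the base itself: a delete endpoint must never remove its own root.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target === $base || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                                   // resolved outside the base (symlinks too)
    }
    return $target;
}

// Demo on a throw-away layout constructed for the example: an uploads area next to an
// install directory, mirroring the lock-file directory the report is about. Only the
// name that stays inside the uploads area resolves; traversal, an absolute path and
// the base directory itself are all refused.
function demoDeleteGuard(): array
{
    $root = sys_get_temp_dir() . '/shopxo_demo_' . bin2hex(random_bytes(4));
    mkdir("$root/uploads/pkg_a", 0700, true);
    mkdir("$root/install", 0700, true);
    $results = [
        'inside'   => resolveDeletableDir("$root/uploads", 'pkg_a') !== null,
        'traverse' => resolveDeletableDir("$root/uploads", '../install') !== null,
        'absolute' => resolveDeletableDir("$root/uploads", "$root/install") !== null,
        'root'     => resolveDeletableDir("$root/uploads", '.') !== null,
    ];
    foreach (["$root/uploads/pkg_a", "$root/uploads", "$root/install", $root] as $d) {
        rmdir($d);
    }
    return $results;
}
```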

Reinstallation vulnerability

Hello:
I work at 360 Code Guard (360代码卫士). During our open-source code audit we found a system reinstallation vulnerability in shopxo; the details are as follows:
In shopxo\application\install\controller\Index.php, the Add method does not check the lock file, so an attacker can reinstall the database.
Construct the following POST request:

You can see that a new database named shopxo2 was created in the local database; in a real scenario an attacker could enable remote connections on the database of their own public server and connect to their own database.

The most critical point is that the database configuration file is also modified.
Here one could getshell by writing PHP code; since this is on GitHub I won't go into detail. If you are interested in the subsequent getshell steps, I'd be happy to share them by email.

WeChat Pay reports an invalid spbill_create_ip error when using a CDN.

I looked into the cause: after enabling the CDN, the user IP returned by the built-in GetClientIP function is:
218.17.xx.xx,218.93.204.51,36.42.75.103
i.e. a comma-separated triple, where the last two are CDN node IPs.

```php
$ips = explode(',', $onlineip);
```
Suggestion: `return reset($ips);`
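The header parsing this issue touches on, as an added example that is not ShopXO's GetClientIP: taking the first comma-separated entry is only safe once the trusted CDN hops have been peeled off from the right, because the leftmost entry is whatever the client chose to send. The CDN and client addresses below are constructed documentation-range values, not the ones in the issue.

```php
<?php
// Added example, not ShopXO code: recover the client IP behind a CDN from
// X-Forwarded-For. The header grows from the left (client first, each proxy appends),
// so walk it from the right, discard the proxies we trust, and take the first address
// that is not ours. Anything further left was written by the client and is ignored.
function clientIpFromForwardedFor(string $remoteAddr, string $xff, array $trustedProxies): string
{
    // If the TCP peer itself is not a trusted proxy, the header cannot be trusted at all.
    if (!in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }
    $hops   = array_map('trim', explode(',', $xff));
    $hops[] = $remoteAddr;                        // the peer is the rightmost hop
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $ip = $hops[$i];
        if (in_array($ip, $trustedProxies, true)) {
            continue;                             // one of our CDN nodes, keep walking left
        }
        // First address that is not ours: accept it only if it is a syntactically valid IP.
        return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : $remoteAddr;
    }
    return $remoteAddr;                           // header contained nothing but our proxies
}

// Three constructed requests: a genuine CDN chain, a direct connection carrying a forged
// header, and a CDN chain where the client padded the header with a fake leftmost entry.
function demoForwardedFor(): array
{
    $cdn = ['198.51.100.10', '198.51.100.11'];   // constructed CDN node addresses
    return [
        'via_cdn' => clientIpFromForwardedFor('198.51.100.11', '203.0.113.5, 198.51.100.10', $cdn),
        'direct'  => clientIpFromForwardedFor('203.0.113.9', '10.0.0.1', $cdn),
        'padded'  => clientIpFromForwardedFor('198.51.100.11', '1.2.3.4, 203.0.113.5, 198.51.100.10', $cdn),
    ];
}
```

The trusted-proxy list has to be the CDN's published address ranges for the site (in production, CIDR matching rather than exact strings); without it the leftmost entry is just user input and the spbill_create_ip value sent to WeChat Pay is attacker-chosen.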

Fatal error: Call to undefined function mb_substr()

I downloaded and extracted the source code on my local Ubuntu system, installed PHP 7.2.19-0ubuntu0.18.04.2 (cli) (built: Aug 12 2019 19:34:28) ( NTS ), started a local server by running php -S 127.0.0.1:8001 in the shopxo code directory, and when I visit http://127.0.0.1:8001/public/index.php?s=/install/index/index in the browser I get Fatal error: Call to undefined function mb_substr(). How should I install it correctly?

Question about Index/user/index

I looked for a long time at the index method of the user controller under the index module; there are many hooks but I can't see what effect they have, which is confusing.

The code involving database transactions is a bit messy~~~

See application/service/OrderService.php:399
```php
Db::startTrans();

// Message notification
$detail = '订单支付成功,金额'.PriceBeautify($params['order']['total_price']).'元';
MessageService::MessageAdd($params['order']['user_id'], '订单支付', $detail, 1, $params['order']['id']);

// Update order status
$upd_data = array(
    'status'        => 2,
    'pay_status'    => 1,
    'pay_price'     => $pay_price,
    'payment_id'    => $params['payment']['id'],
    'pay_time'      => time(),
    'upd_time'      => time(),
);
if(Db::name('Order')->where(['id'=>$params['order']['id']])->update($upd_data))
{
    // Add status log
    if(self::OrderHistoryAdd($params['order']['id'], 2, $params['order']['status'], '支付', 0, '系统'))
    {
        // Deduct inventory
        $ret = BuyService::OrderInventoryDeduct(['order_id'=>$params['order']['id'], 'order_data'=>$upd_data]);
        if($ret['code'] != 0)
        {
            // Roll back the transaction
            Db::rollback();
            return DataReturn($ret['msg'], -10);
        }

        // Commit the transaction
        Db::commit();
        return DataReturn('支付成功', 0);
    }
}

// Roll back the transaction
Db::rollback();
```

1.9.3 bug

In the admin backend, clicking Site settings, Website search, Search and Extensions all throw errors.

financial analysis

Can this system do more with financial analysis, or serve as part of an invoicing system? I mainly want to add some financial analysis elements.

There is a file upload vulnerability that can getshell

The file upload vulnerability here lies in the blacklist method used when verifying the suffix of the uploaded file. This verification method is not strict and is often bypassed by attackers in various ways.
The PluginsUpload method in the application\service\PluginsAdminService.php file has a file creation operation in which the input of the file_put_contents function is controllable.
Line 1072 checks the file suffix; this is a blacklist check.
The value of the private static variable $exclude_ext is '.php', which can easily be bypassed.
There are many ways to bypass blacklist verification of suffixes. Taking my local Windows environment as an example, you can upload file names that do not conform to the Windows file naming rules:

shell.php::$DATA
shell.php::$DATA…….
shell.php.
shell.php(space)
shell.php:1.jpg

Windows will automatically remove the content after the symbols that do not conform to the rules. You can change the file suffix in a Linux environment and upload it to the website.
Auditing the PluginsUpload method in the PluginsAdminService.php file: when the zip archive does not match the resource directory, it breaks out of the loop that reads the archive files.
And the resource directory cannot be controller, because the directory corresponding to controller already exists and the archive is closed directly without entering the subsequent file-writing operation.
Finally, the method is called in the Upload method of the application\admin\controller\Pluginsadmin.php file.

The attacker can upload such an archive after logging into the admin backend, at Application Center -> Application Management -> Upload Application.
Visit public\static\upload\file_uploadfile_\shell.php

In application\service\ThemeService.php there is also the same blacklist verification problem for uploaded files.
The processing logic is very similar to the file above.
After logging in to the system, upload the zip archive at Site Management -> Theme Management -> Theme Installation.
Visit public\static\index\test.php after uploading.
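An allow-list replacement for the .php deny-list this report bypasses, written here as an added example rather than ShopXO code: every archive entry name is checked before extraction, and the Windows naming quirks listed above (trailing dot or space, alternate data streams) are rejected rather than normalised. The allowed extension list is an assumption for a theme or plugin upload; the ZipArchive class is PHP's standard zip extension.

```php
<?php
// Added example, not ShopXO code: allow-list check on archive entry names, applied to
// every entry of an uploaded theme/plugin zip before anything is extracted.
const ALLOWED_UPLOAD_EXTENSIONS = ['html', 'css', 'js', 'png', 'jpg', 'jpeg', 'gif', 'svg', 'json', 'txt'];

function isSafeArchiveEntry(string $entry): bool
{
    $entry = str_replace('\\', '/', $entry);
    if ($entry === '' || $entry[0] === '/' || strpos($entry, "\0") !== false) {
        return false;                               // absolute path or NUL byte
    }
    if (in_array('..', explode('/', $entry), true)) {
        return false;                               // traversal out of the extraction root
    }
    if (substr($entry, -1) === '/') {
        return true;                                // directory entry, nothing to execute
    }
    $file = basename($entry);
    // Windows quirks from the report: trailing dots/spaces are silently dropped on disk and
    // ":" names an alternate data stream (shell.php::$DATA), so the name that lands on disk
    // is not the name that was checked. Refuse such names instead of normalising them.
    if ($file !== rtrim($file, ". ") || strpos($file, ':') !== false) {
        return false;
    }
    $dot = strrpos($file, '.');
    if ($dot === false || $dot === 0) {
        return false;                               // no extension, or a dotfile (.htaccess)
    }
    // Allow-list on the final extension, lower-cased, so x.jpg.php and x.PHP both fail.
    // Pair this with an upload directory the web server never executes: the allow-list
    // limits what is stored, the server configuration limits what can run.
    return in_array(strtolower(substr($file, $dot + 1)), ALLOWED_UPLOAD_EXTENSIONS, true);
}

// Check every entry of a zip before extracting any of it; returns the offending names,
// so an archive with one bad entry is rejected as a whole rather than partially installed.
function unsafeArchiveEntries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['<cannot open archive>'];
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!isSafeArchiveEntry($name)) {
            $bad[] = $name;
        }
    }
    $zip->close();
    return $bad;
}
```

All five names listed in the report fail isSafeArchiveEntry, as does a plain shell.php, because the decision is "is this extension explicitly allowed" rather than "is this extension on the banned list".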

Undefined variable

application/service/PaymentService.php line 153: in the $payment ternary, should the value after the colon be an empty string? Currently it is $payment.

There are some vulnerabilities in the upload payment plugin that can get a webshell

When uploading payment plugins, attackers can bypass file verification and upload malicious PHP files by constructing the code of the PHP file in the zip archive. Even uploading a PHP file without constructing the code will trigger a file inclusion vulnerability, or files can be uploaded through a race (competitive upload).
In the Upload method in the application\service\PaymentService.php file, the file_put_contents function parameter is controllable.
But later the GetPaymentConfig method is called to do file verification; if the file verification does not pass, the file is deleted.
In the GetPaymentConfig method, the class_exists function checks whether the class is defined (the class uses its fully qualified name), and then it checks whether three methods are defined in the class.
According to this, the attacker only needs to define a class in the PHP file, define the namespace, and define the three methods mentioned above in order to pass the verification. The complete code is as follows:

```php
<?php
namespace payment;
class a{
    public function __construct($params = [])
    {
        phpinfo();
    }
    public function Config()
    {
    }
    public function Pay()
    {
    }
    public function Respond()
    {
    }
}
$b=new a();
?>
```

Finally, the method is called in application\admin\controller\Payment.php.

After logging in to the backend, upload the zip package containing a.php at Site Management -> Payment Method -> Upload.
Visit extend/payment/a.php

Without constructing code:
The first is file inclusion. The class_exists function calls the autoload function by default. The definition of the autoload function is found in /thinkphp/library/think/Loader.php.
findFile is the function ThinkPHP uses to find files. It mainly loads through psr-4 and classmap. The fully qualified name of the class we passed in is returned by the findFile function and finally spliced into the complete file path.
Finally, the autoload function calls the __include_file function, and this function directly performs the file include operation.
At this point, we have not yet reached the following file deletion operation, but the file has already been included and the code executed.

Upload the zip archive containing the PHP file at the same location; the code content is:
```php
<?php $f = '1.php'; $shell = '<?php phpinfo(); ?>'; file_put_contents($f,$shell); ?>
```
Although an upload-failed message is returned after uploading, the code has already been included and executed.
The file 1.php is created under the root directory of the shopxo installation; visit 1.php.

There are also problems with uploading files and then deleting them. If there is no file inclusion here, another way to upload files is a competitive (race) upload: because there is a time difference between file verification and file deletion, you can keep uploading while keeping accessing.
I use Burp Suite's Intruder module to keep sending requests and a Python script to keep accessing.
The Python script is as follows:

```python
import requests
url = 'http://url/extend/payment/2.php'
while True:
    s = requests.get(url)
    if 'phpinfo' in s.text:
        print(s.text)
        exit()
```

Upload the php file in the compressed package as follows:

```php
<?php
phpinfo();
$f = '1.php';
$shell = '<?php phpinfo(); ?>';
file_put_contents($f,$shell);
?>
```

The generated PHP file is in the extend\payment directory.
Visit extend\payment\1.php
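A way to validate an uploaded payment plugin without loading it, added here as an example rather than ShopXO code: the source is tokenised, so the namespace, class name and the three required methods can be checked with no include and therefore no execution, and the check can run on the raw upload bytes before anything is written under extend/payment, which also removes the verify-then-delete race window. The contract (namespace payment, class named after the file, Config/Pay/Respond) is taken from the report; the two demo sources are constructed, and the second one has the shape of the report's a.php and comes back with errors.

```php
<?php
// Added example, not ShopXO code: validate an uploaded payment plugin by tokenising it
// instead of loading it. Contract assumed from the report: namespace "payment", a class
// named after the file, methods Config/Pay/Respond, and no statements outside the class.
function validatePaymentPluginSource(string $source, string $expectedClass): array
{
    $tokens = token_get_all($source);
    $n = count($tokens);
    $namespace = null; $class = null; $methods = []; $errors = []; $depth = 0; $prev = null;
    $after = function (int $i) use ($tokens, $n) {         // next non-whitespace token
        for ($j = $i + 1; $j < $n; $j++) {
            if (!is_array($tokens[$j]) || $tokens[$j][0] !== T_WHITESPACE) return $tokens[$j];
        }
        return null;
    };
    $statements = [T_VARIABLE, T_NEW, T_ECHO, T_PRINT, T_EVAL, T_INCLUDE, T_INCLUDE_ONCE,
                   T_REQUIRE, T_REQUIRE_ONCE, T_INLINE_HTML];
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (is_array($t) && $t[0] === T_WHITESPACE) continue;
        if ($t === '{' || (is_array($t) && in_array($t[0], [T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES], true))) { $depth++; }
        elseif ($t === '}') { $depth--; }
        elseif ($depth === 0 && $t === '(' && !(is_array($prev) && $prev[0] === T_DECLARE)) {
            $errors[] = 'call outside the class body';      // e.g. phpinfo(); or new a();
        } elseif (is_array($t)) {
            $nx = $after($i); $name = is_array($nx) ? $nx[1] : null;
            if ($t[0] === T_NAMESPACE) { $namespace = $name; }
            elseif ($t[0] === T_CLASS && $depth === 0 && $class === null) { $class = $name; }
            elseif ($t[0] === T_FUNCTION && $depth === 1) { $methods[] = $name; }   // class methods only
            elseif ($depth === 0 && in_array($t[0], $statements, true)) {
                $errors[] = "statement outside the class body on line {$t[2]}";
            }
        }
        $prev = $t;
    }
    if ($namespace !== 'payment') { $errors[] = 'namespace must be "payment"'; }
    if ($class !== $expectedClass) { $errors[] = "class must be named \"$expectedClass\""; }
    foreach (['Config', 'Pay', 'Respond'] as $m) {
        if (!in_array($m, $methods, true)) { $errors[] = "missing method $m"; }
    }
    return array_values(array_unique($errors));            // empty means the file passed
}
// Constructed demo sources: a well-formed plugin, and the shape shown in the report above.
function demoPluginCheck(): array
{
    $good = "<?php\nnamespace payment;\nclass Demo {\n public function Config() {}\n public function Pay() {}\n public function Respond() {}\n}\n";
    $bad  = "<?php\nnamespace payment;\nclass a {\n public function __construct() {}\n public function Config() {}\n public function Pay() {}\n public function Respond() {}\n}\n\$b = new a();\n";
    return ['good' => validatePaymentPluginSource($good, 'Demo'), 'bad' => validatePaymentPluginSource($bad, 'a')];
}
```

What this guarantees is that nothing runs during validation; what the plugin does once an administrator later instantiates it is still a trust decision about the uploaded code, so the check belongs in front of the write, not in place of admin review.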

Deploying on Plesk blew up

First, a thumbs-up: this is a very good project, clean and clear, miles ahead of other open-source projects.

Has anyone tried deploying on Plesk? After deploying according to the tutorial it blew up immediately; even Plesk would not open ("Err_Connection_Refused"), SSH could not reach the machine either, and after a reboot it kept crashing and could not be connected to...
Later I tried again on one or two new machines; the currently stable setup is as follows:

OS: ubuntu 18, cpu x 1, ram x 2gb
plesk: Plesk Obsidian 18.0.20
php: 7.3.11, FPM application served by nginx
DB: Mariadb 10
ssl: lets encrypt

The problem seems to come from setting the runtime folder to 777; something probably went wrong with the cache, and somehow it took Plesk down directly. All sites on Plesk stopped responding with "Err_Connection_Refused", but I could still reach the panel on port 8443, which showed the apache and nginx services both running normally, CPU peaking at only 47% and RAM at most 490 MB... After fiddling around, port 8443 died too and SSH could not connect... Luckily it was a dev machine...
Later I deleted and reinstalled Plesk and deployed shopxo 1.7 again without changing the runtime permissions, keeping the original 755; so far the site backend (admin.php) has only crashed a few times (499, 503, 504) and it has not affected Plesk or the other sites.

Since the previous machine was completely wrecked I cannot provide more information; for now it is stable without setting runtime to 777, and if it crashes again I will provide more details.

Log in as any user without any precondition, affecting all versions

APPLICATION and $params['user_id'] can be controlled by the user; there is a variable-override problem.
Using the avatar-change interface:
1. Add the parameter application=app together with the parameter user_id, so that $params['user_id'] becomes the user-specified id.
2. Enter the UserLoginRecord method; nothing seems wrong here.
3. Enter the UserAvatarUpload method; after the image upload completes it calls UserLoginRecord again.
4. Enter UserLoginRecord again. Because this call does not specify $is_app, it defaults to false.
The end result is that the user stored in the current session becomes whatever user id the user specified, and this id is a simple, guessable number.
5. Final result

unrestricted file upload vulnerability

You previously fixed one vulnerability in the theme file upload.

But now there is a similar vulnerability in /app/admin/appmini.php, because you didn't use the above method.

http://localhost:3000/admin.php?s=appmini/index/nav_type/weixin/view_type/upload.html
Then my file will be uploaded to sourcecode/weixin/

And I can bypass the !IS_AJAX check, and even upload my files to any writable directory using ../.
admin.php?s=appmini/themeupload&ajax=ajax

Trying to get in touch regarding a security issue

Hey there!

I'd like to report a security issue but cannot find contact instructions on your repository.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)
