wukongopensource / wukongcrm-9.0-php Goto Github PK

Declaration of app\admin\model\File::createData($files, $param, $x = '150', $y = '150') should be compatible with app\admin\model\Common::createData($param)

admin/model/common.php
public function delDataById($id = '', $delSon = false)

application\admin\model\Group.php 里。
//删除角色 public function delDataById($group_id) { $dataInfo = $this->get($group_id); if(!$dataInfo){ $this->error = '该角色不存在或已删除';

https://github.com/72crm/72crm/blob/58d446279867ab3f5f171fc2173bbd5fa438cfbb/application/admin/model/Scene.php#L133

public function getDataById($id = '', $user_id, $types = '')
public function getDataById($id = '', $user_id=‘’, $types = '')

https://github.com/72crm/72crm/blob/75fb1cdec76acb9e086e704645c380489e6b93c6/ux/src/views/OAManagement/schedule/index.vue#L96
解决方法：_i 改为_d

Brief of this vulnerability

72crm v9 has sql injection vulnerability in View the task calendar

Test Environment

• Windows10
• PHP 5.6.9+Apache/2.4.39

Affect version

72crm v9

Vulnerable Code

application\work\controller\Task.php line 506

The $param parameter is passed to getDateList

The start_time parameter and stop_time parameter are directly spliced ​​into $whereDate, and then executed on line 493. resulting in sql injection vulnerability

Vulnerability display

First enter the background

Click as shown,go to the View the task calendar and capture the packet

payload: start_time=1&stop_time=1))+or+sleep(2)--+

Sleep successfully for 2 seconds

If debug mode is enabled

payload：start_time=1&stop_time=1))+or+updatexml(1,concat(0x7e,database(),0x7e,version()),1)--+

Successfully obtained the database name and version number

良心之作，感谢悟空为开源软件做出的贡献！

请问这种情况大概是什么原因呢？

这开源协议真恶心
世界上没有人写这么恶心的开源协议

config.php 中的app_debug设置为true.但是页面依然是TP5的错误页面,没有错误原因

系统配置设置公司名和logo，保存时提示成功，返回工作台界面后信息都未改变。数据库已插入正确的数据。

Hey this is Philipp from Germany, I just installed this application on my local server. But i can't find the language selection. My chinese skills are like zero, but i like this software and I want to use it :)

我看项目文件中 install目录在admin/view目录下 路径对应不上

https://github.com/72crm/72crm/blob/58d446279867ab3f5f171fc2173bbd5fa438cfbb/application/admin/model/Group.php#L106

PHP7.2.10 下delDataById方法重写，由于参数不同报错（php5.6没问题）
源代码位置：/application/admin/model/Group.php#L106
源代码：public function delDataById($group_id)
建议修改为：public function delDataById($group_id= '', $delSon = false)

RT

在index.html里面http://api.map.baidu.com/api?v=3.0&ak=DgizbHpImTxRZKlLNDbmiEEK42uuMAtN修改成//api.map.baidu.com/api?v=3.0&ak=DgizbHpImTxRZKlLNDbmiEEK42uuMAtN

https://github.com/72crm/72crm/blob/58d446279867ab3f5f171fc2173bbd5fa438cfbb/application/oa/controller/Message.php#L67

大哥啊，第二次了。这边应该是数组 $taskWhere = [];不是字符。。。。

https://github.com/72crm/72crm/blob/58d446279867ab3f5f171fc2173bbd5fa438cfbb/application/admin/model/File.php#L32
参数未指定默认值，PHP7下报错（php毕竟不会停留在5.6）
源代码：public function createData($files, $param, $x = '150', $y = '150')
建議修改為：public function createData($files='', $param=[], $x = '150', $y = '150')

为什么总是出现登录了没多久，就被迫退出的情况？

https://github.com/72crm/72crm/blob/58d446279867ab3f5f171fc2173bbd5fa438cfbb/application/crm/model/ConfigData.php#L52
还是php7下，参数
源：public function getData()
建议：public function getData($name = NULL)

Hey there!

I'd like to report a security issue but cannot find contact instructions on your repository.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

本人习惯使用宝塔面板搭建的环境，但是以前源码放到空间，就可以用了。现在还有什么前端后端的，搞不懂了，求官方出教程，谢谢。

类型错误: Argument 3 passed to app\admin\model\Excel::exportCsv() must be an instance of app\admin\model\callback, instance of Closure given, called in /www/wwwroot/crm.95ym.cn/application/crm/controller/Customer.php on line 581

导出报错

https://github.com/72crm/72crm/blob/50b65f7bac1712d7e22a0c2461ed5de87a37a461/application/admin/model/User.php#L125

index.php/admin/install/index.html
` // miss 路由：处理没有匹配到的路由规则
public function miss()
{

    if (Request::instance()->isOptions()) {
        return ;
    } else {
        echo '悟空软件';
    }
}`

Brief of this vulnerability

72crm v9 has Arbitrary file upload vulnerability Where to upload the logo

Test Environment

• Windows10
• PHP 5.6.9+Apache/2.4.39

Affect version

72crm v9

Vulnerable Code

application\admin\controller\System.php line 51

After follow-up, it was found that the validate was not set, and the move operation was performed directly, resulting in the ability to upload any file

follow-up move function（set filename）
line 352:

follow up function
Generate time-based file names with php as a suffix

then move_uploaded_file with this filename （thinkphp\library\think\File.php line 369）

Vulnerability display

First enter the background
Click as shown,go to the Enterprise management background

click this

Just upload a picture and capture the package, modify the content as follows

Back to enterprise management background

access image address

php code executed successfully
Notice：Because it is uploaded at the logo, unauthorized users can also access this php code

Is it available in English?

没仔细看

请求模块：/admin/users/index
请求主体：page=1&limit=15&search=&structure_id=2&status=all
具体代码：
$groups = '';
$groupids = '';
foreach ($groupsArr as $key=>$val) {
$groups[] = $val['title'];
$groupids[] = $val['id'];
}
错误说明：$groups = '';$groupids = '';定义为字符类型，后面以数组操作导致报错。。。

Brief of this vulnerability

72crm v9 has Arbitrary file upload vulnerability Where to upload the avatar

Test Environment

• Windows10
• PHP 5.6.9+Apache/2.4.39

Affect version

72crm v9

Vulnerable Code

application\admin\controller\Users.php line 259

After follow-up, it was found that the validate was not set, and the move operation was performed directly, resulting in the ability to upload any file

follow-up move function（set filename）
line 352:

follow up function
Generate time-based file names with php as a suffix

then move_uploaded_file with this filename （thinkphp\library\think\File.php line 369）

Vulnerability display

First enter the background
Click as shown,go to the Enterprise management background

Click to change avatar

Capture the packet and modify the content as follows

Although it is judged as an illegal file, the file has been uploaded successfully, and the file path will be exposed when the debug mode is turned on


getshell

note：
Even if debug is not turned on, the file name can be blasted out through the file name naming rules

安装完成，其他没问题，就是修改网站LOGO后，网站LOGO一直就是×，再次修改还是×，请求解决。

宝塔面板Nginx的装上用不了，用宝塔系统自带的伪静态转换规则转换了之后用不了，不知道是伪静态的问题还是，不支持宝塔的环境呢，希望出一个宝塔Nginx的安装教程