wukongopensource / wukongcrm-9.0-php
悟空CRM (WukongCRM): a CRM system with a decoupled front end and back end, built on TP5.0 + Vue + ElementUI
Home Page: http://www.5kcrm.com
License: Other
Hey, this is Philipp from Germany. I just installed this application on my local server, but I can't find the language selection. My Chinese skills are basically zero, but I like this software and I want to use it :)
I'm used to setting up my environment with the Baota (宝塔) panel; in the past I could just drop the source code into the web space and it would work. Now there is this front end / back end split and I can't figure it out. Please release an official tutorial, thanks.
Installation completed and everything else is fine, but after changing the site logo, the logo just shows as ×; changing it again still shows ×. Please fix this.
https://github.com/72crm/72crm/blob/58d446279867ab3f5f171fc2173bbd5fa438cfbb/application/crm/model/ConfigData.php#L52
Again under PHP 7, a parameter problem:
Source: public function getData()
Suggested: public function getData($name = NULL)
This open-source license is really disgusting.
Nobody in the world writes an open-source license this disgusting.
public function getDataById($id = '', $user_id, $types = '')
public function getDataById($id = '', $user_id = '', $types = '')
Didn't read it carefully.
Why does it keep happening that I get forcibly logged out shortly after logging in?
Declaration of app\admin\model\File::createData($files, $param, $x = '150', $y = '150') should be compatible with app\admin\model\Common::createData($param)
admin/model/common.php
public function delDataById($id = '', $delSon = false)
In application\admin\model\Group.php:
// Delete role
public function delDataById($group_id)
{
    $dataInfo = $this->get($group_id);
    if (!$dataInfo) {
        $this->error = '该角色不存在或已删除';
        // ... remainder of the method not included in the report
    }
}
https://github.com/72crm/72crm/blob/58d446279867ab3f5f171fc2173bbd5fa438cfbb/application/admin/model/File.php#L32
Parameters have no default values specified, which throws an error under PHP 7 (PHP won't stay on 5.6 forever, after all).
Source: public function createData($files, $param, $x = '150', $y = '150')
Suggested change: public function createData($files='', $param=[], $x = '150', $y = '150')
72crm v9 has an arbitrary file upload vulnerability where the logo is uploaded
72crm v9
application\admin\controller\System.php line 51
After tracing the code, it was found that validate was not set and the move operation was performed directly, which makes it possible to upload any file
Tracing into the move function (which sets the filename)
line 352:
Tracing into that function
It generates a time-based file name with php as the suffix
and then calls move_uploaded_file with this filename (thinkphp\library\think\File.php line 369)
First enter the back end
Click as shown, and go to the Enterprise management back end
Click this
Just upload a picture, capture the packet and modify the content as follows
Back to the Enterprise management back end
Access the image address
The php code executed successfully
Notice: because it is uploaded as the logo, unauthorized users can also access this php code
72crm v9 has an arbitrary file upload vulnerability where the avatar is uploaded
72crm v9
application\admin\controller\Users.php line 259
After tracing the code, it was found that validate was not set and the move operation was performed directly, which makes it possible to upload any file
Tracing into the move function (which sets the filename)
line 352:
Tracing into that function
It generates a time-based file name with php as the suffix
and then calls move_uploaded_file with this filename (thinkphp\library\think\File.php line 369)
First enter the back end
Click as shown, and go to the Enterprise management back end
Click to change the avatar
Capture the packet and modify the content as follows
Although it is judged to be an illegal file, the file has already been uploaded successfully, and the file path is exposed when debug mode is turned on
getshell
Note:
Even if debug is not turned on, the file name can be brute-forced from the file naming rules
Setting the company name and logo in System Settings reports success on save, but after returning to the workbench the information is unchanged. The correct data has been inserted into the database.
类型错误: Argument 3 passed to app\admin\model\Excel::exportCsv() must be an instance of app\admin\model\callback, instance of Closure given, called in /www/wwwroot/crm.95ym.cn/application/crm/controller/Customer.php on line 581
Export throws an error
index.php/admin/install/index.html
```php
// miss route: handles requests that match no routing rule
public function miss()
{
    if (Request::instance()->isOptions()) {
        return;
    } else {
        echo '悟空软件';
    }
}
```
Hey there!
I'd like to report a security issue but cannot find contact instructions on your repository.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
Request module: /admin/users/index
Request body: page=1&limit=15&search=&structure_id=2&status=all
Specific code:
$groups = '';
$groupids = '';
foreach ($groupsArr as $key => $val) {
    $groups[] = $val['title'];
    $groupids[] = $val['id'];
}
Error description: $groups = ''; $groupids = ''; are defined as strings and then operated on as arrays, which causes an error...
A work of conscience; thanks to Wukong for its contribution to open-source software!
Installed under the Baota (宝塔) panel with Nginx and it doesn't work; after converting with Baota's built-in rewrite (pseudo-static) rule converter it still doesn't work. I don't know whether the problem is the rewrite rules or whether the Baota environment isn't supported. Hoping for a Baota Nginx installation tutorial.
Bro, this is the second time. This should be an array, $taskWhere = [];, not a string....
Is it available in English?
Under PHP 7.2.10 the overridden delDataById method throws an error because its parameters differ (no problem on PHP 5.6)
Source location: /application/admin/model/Group.php#L106
Source: public function delDataById($group_id)
Suggested change: public function delDataById($group_id= '', $delSon = false)
As titled.
72crm v9 has a SQL injection vulnerability in View the task calendar
72crm v9
application\work\controller\Task.php line 506
The $param parameter is passed to getDateList
The start_time and stop_time parameters are spliced directly into $whereDate, which is then executed on line 493, resulting in a SQL injection vulnerability
First enter the back end
Click as shown, go to View the task calendar and capture the packet
payload: start_time=1&stop_time=1))+or+sleep(2)--+
It sleeps successfully for 2 seconds
If debug mode is enabled
payload:start_time=1&stop_time=1))+or+updatexml(1,concat(0x7e,database(),0x7e,version()),1)--+
The database name and version number were obtained successfully