langhsu / mblog
An open-source, free Java blog system built on spring-boot, spring-data-jpa, shiro, freemarker, bootstrap and other frameworks; supports Docker
Home Page: http://mtons.com
License: GNU General Public License v3.0
I looked at the site-wide XSS filtering rules; the code is in com.mtons.mblog.web.formatter.StringEscapeEditor, lines 41-87:
public void setAsText(String text) throws IllegalArgumentException {
    if (text == null) {
        setValue(null);
    } else {
        String value = text;
        // Avoid anything between script tags
        Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");
        // Avoid anything in a src='...' type of expression
        // scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        // value = scriptPattern.matcher(value).replaceAll("");
        //
        // scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        // value = scriptPattern.matcher(value).replaceAll("");
        // Remove any lonesome </script> tag
        scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");
        // Remove any lonesome <script ...> tag
        scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");
        // Avoid eval(...) expressions
        scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");
        // Avoid expression(...) expressions
        scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");
        // Avoid javascript:... expressions
        scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");
        // Avoid vbscript:... expressions
        scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");
        // Avoid onload= expressions
        scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");
        setValue(value);
    }
}
1. The filter rules cover far too few tags and events, e.g.: <img src="x" onerror="alert('xss01')">
2. Replacement done this way can be bypassed, e.g.: javascripjavascript:t:alert('xss02');
Click this: xss02
In the article search:
http://1.cc:8080/search?kw=okok11111<img src="x" onerror="alert('xss')">
In the nickname edit field the frontend limits the input length;
manually change maxlength=100.
Fix suggestions:
1. Escape HTML tags into HTML entities instead of filtering them.
2. For markdown URLs, validate that the URL starts with http.
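The following is an added example (my own code, not mblog's) that makes the reporter's two points concrete. It re-runs the relevant deletion rules from the StringEscapeEditor excerpt above against the issue's own two payloads and then shows the entity-escaping approach the reporter recommends in fix suggestion 1. The class name XssFilterCheck and the methods blacklistFilter and escapeHtml are hypothetical; in a Spring application the same escaping is available as org.springframework.web.util.HtmlUtils.htmlEscape.

```java
import java.util.regex.Pattern;

// Added example, not mblog's own code. Class and method names are hypothetical.
public class XssFilterCheck {

    // The single-pass deletion rules from the StringEscapeEditor excerpt that are
    // relevant to the issue's payloads (script tags, javascript:, onload=).
    static String blacklistFilter(String value) {
        value = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE)
                .matcher(value).replaceAll("");
        value = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE)
                .matcher(value).replaceAll("");
        value = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL)
                .matcher(value).replaceAll("");
        // A single replaceAll pass: deleting "javascript:" from the middle of
        // "javascripjavascript:t:" leaves the outer "javascript:" behind.
        value = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE)
                .matcher(value).replaceAll("");
        // Only onload is covered; onerror, onclick, onmouseover etc. pass through.
        value = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.DOTALL)
                .matcher(value).replaceAll("");
        return value;
    }

    // Entity escaping: every character that can open a tag or terminate an
    // attribute value is replaced by its entity, so the browser renders the
    // text literally instead of parsing it as markup. Nothing is deleted, so
    // there is no second copy of a keyword left to "reassemble".
    static String escapeHtml(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the two payloads quoted in the issue above.
        String[] samples = {
            "<img src=\"x\" onerror=\"alert('xss01')\">",
            "javascripjavascript:t:alert('xss02');",
        };
        for (String s : samples) {
            System.out.println("input     : " + s);
            System.out.println("blacklist : " + blacklistFilter(s));
            System.out.println("escaped   : " + escapeHtml(s));
            System.out.println();
        }
    }
}
```

Compile and run with `javac XssFilterCheck.java && java XssFilterCheck`. The first sample comes out of blacklistFilter unchanged because no rule matches onerror; the second comes out as a working javascript: URL because the single deletion pass only removes the inner copy of the keyword. escapeHtml neutralises both without needing to enumerate tags or event names, which is why output encoding at the rendering point, rather than input blacklisting, is the standard fix.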
I don't want lots of people registering, but I do want friends to come in and publish content; once the registration endpoint is disabled there is no way to add new users.
Server configured with https://<domain>/oauth/callback/call_weibo
The address configured is my own local test http://localhost:9000/oauth/callback/call_weibo
Both fail:
The QQ login icon does not appear on the login page either:
Using markdown to write math formulas, but the result is poor. I followed the Jianshu article https://www.jianshu.com/p/6566f7eab7d5 and still could not solve the problem. Could an expert help?
That way one could extend some features oneself; without a clear project structure there is no way to get started.
User A was assigned article management but not the edit-article role, yet user A can still edit articles.
Vulnerability description
Test version: 3.5.0
Latest version: 3.5.0
Vulnerability profile:
The security component Shiro 1.4.0 is used in mblog, which leads to a privilege bypass. The attacker can bypass the privilege check to upload files and finally execute commands.
The exploitation process is as follows:
Code analysis
Step 1:
Upload file code:
http://192.168.83.3/admin/theme/upload
In mblog version 4.0, Shiro version 1.4.0 is used. It has privilege bypass and padding oracle vulnerabilities; only the privilege bypass vulnerability is needed here.
Template management controller:
src/main/java/com/mtons/mblog/web/controller/admin/ThemeController.java
There are two RequestMappings: upload template and enable template.
In the upload method, the zip file uploaded by the user is received, the suffix is checked, and the multipart file is passed into the BlogUtils.uploadTheme() method.
In the BlogUtils.uploadTheme() method, the site.location property (user.dir) is read. mblog is a Spring Boot application that runs as a single jar. The following code obtains the current location, creates the /storage/templates directory under it, stores the user's uploaded zip file in this directory, and then creates a folder with the same name as the archive to hold the files extracted from it.
Step 2:
Enable the template code:
http://192.168.83.3/admin/theme/active/?theme=evil
The corresponding controller file is:
src/main/java/com/mtons/mblog/web/controller/admin/ThemeController.java
The update method encapsulates the request parameters in a map and passes them into the optionsService.update() method.
Afterwards it calls the contextStartup.reloadOptions(false) method.
The implementation class of the optionsService.update() method is:
src/main/java/com/mtons/mblog/modules/service/impl/OptionsServiceImpl.java
According to the key in the request parameter, the optionsRepository.findByKey() method is called. The optionsRepository object is a Spring Data JPA query object; it has only an interface and no concrete implementation, and can be regarded directly as DAO-layer code.
Request parameter ?theme=evil:
key corresponds to theme and value corresponds to evil.
From the data table, the row is queried by the key theme and the value is assigned.
Then optionsRepository.save() is executed to update it.
In the contextStartup.reloadOptions(false) method:
List options = optionsService.findAll(); finds all keys and values in the database and encapsulates them into map objects, including the theme = evil passed just now.
After fetching the theme attribute from the database, the system attribute is modified. At this point the preparation is complete. You only need to request the index page again to make the server load the malicious template index.ftl to trigger command execution.
Vulnerability submission information
author:说书人
mail:[email protected]
Do the database tables need to be created by hand?
After hiding a category, articles in that category can still be seen under Latest Posts.
After packaging as a war: http://127.0.0.1:8080/blog
Behind an nginx reverse proxy, CSS loading and generated links all return 404:
location / {
    proxy_pass http://127.0.0.1:8080/blog/;
    proxy_set_header Host $host;
    proxy_set_header Remote_Addr $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Could someone advise why the database is cleared on every deployment?
This is the application-mysql.yml configuration:
spring:
  datasource:
    #schema: classpath*:scripts/schema.sql
    #continue-on-error: false
    #sql-script-encoding: utf-8
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://172.30.112.148:3306/db_mblog?serverTimezone=GMT&useSSL=false
    username: root
    password: 123456
  flyway:
    enabled: true
  jpa:
    database: mysql
    show-sql: false
    hibernate:
      ddl-auto: create   # [also tried update here, same error]
    database-platform: org.hibernate.dialect.MySQL5InnoDBDialect   # the dialect was added here
    properties:
      hibernate:
        dialect : org.hibernate.dialect.MySQL5Dialect
        format_sql: true
        naming.physical-strategy: org.hibernate.scripts.model.naming.PhysicalNamingStrategyStandardImpl
        cache.use_second_level_cache: false
        default.directory_provider: filesystem
        search.default.indexBase: ${site.location}/storage/indexes
The current error is that the MySQL tables cannot be created, but I don't know the exact cause.
Any advice appreciated, thanks~~~
After configuring Qiniu Cloud in the system settings, uploaded images go to Qiniu Cloud.
The correct access path is: http://qcfqz7dmz.bkt.clouddn.com/blog/9ce122ea2384ed8dc04abb44900a54f4.PNG
The actual access path is: http://139.196.163.59:8090/post/qcfqz7dmz.bkt.clouddn.com/blog/9ce122ea2384ed8dc04abb44900a54f4.PNG
It has our own project's IP and port prepended. Is this because I configured something wrong?
Also, `*` bullet lists are poorly supported: they show in the preview but not when the article is opened.
And could a TOC (table of contents) be supported?
Bug report: 1. After a blog post is modified, the old tags still remain.
2. The publish time of the modified post does not change.
could not execute statement; nested exception is org.hibernate.exception.GenericJDBCException: could not execute statement
After starting with docker it cannot be accessed; local testing shows no response at all.
How do I view the logs?
related to post views there's fake increment to any articles
The article was deleted, but the comments were not automatically deleted.
In the blog section, why doesn't the homepage carousel show, and how should it be configured?
There is a CSRF vulnerability in the back-end article management. The attacker constructs a CSRF payload.
Once the administrator clicks a malicious link, the article will be deleted.
[Vulnerability Type]
Cross-site request forgery (csrf)
[Vendor of Product]
https://github.com/langhsu/mblog
[Affected Component]
GET /admin/post/delete?id=6 HTTP/1.1
Host: 127.0.0.1:8082
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8082/admin/post/list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_acc69acbc4e6d4c69ecf77725d072490=1628653260; Hm_lvt_cd8218cd51f800ed2b73e5751cb3f4f9=1629356854,1629356969; Hm_lvt_1040d081eea13b44d84a4af639640d51=1629787797; UM_distinctid=17b76ec38b042b-043bd40aca20f-3373266-e1000-17b76ec38b13f6; CNZZDATA1255091723=1621369374-1629783007-http%253A%252F%252F127.0.0.1%253A8080%252F%7C1629783007; JSESSIONID=BcGdm-4poQD-nImmtzQx_gevDCZGrfxbmnirm5hb
Connection: close
[Attack Type]
Remote
[Impact Code execution]
true
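The request above shows what makes the deletion forgeable: it is a GET whose only authentication is the session cookie, which the browser attaches to a cross-site request automatically. As an added example (my own code, not mblog's), here is a synchronizer-token check of the kind that closes this: the token is bound to the session, never travels in a cookie, and state-changing actions are only accepted over POST. The class CsrfGuard and its methods issueToken and allowStateChange are hypothetical names.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example, not mblog's own code. Names are hypothetical.
public class CsrfGuard {
    private static final SecureRandom RNG = new SecureRandom();

    // sessionId -> csrf token. In a servlet application this would live in the
    // HttpSession; a plain map keeps the example self-contained.
    private final Map<String, String> tokensBySession = new HashMap<>();

    // Issue a fresh 256-bit random token for a session; the server embeds it in
    // its own pages (hidden form field or header value), never in a cookie.
    String issueToken(String sessionId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokensBySession.put(sessionId, token);
        return token;
    }

    // Decide whether a state-changing action (e.g. deleting a post) may proceed.
    // Returns true only for a POST carrying the token bound to this session.
    boolean allowStateChange(String method, String sessionId, String submittedToken) {
        // A bare GET like /admin/post/delete?id=6 is rejected regardless of cookie.
        if (!"POST".equals(method)) {
            return false;
        }
        String expected = tokensBySession.get(sessionId);
        if (expected == null || submittedToken == null) {
            return false;
        }
        // Constant-time comparison so the check itself leaks nothing about the token.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        CsrfGuard guard = new CsrfGuard();
        // Constructed session identifier standing in for a real JSESSIONID value.
        String session = "constructed-session-id";
        String token = guard.issueToken(session);

        System.out.println("GET with cookie only      : " + guard.allowStateChange("GET", session, null));
        System.out.println("POST with guessed token   : " + guard.allowStateChange("POST", session, "attacker-guess"));
        System.out.println("POST with session's token : " + guard.allowStateChange("POST", session, token));
    }
}
```

Compile and run with `javac CsrfGuard.java && java CsrfGuard`. Only the third case is allowed: a cross-site page can make the victim's browser send the cookie, but it cannot read the token out of an admin page on another origin, so it cannot supply it. Marking the session cookie SameSite=Lax or Strict is a useful second layer, but the token check is what makes the defence independent of browser behaviour.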
POC:
An XSS vulnerability was discovered in mblog.
In mblog 3.5, stored XSS exists via the /post/editing
value parameter, which allows remote attackers to inject arbitrary web script or HTML.
poc
xss payload:
<img src=x onerror=alert(1)>
Another stored XSS exists via the /settings/profile
value parameter, which allows remote attackers to inject arbitrary web script or HTML.
poc
xss payload:
<img src=x onerror=alert(1)>
After inserting code in the editor, the input focus cannot be regained to continue typing text.
For example, a newly created user A is given permission to enter the back end; A can then click categories or articles in the dashboard and delete or modify them.