mizhexiaoxiao / websiteguide Goto Github PK

View Code? Open in Web Editor NEW

169.0 4.0 69.0 24.29 MB

😃企业内部网址导航系统，基于Python+Django+Vue开发，具有网址导航、网址管理、用户管理等功能

License: MIT License

Python 70.07% Shell 0.61% JavaScript 27.61% HTML 0.31% Dockerfile 1.40%

python3 vue django django-rest-framework docker website websiteguide ops ops-tools ops-admin

websiteguide's Introduction

Hi there 👋

😶 I'm a Devops Engineer

Abilities

Content Me 📱

email: [email protected]

😆 Views

websiteguide's People

Contributors

Stargazers

Watchers

Forkers

cheekboy szyvvv pptfz kevindwei vsolo yutougegeyangzhuchang lookthisline iscarson jokerchat loneyao jackerboy luffy7272 kira5271 idle-man gooooodman chriszhang789 linyup jianqiang2012 zhanglianng gcc-coder glf1990 yasaxii maxwelledisons hujianli94 linkwss yy1117 gdzy1987 jiang-123 feiyu563 bailonghai charles-liming joexiayong vmfuyun chenxqscut ccall248 alcat01 elmeast reggiepy luckytom130 pinkuburu uahoo oulika liukaips rainmanzheng muzihuaner xaiocaibi xulianggg rickcao-2017 xiaobingchan cigarliu coding-alt guocang lbbit solmyr118 platanus2000 clrsdream chaojigang001 st2ne lvpeixin kimlv eric-1208 fancyfxy1012 godnes cjsdcqs kobe-curry wxlbj zv246

websiteguide's Issues

安装时候提示

npm WARN deprecated [email protected]: this library is no longer supported

unable to access 'https://github.com/mizhexiaoxiao/WebsiteGuide.git/

git clone 访问GitHub时，解析到的IP地址为192.30.255.113，这个地址时访问不通的。请教下如何处理，非常喜欢这个导航，希望有时间给看看，多谢多谢。

能否新增自定义排序功能。图标库。标签大小调整

自定义排序不然创建了就不能该顺序不好对齐或者调整顺序
图标库是个很好的东西可以集中管理重复使用
每个标签太大了如果类目过多一个屏幕就放不下几个了

静态文件位置没设置好，dist压根就没有~~~

TEMPLATES = [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
# 'DIRS': [os.path.join(BASE_DIR, 'templates')]
'DIRS': [os.path.join(BASE_DIR, 'websitefronted/dist')] #《《《《《《《《this

[Warning] RCE in WebsiteGuide v0.2

Vulnerability Product:WebsiteGuide v0.2
Vulnerability version: 0.2
Vulnerability type: Remote Command Execute
Vulnerability Details:
Vulnerability location: Image Upload

the variable "save_path" in /websiteapp/views.py -> IconViewSet.post method, does not check the name of file user upload ,
causes "../../" such path is available
and does not check binary of the image
causes user could upload image, pycode, html and stuff

Insecure image upload could cover the original code , causes Remote Command Execute

payload : https://github.com/Leeyangee/leeya_bug/blob/main/..1..1views.py
the payload is original code at /websiteapp/views.py but add a simple function os.system() to verify rce
(this is just a simple payload , It downloading index.html from http://www.bing.com , in order to verifying the vulnerability)

Firstly , Add a website in "分组管理"

After built , visit http://localhost:8000/admin/website
click navigator "网址管理", and click "替换图标"

and click "上传图标" choose the payload (or the image you wanna upload in normal situation)
finally click "确定" to upload

in the whole period of uploading , listening network

After upload the payload , you are able to observe the HTTP request that you just uploaded in burpsuite
Send it to the repeater and replace filename ..1..1views.py to ../../views.py

and finally , click Send , send the payload you had just modified
then you can find that the original code /websiteapp/views.py has changed from

to

that means you just changed the pycode and could causes RCE vulnerability

just visit the website page to trigger the api /api/icon, you can find the index.html downloaded from http://www.bing.com at the path /websiteapp/

proved RCE

by above method, you can upload your file to every file in website or cover every file in website

discovered by leeya_bug