
cmswing's Introduction

QQ group: 49757468

What is CmsWing?

CmsWing is a web development framework built on Egg.js that helps development teams and developers reduce development and maintenance costs. CmsWing ships with a built-in CMS application that can be used directly. CmsWing extends Egg.js routing, models, configuration and more at the application layer while following the conventions of Egg.js, so developers with Egg.js experience can get started immediately.

Main features

  • Extends Egg.js routing at the application layer: routes can be configured directly in the admin back end, which also generates menus and permissions, so developers do not need to edit configuration files by hand.
  • Extends Egg.js models at the application layer: models can be added directly in the admin back end, and the entity model files (fields, indexes, association queries and so on) are generated automatically.
  • Integrates GraphQL: create, read, update and delete GraphQL operations are generated automatically from the models, making API calls convenient.
  • The admin back end uses amis, a low-code front-end framework that generates pages from JSON configuration, reducing page development effort and greatly improving efficiency; back-end developers without front-end knowledge can build complex admin pages with it.
  • Integrates the mainstream object storage interfaces; Qiniu, Alibaba Cloud, Tencent Cloud and Huawei Cloud are currently supported and can be used as soon as they are configured in the admin back end.

Getting started

After git clone, enter the project root directory.

Configure the database

/config/sequelize.js

{
  dialect: 'mysql',
  host: '127.0.0.1',
  port: 3306,
  database: 'cmswing2',
  username: 'root',
  password: 'root123456',
}

Change this to your own database: create the database first, then replace the values in this configuration file with your actual database details.

Start the project

$ npm i
$ npm run dev
$ open http://localhost:7001/

After start-up, the table structure and the initial data are generated automatically.

Admin login

Admin URL: http://localhost:7001/admin
Account: admin
Password: 123456
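The configuration shown above keeps the root account and its password in a file that lives in the repository. As an added example, not CmsWing's own code, the following builds the same Sequelize settings from environment variables instead and refuses to start in production on the insecure defaults; the variable names DB_HOST, DB_PORT, DB_NAME, DB_USER and DB_PASSWORD are this example's assumptions.

```javascript
'use strict';
// Added example (not CmsWing's config): assemble the object that
// config/sequelize.js exports from environment variables so that real
// database credentials are never committed. DB_HOST, DB_PORT, DB_NAME,
// DB_USER, DB_PASSWORD and NODE_ENV are names chosen for this example.

function buildSequelizeConfig(env) {
  const isProd = env.NODE_ENV === 'production';
  // Same keys as the object in config/sequelize.js above; the defaults
  // mirror a local development setup and are only used when unset.
  const cfg = {
    dialect: 'mysql',
    host: env.DB_HOST || '127.0.0.1',
    port: Number(env.DB_PORT || 3306),
    database: env.DB_NAME || 'cmswing2',
    username: env.DB_USER || 'root',
    password: env.DB_PASSWORD || '',
  };
  if (!Number.isInteger(cfg.port) || cfg.port < 1 || cfg.port > 65535) {
    throw new Error(`invalid DB_PORT: ${env.DB_PORT}`);
  }
  // Production must not run with an empty password or the root account.
  if (isProd && (cfg.password === '' || cfg.username === 'root')) {
    throw new Error('production database config must set DB_USER (non-root) and DB_PASSWORD');
  }
  return cfg;
}

// config/sequelize.js can then export buildSequelizeConfig(process.env).
if (typeof module !== 'undefined') module.exports = { buildSequelizeConfig };
```

With this in place the repository holds no credentials at all, and a misconfigured production deployment fails at start-up instead of silently connecting as root with an empty password.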

Technology stack

Web technology means building web applications with JavaScript, HTML and CSS; MDN provides convenient documentation for learning these.

Node.js is a JavaScript runtime built on Chrome's V8 engine. Node.js has greatly advanced the engineering of JavaScript; it is now the basic environment for front-end development and the starting point of any workflow.

Egg.js was created for enterprise-level frameworks and applications; the aim is for Egg.js to give rise to more higher-level frameworks that help development teams and developers reduce development and maintenance costs. CmsWing is built on Egg.js, so learn Egg.js before developing with CmsWing!

Sequelize is a promise-based Node.js ORM that currently supports Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server. It offers solid transaction support, associations, eager and lazy loading, read replication and more.

GraphQL is both a query language for APIs and a runtime for fulfilling those queries. It provides a complete, understandable description of the data in your API, lets clients ask for exactly the data they need and nothing more, makes it easier to evolve the API over time, and enables powerful developer tools.

amis is a low-code front-end framework that generates pages from JSON configuration, reducing page development effort and greatly improving efficiency. The CmsWing admin back end is built with it; it is very convenient and especially suited to back-end developers.

Bootstrap is the world's most popular front-end open-source toolkit. It offers Sass variables and mixins, a responsive grid system, a large set of prebuilt components and powerful JavaScript plugins to help you quickly design and customize responsive, mobile-first sites. For SEO, the front-end pages of the CmsWing CMS are built with it.

Preview

(screenshots omitted)

cmswing's People

Contributors

arterli, ehitco, hlovingness, lifeng86828, maweitao1114, qiubiteme, stevewanzi, sunhuipeng, yi-ge


cmswing's Issues

Language Files

This CMS is awesome. Is there a language translation file?

Admin login does not respond

Admin login does not respond; 500 request timeout.

Environment: macOS Sierra, MySQL 5.7.19, Node.js v8.2.1

No error in the console; the console output is as follows:

[2017-08-11 10:15:55] [HTTP] GET /admin/public/signin 200 269ms
{ success: 1,
challenge: '1560f1dd2e523f6f9263fa24a502a5d2',
gt: '4dad8be53801fa4e2e50c1be078e2187' }
[2017-08-11 10:15:55] [HTTP] GET /admin/public/geetest?t=1502417755542 200 409ms
[2017-08-11 10:18:04] [HTTP] POST /admin/public/signin 200 120033ms

Error when adding/modifying a model

2023-03-16 16:55:34,849 INFO 17284 egg-sequelize Executed (default): SHOW INDEX FROM sys_models_associate FROM meng_da
2023-03-16 16:55:34,863 INFO 12492 [egg-sequelize] Not overriding built-in method from model attribute: where
2023-03-16 16:55:34,866 INFO 12492 [egg-sequelize] Not overriding built-in method from model attribute: where
2023-03-16 16:55:34,867 INFO 12492 [egg-sequelize] Not overriding built-in method from model attribute: where
2023-03-16 16:55:34,869 ERROR 12492 nodejs.TypeError: Cannot read properties of undefined (reading 'hasMany')
at Function.SysUser.associate (F:\workspace\mine\mengda-official-site\app\model\sys_user.js:22:31)
at F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:118:54
at Array.forEach ()
at loadDatabase (F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:117:12)
at F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:35:22
at Array.forEach ()
at module.exports (F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:34:24)
at module.exports (F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\app.js:4:26)
at Hook.configDidLoad (F:\workspace\mine\mengda-official-site\node_modules\egg-core\lib\lifecycle.js:99:9)
at Lifecycle.triggerConfigDidLoad (F:\workspace\mine\mengda-official-site\node_modules\egg-core\lib\lifecycle.js:154:14)

pid: 12492
hostname: DESKTOP-559IHRU

F:\workspace\mine\mengda-official-site\node_modules\egg-cluster\lib\app_worker.js:32
throw err;
^

TypeError: Cannot read properties of undefined (reading 'hasMany')
at Function.SysUser.associate (F:\workspace\mine\mengda-official-site\app\model\sys_user.js:22:31)
at F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:118:54
at Array.forEach ()
at loadDatabase (F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:117:12)
at F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:35:22
at Array.forEach ()
at module.exports (F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\lib\loader.js:34:24)
at module.exports (F:\workspace\mine\mengda-official-site\node_modules\egg-sequelize\app.js:4:26)
at Hook.configDidLoad (F:\workspace\mine\mengda-official-site\node_modules\egg-core\lib\lifecycle.js:99:9)
at Lifecycle.triggerConfigDidLoad (F:\workspace\mine\mengda-official-site\node_modules\egg-core\lib\lifecycle.js:154:14)
[2023-03-16 16:55:34.877] [cfork:master:15552] worker:12492 disconnect (exitedAfterDisconnect: false, state: disconnected, isDead: false, worker.disableRefork: true)
[2023-03-16 16:55:34.877] [cfork:master:15552] don't fork, because worker:12492 will be kill soon
2023-03-16 16:55:34,878 INFO 15552 [master] app_worker#3:12492 disconnect, suicide: false, state: disconnected, current workers: ["2","3"]
2023-03-16 16:55:34,881 INFO 17284 egg-sequelize Executed (default): SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE' AND TABLE_NAME = 'sys_models_fields' AND TABLE_SCHEMA = 'meng_da'
[2023-03-16 16:55:34.895] [cfork:master:15552] worker:12492 exit (code: 1, exitedAfterDisconnect: false, state: dead, isDead: true, isExpected: false, worker.disableRefork: true)
[2023-03-16 16:55:34.896] [cfork:master:15552] worker:17284 disconnect (exitedAfterDisconnect: true, state: disconnected, isDead: false, worker.disableRefork: false)
[2023-03-16 16:55:34.897] [cfork:master:15552] don't fork new work (refork: false)
2023-03-16 16:55:34,897 INFO 15552 [master] app_worker#2:17284 disconnect, suicide: true, state: disconnected, current workers: ["4"]
9233 closed
2023-03-16 16:55:34,906 WARN 6356 [ClusterClient:Connection] socket is closed by other side while there were still unhandled data in the socket buffer
Debugger listening on ws://127.0.0.1:9233/a1e69dcb-56d5-448f-adb6-d44326a89222
For help, see: https://nodejs.org/en/docs/inspector
[2023-03-16 16:55:34.927] [cfork:master:15552] worker:17284 exit (code: null, exitedAfterDisconnect: true, state: dead, isDead: true, isExpected: true, worker.disableRefork: false)
2023-03-16 16:55:35,816 INFO 9832 [RemoteConfig] loading remote config from F:\workspace\mine\mengda-official-site\run\remote_config.json
9233 opened

npm start error

/home/ubuntu/CmsWing-1.1.0/src/config/adapter/view.js:213
env.addFilter("getmodelfield", async(id, model_id, field, callback) => {
^

SyntaxError: Unexpected token (
at createScript (vm.js:56:10)
at Object.runInThisContext (vm.js:97:10)
at Module._compile (module.js:542:28)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.require (module.js:497:17)
at require (internal/module.js:20:19)
at Object. (/home/ubuntu/CmsWing-1.1.0/src/config/adapter.js:51:16)
at Module._compile (module.js:570:32)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.require (module.js:497:17)

Vulnerability Report: cmswing 1.3.8 updateAction sql injection

Found a code execution vulnerability in the cmswing project, version 1.3.8. Details can be found in the analysis below.

Vulnerability Location

The vulnerability lies in the updateAction function in cmswing/src/controller/admin/action.js

  async updateAction() {
    const data = this.post();
    if (think.isEmpty(data.id)) {
      data.status = 1;
      data.update_time = Date.now();
      const res = await this.model('action').add(data);
      if (res) {
        this.success({name: '新增成功!', url: '/admin/action/index'});
      } else {
        this.fail('添加失败!');
      }
    } else {
      data.update_time = Date.now();
      const res = await this.model('action').update(data);
      if (res) {
        this.success({name: '更新成功!', url: '/admin/action/index'});
      } else {
        this.fail('更新失败!');
      }
    }
  }

The variable data is the user-behavior data submitted by the front end. The function updateAction updates the user behavior using data. Because data is not checked, SQL injection exists: when a user triggers the corresponding behavior, for example adding an article, the SQL statement is executed.

Local Test

Enter the background of the system, select user behavior, and add our payload to the rules of conduct.

(screenshot omitted)

Add an article to trigger the user behavior just configured. The SQL statement executes successfully and the response time exceeds 5 seconds.

(screenshots omitted)

Database Execution Log

(screenshot omitted)

ER_DBACCESS_DENIED_ERROR: Access denied for user 'root'@'%' to datab

You need to grant privileges in SQL:

grant all privileges on *.* to 'root'@'192.168.0.103' identified by '123456';
If you log in locally, then:
grant all privileges on *.* to 'root'@'localhost' identified by '123456';
Of course you can also change it directly to this:
grant all privileges on *.* to 'root'@'%' identified by '123456';
which allows root to log in from every IP.
If the grant succeeds, you get a Query OK message.
Then:
flush privileges;
This reloads the grants; without it the grant may not take effect immediately.
exit;
This exits.

Reference: https://blog.csdn.net/qq_36735409/article/details/78032144

CmsWing v1.3.8: template RCE in the admin back end after login

Template injection in src/controller/admin/template.js

/**
 * Edit the site home-page template
 * @returns {*}
 */
async homeAction() {
  const gid = await this.model('temp_group').where({isdefault: 1}).getField('gid', true);
  const map = {
    module: 'home',
    controller: 'index',
    action: 'index',
    type: this.para('type') || 1,
    gid: gid
  };
  const temp = await this.model('temp').where(map).find();
  let temppath;
  if (temp.type == 2) {
    temppath = `${think.ROOT_PATH}/view/${temp.module}/mobile/`;
  } else {
    temppath = `${think.ROOT_PATH}/view/${temp.module}/`;
  }
  const templateFile = `${temppath}${temp.controller}${this.config('view.nunjucks.sep')}${temp.action}${this.config('view.nunjucks.extname')}`;
  if (this.isPost) {
    const data = this.post();
    data.id = temp.id;
    data.module = map.module;
    data.controller = map.container;
    data.action = map.action;
    data.name = temp.name;
    data.type = temp.type;
    data.gid = temp.gid;
    console.log(data);
    // await this.model("temp").add(data);
    temp.pid = temp.id;
    delete temp.id;
    temp.baktime = new Date().getTime();
    temp.lastuser = this.user.uid;
    console.log(temp);
    // return false;
    // back up before modifying
    if (data.html != temp.html) {
      const bak = await this.model('temp_bak').add(temp);
      const res = await this.model('temp').update(data);
      if (!think.isEmpty(res)) {
        fs.writeFileSync(templateFile, data.html);
        return this.success({name: '添加成功!'});
      }
    } else {
      return this.fail('请先修改模板!');
    }
  } else {
    // home-page template editor
    // console.log(this.adminmenu["10"]);
    this.meta_title = '首页模板';

    if (think.isFile(templateFile)) {
      const tempcon = fs.readFileSync(templateFile, 'utf8');
      temp.html = tempcon;
    }
    // console.log(temp);
    this.assign('temp', temp);
    return this.display();
  }
}

As can be seen, the front end is rendered through nunjucks templates, and the html parameter of the incoming POST request is only checked for being non-empty, so command execution can be achieved through template injection for RCE: construct a call to child_process directly. Here we demonstrate by popping a calculator.

(screenshots omitted)

Then visit the home page so it gets rendered.

(screenshot omitted)

The calculator pops up successfully; the other templates have the same injection problem.

GraphQL-related error when running

Windows 10
node 14.9.3

$ npm run dev

[email protected] dev D:\playtime\CmsWing
egg-bin dev

[egg-ts-helper] create typings\app\extend\context.d.ts (3ms)
[egg-ts-helper] create typings\app\extend\helper.d.ts (5ms)
[egg-ts-helper] create typings\app\controller\index.d.ts (4ms)
[egg-ts-helper] create typings\app\middleware\index.d.ts (3ms)
[egg-ts-helper] create typings\app\model\index.d.ts (5ms)
[egg-ts-helper] create typings\config\index.d.ts (26ms)
[egg-ts-helper] create typings\config\plugin.d.ts (1ms)
[egg-ts-helper] create typings\app\service\index.d.ts (2ms)
[egg-ts-helper] create typings\app\index.d.ts (1ms)
2022-11-08 00:04:33,981 INFO 8392 [master] node version v14.19.3
2022-11-08 00:04:33,982 INFO 8392 [master] egg version 3.3.3
2022-11-08 00:04:35,242 INFO 14168 [egg-sequelize] Not overriding built-in method from model attribute: where
2022-11-08 00:04:35,271 INFO 14168 [egg-sequelize] Not overriding built-in method from model attribute: where
2022-11-08 00:04:35,274 INFO 14168 [egg-sequelize] Not overriding built-in method from model attribute: where
2022-11-08 00:04:35,393 ERROR 14168 nodejs.Error: Body must be a string. Received: undefined.
at devAssert (D:\playtime\CmsWing\node_modules\graphql\jsutils\devAssert.js:12:11)
at new Source (D:\playtime\CmsWing\node_modules\graphql\language\source.js:32:32)
at new Parser (D:\playtime\CmsWing\node_modules\graphql\language\parser.js:98:9)
at Object.parse (D:\playtime\CmsWing\node_modules\graphql\language\parser.js:31:18)
at Object. (D:\playtime\CmsWing\node_modules\graphql-tools\dist\stitching\introspectSchema.js:40:42)
at Module._compile (internal/modules/cjs/loader.js:1085:14)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
at Module.load (internal/modules/cjs/loader.js:950:32)
at Function.Module._load (internal/modules/cjs/loader.js:790:12)
at Module.require (internal/modules/cjs/loader.js:974:19)


Relative path of images uploaded from the rich-text editor is wrong when publishing

After uploading an image in the rich-text editor it is stored as
<img data-mce-src="public/xxx/xxx.jpg">
This relative path works under 127.0.0.1:7001/admin,
but on front-end pages such as http://127.0.0.1:7001/cms/detail/1 it is wrong.

For now I have worked around it by adding TinyMCE options to obj.options of the input-rich-text type in app/controller/cms/doc.js:getContent:266, switching to absolute paths:

          obj.type = 'input-rich-text';
          obj.receiver = {
            method: 'post',
            url: '/upload/adminToken',
            headers: {
              resBody: '{"link":"{{url}}"}',
            },
          };
          obj.options = {
            height: 600,
            relative_urls: false,
            remove_script_host: false,
            convert_urls: true,
            document_base_url: '/',
            codesample_languages: [
              { text: 'HTML', value: 'html' },
              { text: 'JavaScript', value: 'javascript' },
              { text: 'CSS', value: 'css' },
              { text: 'json', value: 'json' },
              { text: 'graphql', value: 'graphql' },
              { text: 'bash', value: 'bash' },
              { text: 'git', value: 'git' },
              { text: 'markdown', value: 'markdown' },
              { text: 'sql', value: 'sql' },
              { text: 'typescript', value: 'typescript' },
            ],
            content_css: '/public/sys/prism.css',
          };

Vulnerability Report: CmsWing version 1.3.7 has two stored XSS vulnerabilities

The first XSS vulnerability
Question and answer module. In the Question supplement function, when inserting a link, fill in "> < SVG / onload = alert ('xss') > <! -- in the address item to form a stored XSS. This vulnerability can be triggered when any visitor views the issue.

(screenshots omitted)

The second XSS vulnerability
Stored XSS exists in the title item of the online submission module; the payload is as follows: <script>alert (1)</script>
The specific location of the vulnerability is shown in the figure below. After the submission is approved by the admin user, the vulnerability is triggered when the administrator opens the content management page.

(screenshots omitted)
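Both cases in the report above are the same defect seen from the output side: a user-supplied string (a link address, a submission title) is placed into HTML without encoding, so characters such as `"`, `<` and `>` close the attribute or tag the author intended and open a new one. As an added example, not code from CmsWing, the following encodes every interpolated value and restricts link addresses to absolute http(s) URLs; escapeHtml, safeHref and safeLinkHtml are this example's own helpers.

```javascript
'use strict';
// Added example (not CmsWing's code): output encoding for the two places
// the report names, a link address and a free-text title.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Entity-encode the five characters that can change HTML structure.
// The result is safe both as a text node and inside a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs for a link address. Strings the URL
// parser rejects, and every other scheme (javascript:, data:, ...), yield null.
function safeHref(address) {
  let url;
  try { url = new URL(String(address)); } catch (e) { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Markup an "insert link" feature would store: the address is validated and
// encoded, the label is encoded, and an invalid address degrades to plain text.
function safeLinkHtml(address, text) {
  const href = safeHref(address);
  const label = escapeHtml(text);
  if (href === null) return label;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`;
}

if (typeof module !== 'undefined') module.exports = { escapeHtml, safeHref, safeLinkHtml };
```

The same escapeHtml() applied to the submission title when it is rendered on the content management page covers the second case; the rule is that encoding happens at the point of output, for every value, rather than by trying to recognise specific payloads on input.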

Setting a recommendation position has no effect on the front end

Setting a recommendation position has no effect on the front-end page. In the back end the recommendation position is set to list recommendation and the template has position='1', but the front-end display does not change. Going back to edit, the recommendation position just set is no longer selected.

Recently found a scroll-listener error

[ERROR]: [Intervention] Unable to preventDefault inside passive event listener due to target being treated as passive. See <URL>

In smoothscroll.js, changing the final addEvent("mousewheel", wheel); to addEvent("mousewheel", wheel, {passive: false}); seems to fix it.

RCE vulnerability in Cmswing v1.3.7

Found an RCE vulnerability in the cmswing project, version 1.3.7. Details can be found in the analysis below.

Local Test

1. Enter the background of the system, select the update_channel module, then edit it.

2. Change the log rule to [user|console.log(require('child_process').execSync('ipconfig').toString('utf-8'))] or [user|console.log(require('child_process').execSync('calc').toString('utf-8'))]

3. Enter [System settings] - [Navigation settings] and change a navigation entry.

4. Change anything, then save it. We can see that our code is executed.

5. Get the IP and open calc.

(screenshots omitted)

Optimization of the record-update code

Updating a field and incrementing another field of the same record can be done in a single statement.
For example, in autoLogin in common/model/member.js

    let data = {
        'last_login_time': new Date().valueOf(),
        'last_login_ip': _ip2int(ip),
    };
    let use = await this.where({id: user.id}).update(data);
    await this.where({id: user.id}).increment('login');

can be changed to

    let field = 'login';
    let data = {
      last_login_time: new Date().valueOf(),
      last_login_ip:_ip2int(ip),
      [field]: ['exp', `\`${field}\`+1`],
    };
    await this.where({ id: user.id }).update(data);

SQLi vulnerability in Cmswing v1.3.7

Found a SQLi vulnerability in the cmswing project, version 1.3.7. Details can be found in the analysis below.

Local Test

1. Enter the background of the system, select the update_channel module, then edit it.

2. Change the behavior rule to table:member|field:score|condition:id=${self} AND (select if(substr(version(),1)>0,sleep(5),1))|rule:1

3. Enter [System settings] - [Navigation settings] and change a navigation entry.

4. Change anything, then save it. We can see the SQLi vulnerability.

(screenshots omitted)

What is the open-source license?

package.json says MIT, but could a LICENSE file also be placed in the root directory?

"http://127.0.0.1:8360" not working

There seems to be no issue with npm start, but I am unable to forward to http://127.0.0.1:8360.

[2018-03-23T05:14:51.131] [11064] [INFO] - Server running at http://127.0.0.1:8360
[2018-03-23T05:14:51.134] [11064] [INFO] - ThinkJS version: 3.2.7
[2018-03-23T05:14:51.134] [11064] [INFO] - Enviroment: development
[2018-03-23T05:14:51.134] [11064] [INFO] - Workers: 4
[2018-03-23T05:14:53.017] [3464] [INFO] - mysql://root:[email protected]:3306/cmswing
[2018-03-23T05:14:53.061] [3464] [INFO] - SQL: SELECT `name`,`value`,`type` FROM `cmswing_setup` WHERE ( `status` = 1 ) ORDER BY sort ASC, Time: 43ms
[2018-03-23T05:14:53.064] [2788] [INFO] - mysql://root:[email protected]:3306/cmswing
[2018-03-23T05:14:53.065] [3464] [INFO] - SQL: SELECT * FROM `cmswing_ext`, Time: 2ms
[2018-03-23T05:14:53.104] [2788] [INFO] - SQL: SELECT `name`,`value`,`type` FROM `cmswing_setup` WHERE ( `status` = 1 ) ORDER BY sort ASC, Time: 39ms
[2018-03-23T05:14:53.107] [2788] [INFO] - SQL: SELECT * FROM `cmswing_ext`, Time: 1ms
[2018-03-23T05:14:53.221] [15348] [INFO] - mysql://root:[email protected]:3306/cmswing
[2018-03-23T05:14:53.259] [15348] [INFO] - SQL: SELECT `name`,`value`,`type` FROM `cmswing_setup` WHERE ( `status` = 1 ) ORDER BY sort ASC, Time: 37ms
[2018-03-23T05:14:53.262] [15348] [INFO] - SQL: SELECT * FROM `cmswing_ext`, Time: 2ms
[2018-03-23T05:14:53.269] [6712] [INFO] - mysql://root:[email protected]:3306/cmswing
[2018-03-23T05:14:53.304] [6712] [INFO] - SQL: SELECT `name`,`value`,`type` FROM `cmswing_setup` WHERE ( `status` = 1 ) ORDER BY sort ASC, Time: 35ms
[2018-03-23T05:14:53.307] [6712] [INFO] - SQL: SELECT * FROM `cmswing_ext`, Time: 1ms
[2018-03-23T05:14:55.779] [17696] [INFO] - mysql://root:[email protected]:3306/cmswing
[2018-03-23T05:14:55.816] [17696] [INFO] - SQL: SELECT `name`,`value`,`type` FROM `cmswing_setup` WHERE ( `status` = 1 ) ORDER BY sort ASC, Time: 36ms
[2018-03-23T05:14:55.819] [17696] [INFO] - SQL: SELECT * FROM `cmswing_ext`, Time: 2ms
[2018-03-23T05:15:00.014] [2788] [INFO] - SQL: SELECT `id` FROM `cmswing_order` WHERE ( `pay_status` = 0 ) AND ( `status` = 2 ) AND ( `create_time` < 1521666900011 ) AND ( `type` = 0 ), Time: 2ms
[2018-03-23T05:15:00.017] [2788] [INFO] - CLI admin/crontab/cloa 200 8ms

Vulnerability Report: cmswing 1.3.8 code execution

Found a code execution vulnerability in the cmswing project, version 1.3.8. Details can be found in the analysis below.

The vulnerability lies in the log function in cmswing/src/mode/action.js

async log(action, model, record_id, user_id, ip, url) {
    // action=action||null,model=model||null,record_id=record_id||null,user_id=user_id||null;
    // parameter check
    if (think.isEmpty(action) || think.isEmpty(model) || think.isEmpty(record_id)) {
      return '参数不能为空';
    }

    if (think.isEmpty(user_id)) {
      const user = await think.session('userInfo');
      const id = user.id;
      user_id = id;
    }

    // look up the behavior and decide whether to execute it

    const action_info = await this.where({name: action}).find();
    if (action_info.status != 1) {
      return '该行为被禁用';
    }

    // insert the behavior log

    const data = {
      action_id: action_info.id,
      user_id: user_id,
      action_ip: _ip2int(ip),
      model: model,
      record_id: record_id,
      create_time: new Date().valueOf()
    };
    data.remark = '';
    // parse the log rule and generate the log remark
    if (!think.isEmpty(action_info.log)) {
      const match = action_info.log.match(/\[(\S+?)\]/g);
      if (!think.isEmpty(match)) {
        const log = {
          user: user_id,
          record: record_id,
          model: model,
          time: new Date().valueOf(),
          data: {
            user: user_id,
            record: record_id,
            model: model,
            time: new Date().valueOf()
          }
        };

        const replace = [];
        for (let val of match) {
          val = val.replace(/(^\[)|(\]$)/g, '');
          const param = val.split('|');
          console.log(1111111,param);
          if (!think.isEmpty(param[1])) {
            if (param[0] == 'user') {
              replace.push(await call_user_func(param[1], log[param[0]]));
            } else {
              replace.push(call_user_func(param[1], log[param[0]]));
            }
          } else {
            replace.push(log[param[0]]);
          }
        }

        data.remark = str_replace(match, replace, action_info.log);
        // console.log(data.remark)
      } else {
        data.remark = action_info.log;
      }
    } else {
      // no log rule defined: record the operation URL
      data.remark = '操作url:' + url;
    }
    if (!think.isNumber(record_id)) {
      data.record_id = 0;
    }
    await this.model('action_log').add(data);

    if (!think.isEmpty(action_info.rule)) {
      const rules = await this.parse_action(action, user_id);
      // console.log(rules);
      const res = await this.execute_action(rules, action_info.id, user_id);
    }
  }

  // ...

global.call_user_func = function(cb, params) {
  const func = eval(cb);
  if (!think.isArray(params)) {
    params = [params];
  }
  return func.apply(cb, params);
};


The variable log is the user-behavior log data submitted by the front end. The function log processes the variable log. If param[0] == 'user', the call_user_func function is called. The variable is not checked, so malicious parameters reach the eval call inside call_user_func and achieve code execution.

Local Test

Enter the background of the system, select user behavior, and add our payload to the rules of conduct.

(screenshot omitted)

Add an article to trigger the user behavior just configured.

(screenshot omitted)

Execution log: the code was executed successfully and the IP-related information was printed out.

(screenshot omitted)
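The root cause in the report above is that call_user_func hands a string taken from a stored rule to eval, so whoever can edit the rule can run arbitrary JavaScript in the server process. As an added example, not CmsWing's code, the following replaces it with dispatch through a fixed table of registered formatters and re-implements the [field|formatter] expansion that log() performs on top of that table, so rule text can name a formatter but cannot supply code; FORMATTERS, callRegistered and renderLogRule, and the two sample formatters, are this example's own.

```javascript
'use strict';
// Added example (not CmsWing's code): an allowlist-based replacement for the
// eval-based global.call_user_func in the report above, plus a re-implementation
// of the "[field|formatter]" expansion that log() applies to action_info.log.

// Formatters a log rule may reference by name. The rule chooses a name only;
// the functions live in code. Both formatters here are stand-ins constructed
// for this example (the real one would look the nickname up in the database).
const FORMATTERS = Object.freeze({
  get_nickname: id => `user#${id}`,
  time_format: ts => new Date(ts).toISOString(),
});

// Replacement for call_user_func: dispatch by name through the frozen table.
// A name that is not registered, for instance a JavaScript expression written
// into the rule, is rejected instead of evaluated.
function callRegistered(name, params, registry = FORMATTERS) {
  if (!Object.prototype.hasOwnProperty.call(registry, name)) {
    throw new Error(`log rule references unknown formatter "${name}"`);
  }
  const args = Array.isArray(params) ? params : [params];
  return registry[name](...args);
}

// Same placeholder grammar as the original: "[user]", "[record]", "[user|fn]".
// `ctx` is the object log() builds (user, record, model, time); a placeholder
// naming a key that ctx does not have renders as an empty string.
function renderLogRule(rule, ctx, registry = FORMATTERS) {
  return rule.replace(/\[(\S+?)\]/g, (whole, inner) => {
    const [key, fn] = inner.split('|');
    if (!Object.prototype.hasOwnProperty.call(ctx, key)) return '';
    const value = ctx[key];
    return fn ? String(callRegistered(fn, value, registry)) : String(value);
  });
}

if (typeof module !== 'undefined') module.exports = { FORMATTERS, callRegistered, renderLogRule };
```

The formatter table is the complete list of what a rule may invoke, so reviewing it is enough to know what stored rules can do; an unknown name fails loudly at render time, which is also the place to log and alert on tampered rules.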

Feature not implemented

In the admin back end, Model management -> Add model -> addAction() seems to be missing the logic that creates the database table. Please confirm.

Vulnerability Report: cmswing 1.3.8 user recharge sql injection

Found a code execution vulnerability in the cmswing project, version 1.3.8. Details can be found in the analysis below.

Vulnerability Location

The vulnerability lies in the rechargeAction function in cmswing/src/controller/admin/user.js

  async rechargeAction() {
    if (this.isAjax('POST')) {
      const data = this.post();
      const self = this;
      const insertId = await this.db.transaction(async() => {
        await self.db.where({id: data.id}).increment('amount', data.balance);
        const amount_log = await self.db.where({id: data.id}).getField('amount', true);
        return await self.model('balance_log').db(self.db.db()).add({
          admin_id: self.user.uid,
          user_id: data.id,
          type: 2,
          time: new Date().valueOf(),
          amount: data.balance,
          amount_log: amount_log,
          note: `管理员(${await get_nickname(self.user.uid)})为您充值,充值的金额为:${data.balance} 元`
        });
      });

      if (insertId) {
        return this.success({name: '充值成功!'});
      } else {
        return this.fail('充值失败!');
      }
    } else {
      const id = this.get('ids');
      const name = await get_nickname(id);
      this.assign('name', name);
      this.assign('id', id);
      this.meta_title = '会员充值';
      return this.display();
    }
  }

The variable data.balance represents the recharge amount. The function rechargeAction increases the specified user's balance by it, but lacks sufficient checks on data.balance, which results in SQL injection when the database update is performed.

Local Test

Enter the background of the system and select user recharge.

(screenshot omitted)

Modify the balance to (select if(left(version(),1)=5,sleep(5),sleep(10))). It was found that the recharge succeeded and the response time was extended by 5 seconds, proving that our statement was injected into the database and executed.

(screenshot omitted)

Database Execution Log

(screenshot omitted)
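This report and the updateAction report earlier on this page share one cause: a request body reaches the ORM without any check on which fields it carries or what they contain. As an added example, not CmsWing's code, validateBody() below allowlists the fields of a body and coerces each one to a checked type before anything touches a query, so a recharge amount can only ever be a bounded decimal number and an action record can only carry known fields; RECHARGE_SCHEMA and ACTION_SCHEMA are this example's own guesses at the relevant fields, not the project's definitions.

```javascript
'use strict';
// Added example (not CmsWing's code): schema-based validation of request
// bodies for the rechargeAction and updateAction handlers shown on this page.
// The field lists in the two schemas are assumptions made for the example.

// Returns a new object containing only schema fields, each coerced to its
// declared type; throws on unknown fields, missing required fields or bad values.
function validateBody(schema, body) {
  if (body === null || typeof body !== 'object') throw new TypeError('body must be an object');
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      throw new Error(`unexpected field "${key}"`); // mass-assignment guard
    }
  }
  const clean = {};
  for (const [key, rule] of Object.entries(schema)) {
    const raw = body[key];
    if (raw === undefined) {
      if (rule.required) throw new Error(`missing field "${key}"`);
      continue;
    }
    clean[key] = coerce(key, rule, raw);
  }
  return clean;
}

function coerce(key, rule, raw) {
  switch (rule.type) {
    case 'id':
      // A canonical positive decimal integer (as string or number), nothing else.
      if (!/^[1-9][0-9]{0,17}$/.test(String(raw))) throw new Error(`"${key}" is not an id`);
      return Number(raw);
    case 'money': {
      // At most two decimals, strictly positive, bounded by rule.max.
      if (!/^(0|[1-9][0-9]{0,8})(\.[0-9]{1,2})?$/.test(String(raw))) throw new Error(`"${key}" is not an amount`);
      const n = Number(raw);
      if (!(n > 0) || n > rule.max) throw new Error(`"${key}" out of range`);
      return n;
    }
    case 'string':
      if (typeof raw !== 'string' || raw.length > rule.max) throw new Error(`"${key}" must be a string of at most ${rule.max} chars`);
      return raw;
    case 'enum':
      if (!rule.values.includes(raw)) throw new Error(`"${key}" must be one of ${rule.values.join(',')}`);
      return raw;
    default:
      throw new Error(`bad schema for "${key}"`);
  }
}

// Recharge form: the user id and the amount, and nothing else.
const RECHARGE_SCHEMA = {
  id: { type: 'id', required: true },
  balance: { type: 'money', required: true, max: 100000 },
};

// Action form (field names assumed). Any field not listed here, including
// free-form rule text, is rejected rather than stored.
const ACTION_SCHEMA = {
  id: { type: 'id' },
  name: { type: 'string', max: 30 },
  title: { type: 'string', max: 80 },
  remark: { type: 'string', max: 140 },
  status: { type: 'enum', values: ['0', '1', 0, 1] },
};

if (typeof module !== 'undefined') module.exports = { validateBody, RECHARGE_SCHEMA, ACTION_SCHEMA };
```

In rechargeAction the handler would call validateBody(RECHARGE_SCHEMA, this.post()) and pass the returned numeric balance to the increment; the subquery from the report never gets past the amount check, and a negative or zero amount is refused at the same point.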

Registration: username length is not limited, causing an error

When registering I used a string as long as [email protected] and got an error,
with no prompt either; I then looked at the back-end logs
m','18819448261',1565861057993,0,1), Time: 5ms
{ Error: ER_DATA_TOO_LONG: Data too long for column 'username' at row 1
    at Query.Sequence._packetToError (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/sequences/Sequence.js:47:14)
    at Query.ErrorPacket (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/sequences/Query.js:77:18)
    at Protocol._parsePacket (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/Protocol.js:291:23)
    at Parser._parsePacket (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/Parser.js:433:10)
    at Parser.write (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/Parser.js:43:10)
    at Protocol.write (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/Protocol.js:38:16)
    at Socket.<anonymous> (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/Connection.js:91:28)
    at Socket.<anonymous> (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/Connection.js:525:10)
    at Socket.emit (events.js:189:13)
    at addChunk (_stream_readable.js:284:12)
    at readableAddChunk (_stream_readable.js:265:11)
    at Socket.Readable.push (_stream_readable.js:220:10)
    at TCP.onStreamRead [as onread] (internal/stream_base_commons.js:94:17)
    --------------------
    at Protocol._enqueue (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/protocol/Protocol.js:144:48)
    at PoolConnection.query (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@mysql/lib/Connection.js:201:25)
    at Promise (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@think-helper/index.js:83:10)
    at new Promise (<anonymous>)
    at args (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@think-helper/index.js:82:12)
    at ThinkMysql.[think-mysql-query] (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@think-mysql/index.js:169:12)
    at getConnection.then.connection (/Users/macbook/Downloads/CmsWing/node_modules/[email protected]@think-mysql/index.js:247:25)
    at process._tickCallback (internal/process/next_tick.js:68:7)
  code: 'ER_DATA_TOO_LONG',

npm start error

SyntaxError: Invalid or unexpected token
at new Script (vm.js:79:7)
at createScript (vm.js:251:10)
at Object.runInThisContext (vm.js:303:10)
at Module._compile (internal/modules/cjs/loader.js:657:28)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:700:10)
at Module.load (internal/modules/cjs/loader.js:599:32)
at tryModuleLoad (internal/modules/cjs/loader.js:538:12)
at Function.Module._load (internal/modules/cjs/loader.js:530:3)
at Module.require (internal/modules/cjs/loader.js:637:17)
at require (internal/modules/cjs/helpers.js:22:18)

Is there a REST API?

I'm planning to write the front end with vue.js. Is there a REST API endpoint I can call?

nginx.conf configuration problem following the docs

Steps:

1. Configured according to the docs; ip+8360 works normally, e.g. http://127.0.0.1:8360

2. Used the nginx configuration from https://www.cmswing.com/p/404.html, saved it as shop.conf and symlinked it

include shop.conf;

nginx -t reports no problem; restarted

3. Visiting the domain http://xxx.com/index.js gives a 404

My shop.conf

server {
    listen 80;
    server_name www.mygame.com;
    root /home/wwwroot/default;
    set $node_port 8360;
    index index.js index.html index.htm;
    if ( -f $request_filename/index.html ){
        rewrite (.*) $1/index.html break;
    }
    if ( !-f $request_filename ){
        rewrite (.*) /index.js;
    }
    location = /index.js {
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:$node_port$request_uri;
        proxy_redirect off;
    }
    location ~ /static/ {
        etag         on;
        expires      max;
    }
}

Very good e-commerce template

I want to build a small site where residents of a community can buy and sell second-hand goods to each other. I'm only just getting started with JavaScript. If I wanted to add a feature that lets users post product listings to your template, how hard would that be? Thanks!

How to add a URL prefix for the site?

For example, the domain is www.xyz.com and I'd like to map www.xyz.com/cms/ to cmswing. Could a prefix="cms" setting be added in cmswing? That would make the nginx configuration easier.
