苹果cms-v10,maccms-v10,麦克cms,开源cms,内容管理系统,视频分享程序,分集剧情程序,网址导航程序,文章程序,漫画程序,图片程序

Last update: Dec 24, 2022

Related tags

CMS maccms10

Overview

苹果cms-v10

苹果CMS程序是一套采用PHP+MYSQL环境下运行的完善而强大的快速建站系统。经过近多年的开发经验和技术积累，苹果CMS程序已逐步走向成熟，在易用性和功能上已经成为同行中的佼佼者。程序体积小->优化程序代码，运行速度快->高效的缓存处理，只要普通的虚拟主机就可以完美搭建起来，建站成本非常低。仿MVC模板分离，内置标签，自定义函数标签接口，强大的自定义采集功能，只要你会HTML就可以轻松做出个性化的网站。程序易用性和功能上一直以来都积极采纳广大站长提出的各种好的建议，迅速响应各种紧急问题，我们的服务理念贯穿其中，保证每一位站长每一个环节都可以从容应对。v10采用tp5.x内核进行开发，扩展了模板处理引擎，将后台程序与html模板简单的分离出来，让设计人员与程序人员最大限度的发挥自己的优势而互不干扰，大大加快了项目有序、快速的完成。即使您是第一次接触，也会在最短的时间内熟练掌握它的使用方法。后台管理模块，一目了然，操作简单，绝对不会让您眼花缭乱。

Apple CMS program is a set of PHP and MYSQL environment operating in a perfect and powerful fast station system. After nearly years of development experience and technology accumulation, Apple CMS program has gradually matured, in ease of use and functionality has become the leader in peers. The program size is small - > optimizer code, running fast - > efficient caching processing, as long as the ordinary virtual host can be perfectly built, the cost of building a station is very low. Imitation MVC template separation, built-in tags, custom function label interface, powerful custom acquisition function, as long as you will HTML can easily make personalized website. Program ease of use and function has been actively adopted by the vast number of station director put forward a variety of good suggestions, quickly respond to a variety of urgent issues, our service concept throughout it, to ensure that every station director every link can be calmly coped with. v10 using the tp5.x kernel for development, extended the template processing engine, the background program and html template simple separation, so that designers and programmers to maximize their advantages without interference, greatly speed up the project orderly and fast completion. Even if you are in first contact, you will master how to use it in the shortest possible time. Back-office management module, at a glance, easy to operate, will never dazzle you.

免责声明

本程序仅供内部学习和交流使用，没有内置任何数据，请在遵守当地法律的前提下使用本站程序，对用户在使用过程中的自行维护的信息内容本站不负任何责任！

This program is for internal learning and communication use only, there is no built-in data, please comply with local laws under the premise of using the site program, the user in the process of self-maintenance of the information content of this site is not responsible!

Comments

bug in file:application/index/controller/Verify.php

直接看代码不说话

[x] git diff /application/index/controller/Verify.php

--- a/application/index/controller/Verify.php
  +++ b/application/index/controller/Verify.php
  @@ -1,7 +1,7 @@
   <?php
   namespace app\index\controller;
   use think\captcha\Captcha;
  -use think\config;
  +use think\Config;
   use think\Controller;
   >
   class Verify extends Controller
  @@ -13,6 +13,7 @@ class Verify extends Controller

opened by denghuiquan 2

专题影片数bug

https://github.com/maccmspro/maccms10/blob/1643ed853c655f12aa9b9cd271aa60c2e9646acb/application/common/model/Topic.php#L38-L49

vod_list数据来源topic_rel_vod+vod_tag，显示专题影片数时只处理了topic_rel_vod的数量，vod_tag的数量遗漏了

opened by dianyings 1

后台漏洞：可绕过登录直接进入管理后台

导读：利用登录逻辑漏洞，构造特定cookie，实现无需账号密码，直接进入管理后台

1. 查看后台登录验证的相关代码

/application/common/model/Admin.php 的 checkLogin() 函数

public function checkLogin()
{
    return ['code'=>1,'msg'=>'已登录','info'=>$info];
    $admin_id = cookie('admin_id');
    $admin_name = cookie('admin_name');
    $admin_check = cookie('admin_check');

    if(empty($admin_id) || empty($admin_name) || empty($admin_check)){
        return ['code'=>1001, 'msg'=>'未登录'];
    }

    $where = [];
    $where['admin_id'] = $admin_id;
    $where['admin_name'] = $admin_name;
    $where['admin_status'] =1 ;

    $info = $this->where($where)->find();
    if(empty($info)){
        return ['code'=>1002,'msg'=>'未登录'];
    }
    $info = $info->toArray();

    $login_check = md5($info['admin_random'] . $info['admin_name'] .$info['admin_id']) ;
    if($login_check != $admin_check){
        return ['code'=>1003,'msg'=>'未登录'];
    }
    return ['code'=>1,'msg'=>'已登录','info'=>$info];
}

2. 分析登录逻辑

看到代码为直接获取cookie中的信息来查询数据库，所以我们是不是构造cookie就可以完成登录了：

$admin_id = cookie('admin_id');
$admin_name = cookie('admin_name');
$admin_check = cookie('admin_check');

3. 构造cookie，进入后台

结合代码逻辑和tp框架的特性，我们构造一下cookie，就能完美绕过进入后台。

4. 演示：直接操作进入后台

打开网站后台地址，浏览器console 输入设置cookie代码： xxx.com/admin.php 再次重新打开后台地址，将会直接进入 xxx.com/admin.php

opened by maccmspro 0

xss attacks on background

Go to background, go to Basics > AD Management > Name,

Insert payload1 in the name box:

It can cause XSS attacks. Vulnerability name：Storage type xss Vulnerability level：Medium risk Vulnerability location： http://127.0.0.1/admin.php/admin/banner/infocat.html

opened by Cedric1314 0
后台存在ssrf漏洞

Enter the background, click Collect --> Custom interface --> Interface address,

In the name box into payload1:http://7ca8e96e.dns.1433.eu.org.

It can cause ssrf attacks.

opened by Cedric1314 0
谨防盗版程序和诈骗网站.la版本

以下两篇文章足以说明一切你搞黑产自然我们会收拾你紧急：苹果cms由于maccms.la版本存在自动更新后门站已经被入侵 https://github.com/maccmspro/download/wiki/%E7%B4%A7%E6%80%A5%EF%BC%9A%E8%8B%B9%E6%9E%9Ccms%E7%94%B1%E4%BA%8Emaccms.la%E7%89%88%E6%9C%AC%E5%AD%98%E5%9C%A8%E8%87%AA%E5%8A%A8%E6%9B%B4%E6%96%B0%E5%90%8E%E9%97%A8%E7%AB%99%E5%B7%B2%E7%BB%8F%E8%A2%AB%E5%85%A5%E4%BE%B5 警告:严厉谴责CC攻击我们的.la版本假冒团队，整理了被控制的小部分肉鸡网站，有你的吗？ https://github.com/maccmspro/download/wiki/%E8%AD%A6%E5%91%8A:%E4%B8%A5%E5%8E%89%E8%B0%B4%E8%B4%A3CC%E6%94%BB%E5%87%BB%E6%88%91%E4%BB%AC%E7%9A%84.la%E7%89%88%E6%9C%AC%E5%81%87%E5%86%92%E5%9B%A2%E9%98%9F%EF%BC%8C%E6%95%B4%E7%90%86%E4%BA%86%E8%A2%AB%E6%8E%A7%E5%88%B6%E7%9A%84%E5%B0%8F%E9%83%A8%E5%88%86%E8%82%89%E9%B8%A1%E7%BD%91%E7%AB%99%EF%BC%8C%E6%9C%89%E4%BD%A0%E7%9A%84%E5%90%97%EF%BC%9F

opened by maccmspro 5