RuoYi漏洞点

RuoYi漏洞点
2022-12-18 15:8:37 Author: 仙友道(查看原文) 阅读量:50 收藏

RuoYI指纹 => app="若依-管理系统"

RuoYI版本 => ry-ui.js?v=4.2.0 | ry-ui.css?v=4.2.0

Shiro RCE

漏洞分析

Pom.xml:20

com/ruoyi/framework/config/ShiroConfig.java:325

File Download

RuoYI <= V4.5.0

漏洞分析

ResourceDownload

V4.1.0 <= RuoYI <= V4.5.0

com.ruoyi.common.utils.file.FileUtils#writeBytes

com.ruoyi.web.controller.common.CommonController#resourceDownload

需要以 /profile 开头，从此目录回溯

FileDownload

RuoYI <= V3.2.0

com/ruoyi/common/utils/file/FileUtils.java:38

com/ruoyi/web/controller/common/CommonController.java:57 任意文件下载

File Delete

RuoYI <= V3.2.0

漏洞分析

com/ruoyi/common/utils/file/FileUtils.java:85

com/ruoyi/web/controller/common/CommonController.java:60 任意文件删除

Sql Injection

RuoYI <= 4.6.2

漏洞分析

SysRoleMapper

src/main/resources/mapper/system/SysRoleMapper.xml#58

=> com.ruoyi.system.mapper.SysRoleMapper#selectRoleList

=> com.ruoyi.system.service.impl.SysRoleServiceImpl#selectRoleList

=> com.ruoyi.web.controller.system.SysRoleController#list

=> com.ruoyi.system.domain.SysRole#dataScope

SysDeptMapper

src/main/resources/mapper/system/SysDeptMapper.xml#51

在147行还有一处注入

=> com.ruoyi.system.mapper.SysDeptMapper#selectDeptList

=> com.ruoyi.system.service.impl.SysDeptServiceImpl#selectDeptList

=> 此方法在Controller层有多处调用

=> com.ruoyi.web.controller.system.SysDeptController#list

SysUserMapper

src/main/resources/mapper/system/SysUserMapper.xml#81

=> com.ruoyi.system.mapper.SysUserMapper#selectUserList

=> com.ruoyi.system.service.impl.SysUserServiceImpl#selectUserList

=> 此方法在Controller层有多处调用

=> com.ruoyi.web.controller.system.SysUserController#list

Fastjson RCE

RuoYi <= v4.2.0

漏洞分析

com.ruoyi.generator.service.impl.GenTableServiceImpl#validateEdit

没复现成功

RCE

V3.3.0 <= RuoYi <= v4.6.2

漏洞分析

com.ruoyi.quartz.util.JobInvokeUtil#invokeMethod(com.ruoyi.quartz.domain.SysJob)

com.ruoyi.quartz.util.QuartzDisallowConcurrentExecution#doExecute

调用invokemethod方法，此处为JOB具体任务类

com.ruoyi.quartz.controller.SysJobController#run

到达Controller层

反射执行方法，限制如下：

1、类的构造方法为Public

2、类的构造方法无参

3、调用目标字符串的参数为：支持字符串，布尔类型，长整型，浮点型，整型

4、调用目标方法除了为Public，无参，还需要具有执行代码/命令的能力

Thymeleaf SSTI

V4.6.0 – V4.7.1

漏洞分析

localRefreshTask

com.ruoyi.web.controller.demo.controller.DemoFormController#localRefreshTask

CacheController

com.ruoyi.web.controller.monitor.CacheController#getCacheNames

com.ruoyi.web.controller.monitor.CacheController#getCacheKeys

com.ruoyi.web.controller.monitor.CacheController#getCacheValue

Shiro 多个认证绕过、Spring Framework反射型文件下载漏洞、FastJson RCE暂未学习，后续学了回来填坑。

Reference

https://doc.ruoyi.vip/ruoyi/document/kslj.html#%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E

文章来源: http://mp.weixin.qq.com/s?__biz=Mzg3NjYwNDgzMQ==&mid=2247485706&idx=1&sn=53c26249c714a98026308d8798cff4b1&chksm=cf2ef5faf8597cec705c58f43c7a9d716238128413cb5823e98f02915b2ee92ff528ac7c990d#rd
如有侵权请联系:admin#unsafe.sh