RuoYi version => ry-ui.js?v=4.2.0 | ry-ui.css?v=4.2.0
Shiro RCE
Vulnerability analysis
com/ruoyi/framework/config/ShiroConfig.java:325
File Download
Vulnerability analysis
ResourceDownload
V4.1.0 <= RuoYI <= V4.5.0
com.ruoyi.common.utils.file.FileUtils#writeBytes
com.ruoyi.web.controller.common.CommonController#resourceDownload
FileDownload
com/ruoyi/common/utils/file/FileUtils.java:38
com/ruoyi/web/controller/common/CommonController.java:57 arbitrary file download
File Delete
Vulnerability analysis
com/ruoyi/common/utils/file/FileUtils.java:85
com/ruoyi/web/controller/common/CommonController.java:60 arbitrary file deletion
Sql Injection
Vulnerability analysis
SysRoleMapper
src/main/resources/mapper/system/SysRoleMapper.xml#58
=> com.ruoyi.system.mapper.SysRoleMapper#selectRoleList
=> com.ruoyi.system.service.impl.SysRoleServiceImpl#selectRoleList
=> com.ruoyi.web.controller.system.SysRoleController#list
=> com.ruoyi.system.domain.SysRole#dataScope
SysDeptMapper
src/main/resources/mapper/system/SysDeptMapper.xml#51
=> com.ruoyi.system.mapper.SysDeptMapper#selectDeptList
=> com.ruoyi.system.service.impl.SysDeptServiceImpl#selectDeptList
=> com.ruoyi.web.controller.system.SysDeptController#list
SysUserMapper
src/main/resources/mapper/system/SysUserMapper.xml#81
=> com.ruoyi.system.mapper.SysUserMapper#selectUserList
=> com.ruoyi.system.service.impl.SysUserServiceImpl#selectUserList
=> com.ruoyi.web.controller.system.SysUserController#list
Fastjson RCE
Vulnerability analysis
com.ruoyi.generator.service.impl.GenTableServiceImpl#validateEdit
RCE
V3.3.0 <= RuoYi <= v4.6.2
Vulnerability analysis
com.ruoyi.quartz.util.JobInvokeUtil#invokeMethod(com.ruoyi.quartz.domain.SysJob)
com.ruoyi.quartz.util.QuartzDisallowConcurrentExecution#doExecute
Calls the invokeMethod method; this is the concrete job task class.
com.ruoyi.quartz.controller.SysJobController#run
3. The parameter types supported in the invoke-target string are: string, boolean, long, float, and integer.
4. Apart from being public with no parameters, the invoked target method also needs the ability to execute code/commands.
Thymeleaf SSTI
Vulnerability analysis
localRefreshTask
com.ruoyi.web.controller.demo.controller.DemoFormController#localRefreshTask
CacheController
com.ruoyi.web.controller.monitor.CacheController#getCacheNames
com.ruoyi.web.controller.monitor.CacheController#getCacheKeys
com.ruoyi.web.controller.monitor.CacheController#getCacheValue
The multiple Shiro authentication bypasses, the Spring Framework reflected file download vulnerability, and the FastJson RCE have not been studied yet; I will come back and fill these in after learning them.
Reference
https://doc.ruoyi.vip/ruoyi/document/kslj.html#%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E
Original article first published on the WeChat official account (仙友道): RuoYi Vulnerability Points