CVE-2022-24124 PoC — Casdoor SQL注入漏洞

Source

https://github.com/ColdFusionX/CVE-2022-24124

Associated Vulnerability

Title:Casdoor SQL注入漏洞 (CVE-2022-24124)
Description:Casdoor是开源的一个身份和访问管理 (IAM) / 单点登录 (SSO) 平台，带有支持 OAuth 2.0 / OIDC 和 SAML 身份验证的 Web UI 。 Casdoor 1.13.1 之前存在安全漏洞，该漏洞允许攻击者通过api/get-organizations进行攻击。

Description

POC for CVE-2022-24124

Readme

# POC for CVE-2022-24124

> Exploit Code for [CVE-2022-24124](https://nvd.nist.gov/vuln/detail/CVE-2022-24124) aka Casdoor SQL Injection

Exploit Links: [[ExploitDB-50792](https://www.exploit-db.com/exploits/50792)] [[PacketStormSecurity](https://packetstormsecurity.com/files/166163/Casdoor-1.13.0-SQL-Injection.html)]

Expected outcome: Dump SQL database version on host running Casdoor < 1.13.1

Intended only for educational and testing in corporate environments.

### Exploit Usage

```shell
Barricade➜ go run exploit.go -u http://127.0.0.1:8080

-=Casdoor SQL Injection (CVE-2022-24124)=-
- by Mayank Deshmukh (ColdFusionX)

[*] Dumping Database Version
XPATH syntax error: .12-MariaDB-0+deb11u1
```

File Snapshot


 [4.0K]  /data/pocs/bf7276fd9833bf968ebf68fdeaceae95afa71b5e
├── [1.6K]  exploit.go
├── [1.0K]  LICENSE
└── [ 708]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!