RuoYi SQL Injection Vulnerability Allowing Arbitrary Code Execution

A SQL injection vulnerability has been identified in RuoYi Framework versions through 4.7.9. This vulnerability allows authenticated administrators to execute arbitrary SQL commands via the 'createTable' function in 'SqlUtil.java'. The issue arises from insufficient input validation, which can be exploited by using '%0b' to bypass regular expression filters and inject SQL payloads.

Impact

Exploitation of this vulnerability allows an authenticated administrator to execute arbitrary SQL commands, potentially leading to unauthorized data access or manipulation. In this case, the entire database can be dumped, including user credentials and system configurations.

Reproduction

To reproduce this vulnerability, log in as an administrator and send a request to the '/tool/gen/createTable' endpoint. Inject a SQL payload that exploits the vulnerability by using '%0b' to bypass the application's SQL injection filters. After successfully injecting SQL, the database version can be exfiltrated as proof of exploitation.

Remediation

Update to RuoYi Framework version 4.8.0 or later, and implement proper input validation to filter out the '%0b' character and adjust the SQL keyword filter to correctly block injection attempts.