Login with built-in account and password
Because of some problems in the environment I built myself (possibly because the version is too high; strange problems, users do not have permission), for now I only do a conceptual verification and analyze the principle of the vulnerability.
Accessing the /smartbi/vision/RMIServlet interface, we can clearly see that the corresponding processing is done by the CheckIsLoggedFilter class:
smartbi.freequery.filter.CheckIsLoggedFilter#doFilter
From here a more detailed analysis is needed. First, the filter checks whether the request path is /vision/RMIServlet. If so, it enters this branch and then checks whether the request body contains a string starting with windowUnloading; that is related to another bypass method and is not analyzed here.
Next, it checks in turn whether the className and methodName parameters are present, obtained via POST or GET.
Here there is a judgment that performs an authentication check on the class and method: if FilterUtil.needToCheck returns true, it goes on to check whether the user is logged in. So you only need to satisfy the conditions under which FilterUtil.needToCheck returns false.
smartbi.util.FilterUtil#needToCheck
We noticed that the login-from-database operation in smartbi.usermanager.UserManagerModule can also be reached without authentication:
smartbi.usermanager.UserManagerModule#loginFromDB
smartbi.usermanager.SecurityServiceImpl#loginFromDB
The comparison here is made directly against the password value queried from the database, so the built-in account can be logged in with its MD5 password value directly.
admin can also log in successfully
Why not log in through the original login path? First, with the original login path we do not know the corresponding account and password. Second, let us briefly analyze the original login logic.
smartbi.usermanager.UserManagerModule#clickLogin
smartbi.usermanager.UserManagerModule#login
smartbi.usermanager.SecurityServiceImpl#login
The main login-handling logic is in this part:
smartbi.usermanager.SecurityServiceImpl#loginDB
smartbi.usermanager.UserBO#isPasswordValidate
When the comparison is made here, it first looks up the user's password from the database (String passwordInLib = this.user.getPassword();) and then processes and compares it according to the first character of the stored password.
We already know that the corresponding value in the database is 0a, but no value has an MD5 hash corresponding to a, so the built-in user cannot log in normally.
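To make the difference between the loginFromDB comparison and a proper password check concrete, here is an added example (not Smartbi's code) that models a credential store holding MD5 digests, as the page describes; the user "builtin", its secret, and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed credential store: the DB holds the MD5 digest of each user's
# password (hypothetical sample; a real store should use a salted, slow hash).
USERS = {"builtin": hashlib.md5(b"constructed-secret").hexdigest()}


def login_from_db_vulnerable(username: str, supplied: str) -> bool:
    """Mirrors the flaw described for loginFromDB: the value supplied by the
    client is compared directly with the stored value, so the stored digest
    itself is accepted as a credential (pass-the-hash)."""
    stored = USERS.get(username)
    return stored is not None and supplied == stored


def login_hardened(username: str, supplied_password: str) -> bool:
    """Hashes the client's plaintext before comparing, so only the real
    password is accepted, and uses a constant-time comparison."""
    stored = USERS.get(username)
    digest = hashlib.md5(supplied_password.encode("utf-8")).hexdigest()
    if stored is None:
        # Unknown user: the digest was still computed above so the timing
        # does not reveal whether the account exists.
        return False
    return hmac.compare_digest(digest, stored)


def demo() -> dict:
    """Returns which inputs each check accepts for the constructed user."""
    stored_digest = USERS["builtin"]
    return {
        "vulnerable_accepts_digest": login_from_db_vulnerable("builtin", stored_digest),
        "vulnerable_accepts_password": login_from_db_vulnerable("builtin", "constructed-secret"),
        "hardened_accepts_digest": login_hardened("builtin", stored_digest),
        "hardened_accepts_password": login_hardened("builtin", "constructed-secret"),
    }
```

The vulnerable check accepts the stored digest and rejects the actual password, which is exactly the behaviour that lets a built-in account log in with its MD5 value; the hardened check inverts that.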
Bug fixes
http://192.168.222.133:18080/smartbi/vision/sysmonitor.jsp
The same POC no longer works; let's look at the content of the fixed code.