Add finereport-sqli-file-upload.yaml

[adeljck]

Template / PR Information

FineReport-sqli-file-upload

• References:
  • https://www.finereport.com/product/history
  • https://y4tacker.github.io/2024/07/23/year/2024/7/%E6%9F%90%E8%BD%AFReport%E9%AB%98%E7%89%88%E6%9C%AC%E4%B8%AD%E5%88%A9%E7%94%A8%E7%9A%84%E4%B8%80%E4%BA%9B%E7%BB%86%E8%8A%82/

Template Validation

I've validated this template locally?

• ✅ YES
• NO

Additional Details (leave it blank if not applicable)

fofa-query: app="帆软-FineReport"

Additional References:

[DhiyaneshGeek]

Hi @adeljck

Is it possible share some reference link to this POC ?

Thanks

[adeljck]

add a link about this vuln
check pls
thanks

[DhiyaneshGeek]

Hi @adeljck

This looks like a authenticated template, by seeing the cookie headers in the request

can you update the template accordingly

Join our discord server and send a DM (#geekfreak) my username

Thanks

[adeljck]

first request with 302 not means it's need a auth
if the sql we filled in run success,the respones header will heave a Loacation field,with "n=true"

how many sql you fill in,how many "true" you will see in Location field

[DhiyaneshGeek]

Hi @adeljck

GET /webroot/scripts/js/{{filename}}.jsp 

With the second request the file will be accessible ?

will there be any content to match in the second response body , it will help full if you can share the debug data

Thanks

[adeljck]

yes,because it looks like a mysql write file vuln or redis unauth file write vuln ,an abnormal jsp file will generate in specific directory. when you access it ,it will return 500,but file is created.
if system deploy in a linux ,you can use this to write a cron to reserve a shell.
it also can write a webshell,but i still reasearch it now.

file content


because use sqlite library,and do not check paramater t and n,so attacker can execute sql to write a file to a specific location

[DhiyaneshGeek]

Hi @adeljck

i have found a valid non-intrusive endpoint, where we can confirm the rce vulnerability

Let me know if this changes works

Thanks

[adeljck]

The jsp file names are randomized and the files are written in a static resource directory. A normally running site will not store jsp files inside this directory

[DhiyaneshGeek]

Hi @adeljck

Mostly we try to find a non-intrusive way of template

Does the above changes works at your end ?

Hello @adeljck , thank you so much for sharing this template with the community and contributing to this project 🍻

You can grab some cool PD stickers over here http://nux.gg/stickers 😄

[adeljck]

I'll make some changes. Wait a minute.

[DhiyaneshGeek]

Hi @adeljck , hope it's not file upload again 👀

[adeljck]

Fix it to non-intrusive way

[DhiyaneshGeek]

Hi @adeljck

the SSTI payload was easy to understand to the user which i added earlier

i'm marking this on hold for my Team Members to Review Further cc @princechaddha

Thanks for sharing the details

[adeljck]

it's still on hold,is there still have any question with this file?

[DhiyaneshGeek]

Hi @adeljck

we are sticking with the non intrusive payload the SSTI method

i'm reverting back the changes

Let me know if you have any queries