Version: 11.5.3
Continuing from the previous post, where Arthas was used to locate routes quickly: all Controllers have now been found, 1292 in total. For this project a route consists of three parts:
- Tomcat's context path, here webroot (when the product is embedded in other systems as a third-party component this may differ);
- com.fr.base.ServerConfig#servletName, here Holders.simple("decision");
- the Controller path set in @RequestMapping.
The actual authorization is implemented by an Aspect. Reading through the Controllers one by one is too slow, so the routes obtained earlier were fuzzed directly, focusing on routes that can be reached without authentication (there is no shortage of authenticated RCEs on hand). After a preliminary pass the following routes were identified:
/login/config
/logout/cross/domain
/login
/login/image/base64/{attachId}
/login/slider/info
/login/password/strategy
/v10/cluster/file/cache/refresh
/v10/cluster/file/sync
/v10/encryption/status
/v10/encryption/page
/v10/encryption/seed/status
/v10/migration/status
/v10/migration/page
/v10/migration/check
/v10/migration/dialect
/v10/mobile/global/config
/v10/mobile/app/upgrade/config
/v10/mobile/productPlan
/v10/mobile/launch/image
/v10/mobile/launch/{device}
/v10/mobile/custom/login
/v10/mobile/bi/component/height
/v10/register/remove
/system/health
/system/health
/system/info
/system/info
/view/fit/form/design/config
/view/fit/form/email/send
/view/fit/form/session/close
/view/fit/form/widget/view/value
/view/fit/form/load/content
/view/fit/form/pre/execute/elements
/view/fit/form/dynamic/para/submit
/view/fit/form/attach/download
/view/fit/form/tab/sequence/execute
/view/fit/form/batch/load/content
/view/fit/form/para/config
/view/fit/form/attach/release
/view/fit/form/recalculate/element/title
/view/fit/form/params/save
/view/fit/form/check/occupancy
/view/fit/form/params/query
/view/fit/form/export
/view/fit/form/attachment/upload
/view/fit/form/export
/view/fit/form/fit/config
/view/fit/form/widget/interact
/view/fit/form/attach/image
/view/fit/form/remote/evaluate
/view/fit/form/widget/data
/view/fit/form/toolbar/image
/view/fit/form/tab/execute
/view/fit/form/tab/interact
/view/fit/form/edit/heartbeat
/view/fit/form/save
/view/fit/form/db/commit
/view/fit/form/para/submit
/view/fit/form/chart/calculate/hyperlink
/view/fit/form/chart/pop
/view/fit/form/chart/data
/view/fit/form/chart/write/html
/view/chart/relate/date
/view/chart/write/html
/view/report/dbCommit
/report/email/send
/view/form/widget/interact
/view/form/pre/execute/elements
/view/form/recalculate/element/title
/view/report/v10/page/num
/view/report/v10/page/conf
/view/report/v10/page/data
/preview/info/collect
/view/widget/v10/data
/nx/report/v10/export
/nx/report/v10/consume
/nx/report/v10/session/close
/nx/report/v10/widget/view/value
/nx/report/v10/params/save
/nx/report/v10/params/query
/nx/report/v10/print/paper/setting
/nx/report/v10/print/paper/setting
/nx/report/v10/largedataset/export/excel
/nx/report/v10/email/contacts
/nx/report/v9/para/submit
/nx/report/v9/largedataset/export/excel
/nx/report/v9/params/query
/nx/report/v9/largedataset/check
/nx/report/v9/print/paper/setting
/nx/report/v9/email/contacts
/nx/report/v9/params/save
/nx/report/v10/remote/evaluate
/nx/report/v10/chart/pop
/nx/report/v10/chart/data
/nx/report/v10/para/submit
/nx/report/v10/page/num
/nx/report/v10/page/count
/nx/report/v10/widget/interact
/nx/report/v10/print/pdf
/nx/report/v10/print/preview
/nx/report/v10/attach/image
/nx/report/v10/email/send
/nx/result
/nx/details
/nx/execute
/nx/report/v10/page/data
/nx/report/v10/largedataset/check
/nx/report/v10/print/ie/pdf
/nx/list
/nx/cache
/nx/performance
/nx/report/v10/page/config
/nx/report/v10/page/config
/nx/report/v9/page/data
/nx/report/v9/page/num
/nx/report/v9/page/config
/nx/report/v9/page/config
/nx/report/v10/widget/data
/nx/report/v10/email/sender
/nx/report/v9/widget/data
/nx/report/v10/direct/export
/nx/report/v9/widget/interact
/nx/report/v9/widget/view/value
/nx/report/v9/print/ie/pdf
/nx/report/v9/email/send
/nx/report/v9/email/sender
/nx/report/v9/consume
/nx/report/v9/print/pdf
/nx/report/v9/db/commit
/nx/report/v10/db/commit
/nx/report/v9/chart/data
/nx/report/v9/export
/nx/report/v9/session/close
/nx/report/v9/attach/image
/nx/report/v9/remote/evaluate
/report/check/frontEndException
/export/check/font
/remote/design/check
/remote/design/version
/remote/design/version
/remote/design/vt
/remote/design/vt
/remote/design/branch
/remote/design/branch
/remote/design/record
/remote/design/record
/remote/design/verify
/remote/design/main/version
/remote/design/main/version
/esd/last/updated
/esd/caches/{sessionID}
/esd/session/update
/data/portal/view/fit/form/para/submit
/data/portal/template/report/config/{entryId}/{widgetName} || /data/portal/template/report/config/{entryId}
/url/mobile/plugin/emb
/url/mobile
/url/mobile/light
/url/mobile/packagedApp
/url/mobile/packagedApp/preview
/view/duchamp/fit/form/chart/data
/view/duchamp/fit/form/chart/data
/view/duchamp/fit/form/attach/image
/view/duchamp/resource/extra/font
/view/duchamp/fit/form/chart/calculate/hyperlink
/view/duchamp/fit/form/chart/calculate/hyperlink
/view/duchamp/resource
/view/duchamp/resource/locale
/view/duchamp/resource/video
/view/duchamp/resource/font
/view/duchamp/resource/preview
/view/duchamp/offScreen/clear
/view/duchamp/offScreen/remote/html
/view/duchamp/offScreen/isRemoteJoin
/view/duchamp/offScreen/getAnswer
/view/duchamp/offScreen/getAnswer
/view/duchamp/offScreen/getOffer
/view/duchamp/offScreen/getOffer
/view/duchamp/offScreen/saveMessage/{messageType}
/view/duchamp/offScreen/signalingParameters
/view/duchamp/offScreen/getRemoteIceCandidate
/view/duchamp/offScreen/getRemoteIceCandidate
/view/duchamp/offScreen/getLocalIceCandidate
/view/duchamp/offScreen/getLocalIceCandidate
/view/duchamp/offScreen/joinRoom
/detect/enable
/detect/resource
/ops/client/cluster/node
/ops/client/cluster/url
/ops/client/cluster/status
/ops/client/info/sync
/ops/client/info/cluster
/ops/client/info/cluster
/ops/client/info/file
/ops/client/info/file/upload
/ops/client/operation/downtime/change/port
/metrics/schedule
/metrics/once
/ops/client/config/visual
/ops/client/config/visual
/ops/client/config/visual/hidden
/ops/client/inspection/trigger
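The three-part route composition described above (context path, servletName, @RequestMapping path) is easy to get wrong when turning an Arthas Controller dump into a list that can be reviewed against the auth Aspect or matched against access logs. The following Python is an added example written for this post; it is not FineReport's code or Arthas output. It assumes the "webroot" and "decision" values given above, a constructed subset of the listed routes, and Spring-style {var} templates where each variable matches exactly one path segment. It assembles full paths, strips them back to mapping paths, splits "||" alternatives, deduplicates, matches a request path to its template, and groups routes by first segment for review.

```python
import re
from collections import defaultdict

# Route components as given on the page for this deployment
CONTEXT_PATH = "webroot"     # Tomcat context path
SERVLET_NAME = "decision"    # com.fr.base.ServerConfig#servletName -> Holders.simple("decision")

# Constructed sample: a handful of the @RequestMapping paths listed above,
# including a duplicate and an entry with two alternative paths ("||")
SAMPLE_ROUTES = [
    "/login",
    "/login/image/base64/{attachId}",
    "/system/health",
    "/system/health",
    "/esd/caches/{sessionID}",
    "/data/portal/template/report/config/{entryId}/{widgetName} || /data/portal/template/report/config/{entryId}",
    "/v10/mobile/launch/{device}",
]


def full_path(mapping, context=CONTEXT_PATH, servlet=SERVLET_NAME):
    """Assemble the externally visible URL path: /<context>/<servlet>/<mapping>."""
    parts = [p.strip("/") for p in (context, servlet, mapping)]
    return "/" + "/".join(p for p in parts if p)


def to_mapping(request_path, context=CONTEXT_PATH, servlet=SERVLET_NAME):
    """Inverse of full_path: strip context and servlet from a request path.
    Returns None when the path does not belong to this servlet."""
    prefix = "/" + context.strip("/") + "/" + servlet.strip("/")
    if request_path == prefix:
        return "/"
    if not request_path.startswith(prefix + "/"):
        return None
    return request_path[len(prefix):]


def expand_routes(routes):
    """Split '||' alternatives and drop duplicates while keeping first-seen order."""
    seen, out = set(), []
    for entry in routes:
        for alt in entry.split("||"):
            alt = alt.strip()
            if alt and alt not in seen:
                seen.add(alt)
                out.append(alt)
    return out


def route_regex(mapping):
    """Compile a Spring-style template: each {var} matches exactly one path segment."""
    pieces = re.split(r"\{(\w+)\}", mapping)   # literal, var, literal, var, ...
    pattern = ""
    for i, piece in enumerate(pieces):
        pattern += re.escape(piece) if i % 2 == 0 else "(?P<%s>[^/]+)" % piece
    return re.compile("^" + pattern + "$")


def match_route(mapping_path, routes):
    """Return (template, path variables) for the first template matching mapping_path, else None."""
    for template in routes:
        m = route_regex(template).match(mapping_path)
        if m:
            return template, m.groupdict()
    return None


def group_by_prefix(routes):
    """Group routes by first segment so each area can be reviewed against the auth Aspect."""
    groups = defaultdict(list)
    for r in routes:
        groups[r.strip("/").split("/")[0]].append(r)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    routes = expand_routes(SAMPLE_ROUTES)
    for r in routes:
        print(full_path(r))
    print(match_route(to_mapping("/webroot/decision/esd/caches/abc123"), routes))
```

Duplicated entries in the list above (for example /system/health appearing twice) usually come from separate handler methods that differ only in HTTP method, which the path alone cannot distinguish; when reviewing Aspect coverage, keep the method information from the Controller dump alongside the path rather than relying on this deduplication.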
The token is in fact signed with a hardcoded key, but the authorization point checks the token's jti against server-side login state, so it cannot be forged. At this point there is essentially nothing exploitable left in the unauthenticated surface of the refactored FineReport version; later posts will analyze the pre-refactor version and some interesting authenticated RCEs.
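The reason a hardcoded signing key alone does not yield a usable token is the login-state check on jti described above. The following Python is an added model of that check, not FineReport's implementation: it assumes an HS256 JWT-style token and an in-memory registry of jti values issued by real logins. A token whose signature verifies but whose jti was never issued (or was revoked by logout) is rejected, which is exactly the property the text relies on.

```python
import base64
import hashlib
import hmac
import json
import uuid


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(secret, claims):
    """Mint an HS256 JWT-style token from a dict of claims (model, not FineReport's code)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def token_claims(token):
    """Decode the claims of a token without verifying it (used only for registry lookups)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


class LoginStateRegistry:
    """Server-side record of jti values handed out by a real login.

    A valid signature proves only that the signing key was available; this
    registry ties a token to a session the server actually created."""

    def __init__(self):
        self._active = {}   # jti -> (username, expires_at)

    def register(self, jti, username, expires_at):
        self._active[jti] = (username, expires_at)

    def revoke(self, jti):
        self._active.pop(jti, None)

    def is_active(self, jti, username, now):
        entry = self._active.get(jti)
        return entry is not None and entry[0] == username and entry[1] > now


def login(secret, registry, username, now, ttl=3600):
    """Successful login: create a fresh jti, record it server-side, return the token."""
    jti = uuid.uuid4().hex
    registry.register(jti, username, now + ttl)
    return sign_token(secret, {"sub": username, "jti": jti, "exp": now + ttl})


def logout(token, registry):
    """Logout revokes the jti, so the token stops working before it expires."""
    registry.revoke(token_claims(token).get("jti"))


def authenticate(token, secret, registry, now):
    """Return the username if the token is signed, unexpired AND its jti is a live login; else None."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    # Login-state check: an unknown or revoked jti is rejected even though the
    # signature verifies, which is why a fixed signing key alone is not enough.
    if not registry.is_active(claims.get("jti"), claims.get("sub"), now):
        return None
    return claims["sub"]
```

In a real deployment the registry would be the session store or database the Aspect consults; the point of the model is that the check happens after signature verification and is keyed on jti plus subject, so rotating the hardcoded key is still worth doing but is not what prevents token fabrication here.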