0day-seeyonOA-zipslip(win)

seeyonOA v8 decompresses uploaded archives incorrectly. An attacker who has obtained ordinary user privileges can gain access to the server through zipslip.

Route

image.png

Analyse

The vulnerability lies in the importProcess method of WorkFlowDesignerController.class. An attacker constructs a multipart upload carrying a malicious zip file, and extraction writes a shell to the web directory via ../ in the entry names.

  1. Get the input zip file

image.png

  2. Create the temporary file and directory

image.png
Write the input to tempZipFile
image.png

  3. Extract the zip file and write each entry to a file

image.png

CtpLocalFile newFile = new CtpLocalFile(savepath + entryName);

As this code shows, the file name inside the archive is not checked during decompression, so files can be written across directories.

POC

image.png
image.png
image.png

Author: Rainy-Day

Source: https://www.cnblogs.com/Rainy-Day/p/18061399

License: This work is licensed under the Attribution-NonCommercial-ShareAlike 4.0 International license.
