0day-seeyonOA-zipslip(win)

Seeyon OA v8 handles zip decompression incorrectly. After obtaining ordinary user privileges, an attacker can gain access to the server through zipslip.

Route

image.png

Analysis

The vulnerability lies in the importProcess method of WorkFlowDesignerController.class. An attacker builds a multipart upload that carries a malicious zip file, and an entry whose name contains ../ writes a shell into the web directory.

  1. Get the input zip file

image.png

  2. Create the temporary file and directory

image.png
Write the input to tempZipFile
image.png

  3. Extract the zip file and write each entry to a file

image.png

CtpLocalFile newFile = new CtpLocalFile(savepath + entryName);

As this code shows, the entry name inside the archive is not checked during decompression, so files can be written outside the intended directory.

POC

image.png
image.png
image.png

posted @ 2024-03-08 16:59  _rainyday