Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

Zhiyuan OA Session Leak

By kannthu

Vidoc logoVidoc Module

What is the "Zhiyuan OA Session Leak?" module?

The "Zhiyuan OA Session Leak" module is a vulnerability detection module that targets the Zhiyuan OA software. It is designed to identify a specific vulnerability that allows remote unauthenticated users to access sensitive session information through the 'getSessionList.jsp' endpoint. This vulnerability has a medium severity level.

This module was authored by pikpikcu.


If exploited, this vulnerability can expose sensitive session information to unauthorized users. This can potentially lead to unauthorized access to the system and compromise the confidentiality and integrity of the data.

How does the module work?

The module works by sending an HTTP GET request to the '/yyoa/ext/https/getSessionList.jsp?cmd=getAll' endpoint. It then applies matching conditions to determine if the vulnerability is present.

The matching conditions for this module are as follows:

- The response must contain the words "<usrID>" and "<sessionID>". - The response status code must be 200.

If both conditions are met, the module will report the vulnerability.

Here is an example of the HTTP request sent by the module:

GET /yyoa/ext/https/getSessionList.jsp?cmd=getAll

For more information, you can refer to the following resource:


- max-request: 1

Module preview

Concurrent Requests (1)
1. HTTP Request template
Matching conditions
word: <usrID>, <sessionID>and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability