Skip to content

l3s10n/ZenTaoPMS_SqlInjection

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 

CVE-2022-47745

中文 : README_zh.md

ZenTao is the #1 Team Collaborative Tool for R&D teams in China with 1.4 Million Users. It has many users, such as Twitter, Lenovo, etc. Here is its official website: https://www.zentao.pm/ (English) and https://www.zentao.net/ (Chinese).

you can complete SQL injection by constructing a special request and sending it to function importNotice of controller convert. Since the SQL injection here is stack injection and can execute any SQL statement, you can directly getshell through the SQL statement in case of improper configuration.

By accessing misc-catcha-user.html, we can obtain a legal zentaosid, so we can complete the sql injection without logging in.

Version affected

16.4 <= versions <= 18.0.beta1

Already be fixed, you can refer to this issue: easysoft/zentaopms#106

Principle

Here is a section of source code of the function importNotice:

public function importNotice($method = 'db')
{
    if($this->server->request_method == 'POST')
    {
        if($method == 'db')
        {
            $dbName = $this->post->dbName;
            if(!$dbName)
            {
                $response['result']  = 'fail';
                $response['message'] = $this->lang->convert->jira->dbNameEmpty;
                return print($this->send($response));
            }

            if(!$this->convert->dbExists($dbName))
            {
                ...

}

We can use url /index.php?m=convert&f=importNotice&zentaosid=xxx to access this function, and zentaosid is part of the cookie of any logged-in user. Besides, $this->post->dbName is from data segment of our post request, which means we can control the value of $dbName.

And here is the source code of dbExists

public function dbExists($dbName = '')
{
    $sql = "SHOW DATABASES like '{$dbName}'";
    return $this->dbh->query($sql)->fetch();
}

Since we can control the value of dbName, we can set its value to '; <sql_statement> #.

Demonstrate

you can see it at Demonstrate.mp4 of this repository

exp

you can get it at exp.py of this repository

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages