/README.md:
--------------------------------------------------------------------------------
### 0x01 Vulnerability description

The ZenTao project management system contains an authentication bypass vulnerability. A remote attacker can use it to bypass authentication, call arbitrary API endpoints and change the administrator user's password, and then log in to the system as that administrator; chained with other vulnerabilities it can lead to a full takeover of the server.

### 0x02 Affected versions

16.0 <= ZenTao <= 18.11 (open source edition)
6.0 <= ZenTao <= 8.11 (enterprise edition)
3.0 <= ZenTao <= 4.11 (flagship edition)

### 0x03 Vulnerable environment

> Hunter query

```shell
app.name="ZenTao 禅道"
```

![image-20240428210208452](typora-img/README/image-20240428210208452.png)

### 0x04 Reproduction

First, requesting the endpoint shown below returns a Set-Cookie header.

![image-20240428210437571](typora-img/README/image-20240428210437571.png)

The cookie value obtained this way can then be used for other operations. For example, the endpoint below creates an administrator account; some of the responses carry status code 403, but that does not stop the account from being created.

![image-20240428210657969](typora-img/README/image-20240428210657969.png)

### 0x05 Remediation

ZenTao has officially released fixed versions, and affected users are advised to upgrade to a secure version as soon as possible. If upgrading is not possible, add `exit();` directly after `echo $endResponseException->getContent();` in `module/common/model.php` to close the authorization bypass.

### 0x06 Tool

Exploitation tool supporting single-target scans, batch scans and more.

![image-20240428211317424](typora-img/README/image-20240428211317424.png)

Can create open source, enterprise and flagship edition users.

![image-20240428211619867](typora-img/README/image-20240428211619867.png)

![image-20240428213649824](typora-img/README/image-20240428213649824.png)
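The following is an added example for the affected-version list (0x02) and the hotfix described in the remediation section (0x05); it is not part of the ZentaoExploitGUI repository or of ZenTao itself. It gives a defender two inventory-side checks: whether a given edition/version string falls inside the advisory's affected ranges, and whether the source text of `module/common/model.php` already has `exit();` after the `echo $endResponseException->getContent();` statement. The edition keys, the function names and the embedded PHP fragments are my own constructions; the fragments only imitate the one statement the advisory names and are not real ZenTao source.

```python
"""Added example: defender-side checks for the ZenTao authentication bypass.
Not part of the ZentaoExploitGUI repository; edition keys and function names are
assumptions made for this example."""
import re

# Inclusive affected ranges per edition, as listed in the advisory (major, minor).
AFFECTED_RANGES = {
    "open": ((16, 0), (18, 11)),        # open source edition
    "enterprise": ((6, 0), (8, 11)),    # enterprise edition
    "flagship": ((3, 0), (4, 11)),      # flagship edition
}


def parse_version(text):
    """Turn '18.11' or '4.11.1' into a tuple of ints so that 18.11 > 18.2 numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(edition, version):
    """True when edition/version lies inside the advisory's inclusive range.

    Only major.minor are compared, because the advisory bounds are given as
    major.minor; a patch component such as 4.11.1 is ignored."""
    if edition not in AFFECTED_RANGES:
        raise ValueError(f"unknown edition {edition!r}; expected one of {sorted(AFFECTED_RANGES)}")
    low, high = AFFECTED_RANGES[edition]
    v = parse_version(version)[:2]
    if len(v) == 1:
        v = (v[0], 0)
    return low <= v <= high


# The exact statement the advisory says must be followed by exit().
ECHO_STMT = "echo $endResponseException->getContent();"
# Accept exit(); or exit; with arbitrary whitespace/newlines between the two statements.
HOTFIX_PATTERN = re.compile(re.escape(ECHO_STMT) + r"\s*exit\s*(\(\s*\))?\s*;")


def hotfix_applied(source):
    """Inspect PHP source text of module/common/model.php for the advisory's hotfix.

    Returns True when exit() immediately follows the echo statement, False when the
    echo is present without it, and None when the echo statement is absent (other
    version or a differently patched file; review manually)."""
    if ECHO_STMT not in source:
        return None
    return HOTFIX_PATTERN.search(source) is not None


def assess(edition, version, model_php_source=None):
    """Combine both checks into a single verdict string for an inventory entry."""
    if not is_affected(edition, version):
        return "not in affected range"
    if model_php_source is None:
        return "affected version; upgrade or verify hotfix"
    fix = hotfix_applied(model_php_source)
    if fix is True:
        return "affected version, hotfix present"
    if fix is False:
        return "affected version, hotfix MISSING"
    return "affected version, echo statement not found; review manually"


# Constructed PHP fragments (not real ZenTao code): the unpatched statement on its
# own, and the same fragment with the advisory's exit(); added directly after it.
VULNERABLE_SNIPPET = """\
// constructed sample, not ZenTao source
catch (EndResponseException $endResponseException)
{
    echo $endResponseException->getContent();
}
"""
PATCHED_SNIPPET = VULNERABLE_SNIPPET.replace(ECHO_STMT, ECHO_STMT + "\n    exit();")


if __name__ == "__main__":
    inventory = [
        ("open", "18.11", VULNERABLE_SNIPPET),
        ("open", "18.11", PATCHED_SNIPPET),
        ("open", "18.12", None),
        ("enterprise", "7.3", None),
        ("flagship", "4.11.1", VULNERABLE_SNIPPET),
    ]
    for edition, version, src in inventory:
        print(f"{edition:<10} {version:<8} -> {assess(edition, version, src)}")
```

In practice `model_php_source` would be read from the deployed file on each host; the None return value is deliberate so that a file that no longer contains the advisory's statement is flagged for manual review rather than silently reported as fixed.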