IMCAFS


Posted by santillano at 2020-04-09

When Brother Dou was at a loss for something to write, a young lady who works in project management had a bright idea. Her project management software, ZenTao, caught my attention. To close the distance between us, Brother Dou put ZenTao through a thorough test, and this issue shares the reproduction process of an arbitrary file upload vulnerability in the backend of this management system.

Environment setup:

Step 1: prepare the base environment: Ubuntu 14.04;

Step 2: download the ZenTao 6.2 source code from the Internet;

Step 3: extract the downloaded source into the directory /var/www/html;

Step 4: visit http://ip/zentaopms/www/index.php in a browser; the system redirects to the installer automatically. Complete the installation of the site.

Vulnerability reproduction:

2. Log in to the system and browse each module roughly. Under Backend -> Extension -> Editor & API -> Backend Management -> model -> New method, a file with the .php suffix can be uploaded directly.

3. Start Burp, configure it as the browser's proxy, intercept the request that saves the page's data, and analyze it. The normal save flow is as follows:

(1) With Burp interception on, edit the page data and click Save.

(2) Right-click the intercepted packet and send it to Repeater.

(3) In Repeater, click Go; the response comes back normally.

(4) Visit the resulting link.

Analysis:

1. First browse each module of the system to find usable upload points; then perform a normal upload and check whether the response returns the path of the uploaded file; finally check whether that file path can be accessed. From the access flow above we can see that this upload point is usable.

Key parameters:

filePath=L3Zhci93d3cvaHRtbC96ZW50YW9wbXMvbW9kdWxlL2FkbWluL21vZGVsLnBocA==

fileContent=%3C%3Fphp%0D%0A

fileName=test.php

The file path (filePath) is Base64 encoded, the file content (fileContent) is URL encoded, and fileName is the name of the file we uploaded.

Decoded, the parameters we just uploaded are as follows:

filePath= /var/www/html/zentaopms/module/admin/ext/model/test.php

fileContent= <?php

fileName=test.php
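The decoding described above, together with the containment check a save handler should apply before it writes anything, as an added Python example (not code from the post or from ZenTao itself). It assumes the deployment in the post (the tree under /var/www/html/zentaopms) and that the editor writes the new extension file to <module>/ext/model/<fileName> beside the model named by filePath, which is consistent with the decoded path the post reports; the request body is constructed from the three parameters shown, with a bare opening tag as content.

```python
import base64
import posixpath
import re
from urllib.parse import parse_qs

# Deployment facts from the post: the source tree was unpacked under the web root.
APP_ROOT = "/var/www/html/zentaopms"
FILENAME_RE = re.compile(r"[A-Za-z0-9_]+\.php")

# Constructed request body in the layout the post shows (parameter names and
# encodings are the post's; the fileContent is only an opening tag, not a shell).
CAPTURED_BODY = (
    "filePath=L3Zhci93d3cvaHRtbC96ZW50YW9wbXMvbW9kdWxlL2FkbWluL21vZGVsLnBocA=="
    "&fileContent=%3C%3Fphp%0D%0A"
    "&fileName=test.php"
)


def decode_save_request(body: str) -> dict:
    """Undo the two encodings the post describes: Base64 on filePath and
    URL encoding on fileContent (parse_qs already URL-decodes the values)."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {
        "filePath": base64.b64decode(params["filePath"]).decode("utf-8"),
        "fileContent": params["fileContent"],
        "fileName": params["fileName"],
    }


def resolve_target(decoded: dict) -> str:
    """Path the editor ends up writing. Assumption for this example: the file
    lands next to the model being extended, in <module>/ext/model/<fileName>,
    which matches the decoded path the post reports."""
    module_dir = posixpath.dirname(decoded["filePath"])
    return posixpath.normpath(
        posixpath.join(module_dir, "ext", "model", decoded["fileName"])
    )


def validate_save(decoded: dict, app_root: str = APP_ROOT) -> list:
    """Server-side containment check the save handler should enforce: a plain
    <word>.php name and a target of exactly module/<mod>/ext/model/<name>."""
    problems = []
    name = decoded["fileName"]
    if not FILENAME_RE.fullmatch(name):
        problems.append("fileName must be a single <word>.php segment, got %r" % name)
    target = resolve_target(decoded)
    rel = posixpath.relpath(target, app_root)
    parts = rel.split("/")
    module = parts[1] if len(parts) > 1 else ""
    expected = ["module", module, "ext", "model", name]
    if parts[0] == ".." or len(parts) != 5 or parts != expected:
        problems.append("target %s is outside module/<mod>/ext/model/" % target)
    return problems


def web_reachable(target: str, document_root: str) -> bool:
    """True when the written file can be fetched directly by URL, i.e. the
    document root covers the module tree instead of only zentaopms/www."""
    rel = posixpath.relpath(target, document_root)
    return not rel.startswith("..")


if __name__ == "__main__":
    decoded = decode_save_request(CAPTURED_BODY)
    target = resolve_target(decoded)
    print("filePath   :", decoded["filePath"])
    print("fileContent:", repr(decoded["fileContent"]))
    print("target     :", target)
    print("problems   :", validate_save(decoded) or "none")
    # The post's setup serves everything under /var/www/html, so the file is reachable.
    print("reachable with DocumentRoot /var/www/html:", web_reachable(target, "/var/www/html"))
    print("reachable with DocumentRoot zentaopms/www :",
          web_reachable(target, "/var/www/html/zentaopms/www"))
```

For the post's request the target resolves into the module's ext/model directory and passes the structural check, which is the real lesson: this editor writes PHP by design, so the controls are restricting who can reach it, logging every save, and, for the "visit the link" step, a document root that covers only zentaopms/www so that web_reachable() is False even after a file has been written.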

2. Upload a webshell to gain control of the server.

Fill in the data again; this time write a one-line webshell (a "one-sentence Trojan") and change the file name to yijuhua.php.

3. Connect to the one-line webshell with the China Chopper (Cai Dao) client.

Password: v
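A log-side check for the last two steps (the direct visit to the saved file and the shell client's requests), as an added Python example that is not from the post. It assumes Apache combined-format access logs and the post's deployment, in which the whole zentaopms tree rather than only zentaopms/www is served; the log lines are constructed, the /zentaopms/ prefix comes from the post's URL, and the module/admin/ext/model paths are those the post shows.

```python
import re
from urllib.parse import urlsplit

# Constructed Apache combined-format access log lines mirroring the post's
# deployment (the whole zentaopms tree under /var/www/html) and its final steps:
# a direct GET of the uploaded test.php, then a POST to the yijuhua.php shell.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Apr/2020:10:15:01 +0800] "GET /zentaopms/www/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2020:10:15:04 +0800] "POST /zentaopms/www/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2020:10:15:09 +0800] "GET /zentaopms/module/admin/ext/model/test.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2020:10:16:30 +0800] "POST /zentaopms/module/admin/ext/model/yijuhua.php HTTP/1.1" 200 254 "-" "Mozilla/4.0"
10.0.0.7 - - [09/Apr/2020:10:17:02 +0800] "GET /zentaopms/module/admin/model.php HTTP/1.1" 200 0 "-" "curl/7.58.0"
10.0.0.7 - - [09/Apr/2020:10:17:10 +0800] "GET /zentaopms/module/admin/ext/model/nothere.php HTTP/1.1" 404 196 "-" "curl/7.58.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

APP_PREFIX = "/zentaopms/"          # from the URL in the post
PUBLIC_PREFIX = "/zentaopms/www/"   # the only directory meant to be served
EXT_DIR_RE = re.compile(r"^/zentaopms/module/[^/]+/ext/")


def parse_line(line: str):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = urlsplit(entry.pop("target")).path   # drop any query string
    entry["status"] = int(entry["status"])
    return entry


def audit_log(text: str) -> list:
    """Flag every request into the application tree that bypasses www/:
    such a request is only possible when the document root is too wide."""
    findings = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None or not e["path"].startswith(APP_PREFIX):
            continue
        if e["path"].startswith(PUBLIC_PREFIX):
            continue                      # normal traffic through www/index.php
        reasons = ["outside-public-root"]
        if EXT_DIR_RE.match(e["path"]):
            reasons.append("extension-dir-requested-directly")
        if e["method"] == "POST":
            reasons.append("post-to-static-path")   # shape of a shell client talking to its upload
        findings.append({
            "ip": e["ip"], "method": e["method"], "path": e["path"],
            "status": e["status"], "served": e["status"] < 400, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        served = "served" if f["served"] else "not served"
        print(f"{f['ip']} {f['method']} {f['path']} {f['status']} ({served}): "
              + ", ".join(f["reasons"]))
```

Any served request under /zentaopms/ that does not go through /zentaopms/www/ is a misconfiguration indicator on its own, and a POST to a file inside an ext/ directory is the pattern of a webshell client. The fix for the underlying exposure is a document root that points at zentaopms/www (the installer URL in the setup steps shows index.php living there); after that change these paths cannot be fetched at all, and the 404 entries become the only trace of such attempts.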

Conclusion:

This system has many high-risk vulnerabilities. This issue covered the arbitrary file upload; the next issue will bring the analysis and reproduction of a SQL injection vulnerability in the backend. Be sure to keep up!