Zentao Pro 8.8.2 RCE

Understanding the application

Searching for sensitive functions (passthru)
Searching for sensitive functions (exec)

Trying out different attack vectors

SQL Query Investigation

Spaced out suspicious statements.
Zentaopro\module\report\ext\config\crystal.php shows there is an SQL blacklist
ajaxCheckVar is used in these instances.
Investigating the inlink function
The evils array

File Upload Investigation

The file is stored on the database.

Investigating the cronjob

The POST request’s body.
The related code.
Remote code execution on the cronjob section of the application

Investigating the sensitive functions

The original RCE exploit.

Summary

Thanks for reading

--

--

--

Blogging

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Charles Web Debugging Proxy: How to use it and what is it for.

Code Coverage with OpenClover for Java code in CI/CD

How to create an NFT collection with pure Python

Connect I2C 1602 LCD to Raspberry Pi Pico (RP2040)

Thank you for 10,000 Discord members

Variadic Template C++: Implementing Unsophisticated Tuple

DataStax’s Snowflake Sink Connector for Apache Pulsar

Understanding Great Expectations and How to Use It

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Adam C

Adam C

Blogging

More from Medium

DevOps- Get Started with Shell Scripting

Develop your own VPN protocol: Introduction with baby-steps

AWS Lambda Command Injection

INTRO — AWS CLOUD PENETRATION TEST