Zentao Pro 8.8.2 RCE

Understanding the application

  • What is Zentao Pro used for?
  • What technologies are used in the application?
  • What features are there?
  • Are there any sensitive functions in the application?
Searching for sensitive functions (passthru)
Searching for sensitive functions (exec)

Trying out different attack vectors

  • Investigate how the SQL Query works. (SQL Injection?)
  • Investigate how the file upload functionality works. (Insecure file upload / Directory traversal?)
  • Investigate the cronjob section (RCE?). Here I explain how to work forward from the view to find the vulnerable code in the back-end.
  • Investigate the sensitive functions found in the previous round. (This is working backwards from a sensitive function to a reachable starting point.)
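The "search for sensitive functions" step (the passthru and exec greps above, and the backwards investigation in the last bullet) is easy to automate. The script below is an added example, not code from this write-up or from ZenTao: it sweeps a PHP tree for calls to dangerous builtins and, because a plain grep for exec in a PHP code base also matches methods that merely happen to be named exec (a database access object's exec(), for instance), it drops method calls, function definitions and commented-out lines so that only real calls to the PHP builtins remain. The SINKS list, the miniature source tree in make_sample and its class and file names are constructed for illustration and are not the ZenTao Pro code.

```shell
#!/bin/sh
# Added example: sink sweep for a PHP code review.
# SINKS is a starting list of PHP builtins worth tracing backwards from;
# extend it for the code base under review.
SINKS='passthru|exec|system|shell_exec|popen|proc_open|pcntl_exec|eval|assert|call_user_func|call_user_func_array|create_function|include|include_once|require|require_once|unserialize|file_put_contents|move_uploaded_file'

# A sink must be a bare call: not preceded by an identifier character,
# '$' (variable function), '>' (method call) or ':' (static call).
PAT='(^|[^A-Za-z0-9_$>:])('"$SINKS"')[[:space:]]*\('

# find_sinks DIR -> "file:line:code" for every call to a listed sink
find_sinks() {
    find "$1" -name '*.php' -exec grep -nHE "$PAT" {} + \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*(//|#|\*)' \
        | grep -vE 'function[[:space:]]+('"$SINKS"')[[:space:]]*\('
}

# count_sinks DIR -> number of hits (always exits 0, so it is safe under set -e)
count_sinks() {
    find_sinks "$1" | wc -l | tr -d ' '
}

# make_sample -> path of a constructed three-file tree used for the demo
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/module/cron" "$dir/module/report" "$dir/framework"
    cat > "$dir/module/cron/model.php" <<'EOF'
<?php
class cronModel
{
    public function runScript($cmd)
    {
        // constructed sample: a shell sink fed directly by a parameter
        passthru($cmd);
    }
}
EOF
    cat > "$dir/framework/dao.php" <<'EOF'
<?php
class dao
{
    public function exec()          // a method named exec, not the builtin
    {
        return $this->dbh->exec($this->processSQL());
    }
}
EOF
    cat > "$dir/module/report/control.php" <<'EOF'
<?php
class report
{
    public function ajaxQuery($sql, $dir)
    {
        // exec("id");   commented-out call, should be ignored
        $rows = $this->dao->query($sql)->fetchAll();
        system('ls ' . escapeshellarg($dir));
    }
}
EOF
    echo "$dir"
}

# Usage: sh find_sinks.sh /path/to/zentaopro
# Without an argument the sweep runs over the constructed sample tree.
target=${1:-$(make_sample)}
find_sinks "$target"
```

On the constructed tree the sweep reports only the passthru() in cron/model.php and the system() in report/control.php; the dao::exec() definition, the $this->dbh->exec() method call and the commented-out exec("id") are all filtered out. Each remaining hit is a starting point for the backwards trace: find the caller, then the controller action and request parameter that reach it.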

SQL Query Investigation

Spaced out suspicious statements.
Zentaopro\module\report\ext\config\crystal.php shows that there is an SQL blacklist.
  • The first function is in a JS file that runs when the query button is clicked.
  • The second function is the view, which then calls the controller.
  • The third file just declares some default values.
ajaxCheckVar is used in these places.
Investigating the inlink function
The evils array

File Upload Investigation

The uploaded file is stored in the database.

Investigating the cronjob

The POST request’s body.
The related code.
Remote code execution on the cronjob section of the application

Investigating the sensitive functions

The original RCE exploit.

Summary

  • Be aware of potential rabbit holes. If the cycle's goal is achieved, reset and write down everything you've learned. Then, when venturing down different rabbit holes, you will be more refreshed and will waste less time. For example, I could have spent a lot more time understanding how the SQL query spaces everything out. However, once I understood there was little to be gained, I decided to do it later.
  • Look EVERYTHING up. During this review there were some bits I did not know, such as the application's "dao" (data access object) class. Looking them up enabled me to understand the application a lot better when reading the code. Anything that pings some sort of curiosity should be investigated.
  • There are multiple ways of finding relevant code. You can start from browsing the code or start from finding variables in the application's requests. In some cases I worked from both ends to meet in the middle and fully understand the flow of the application.
  • Learning the habits of the developer really helped me find the blacklisted SQL functions quickly.

Thanks for reading
