Zentao Pro 8.8.2 RCE

Understanding the application

Searching for sensitive functions (passthru)
Searching for sensitive functions (exec)

Trying out different attack vectors

SQL Query Investigation

Spaced out suspicious statements.
Zentaopro\module\report\ext\config\crystal.php shows there is an SQL blacklist
ajaxCheckVar is used in these instances.
Investigating the inlink function
The evils array

File Upload Investigation

The file is stored on the database.

Investigating the cronjob

The POST request’s body.
The related code.
Remote code execution on the cronjob section of the application

Investigating the sensitive functions

The original RCE exploit.

Summary

Thanks for reading

Adam C