Zentao Pro 8.8.2 RCE

Understanding the application

During the initial stages of the code review, it is critical to understand more about how the application works and what possible attack vectors there may be. The initial questions were:

Searching for sensitive functions (passthru)
Searching for sensitive functions (exec)

Trying out different attack vectors

The next cycles in my methodology focus more on investigating different use cases and finding out whether I can deviate from the expected behavior. To do this, it is critical to further my understanding of the finer details of the application. This is what was on my to-do list:

  • Investigate how the file upload functionality works. (Insecure file upload / Directory traversal?)
  • Investigate the cronjob section (RCE?). Here I explain how to work from the view to find the vulnerable code in the back-end.
  • Investigate the sensitive functions found in the previous round (this is working backwards from a sensitive function to a starting point).

SQL Query Investigation

To identify the area in the code for the SQL query functions, I interacted with the web application to attempt basic SQL injection queries. I found that some of them got spaced out. To understand how this happens, I had to look at the code.

Spaced out suspicious statements.
Zentaopro\module\report\ext\config\crystal.php shows there is an SQL blacklist.
  • The second function is the view which would then call the controller.
  • The third file just declares some default values.
ajaxCheckVar is used in these instances.
Investigating the inlink function
The evils array

File Upload Investigation

After investigating the SQL query section of the application, the to-do list / master list was updated accordingly. To investigate the file upload functionality, I used my previous knowledge of how the files are structured to find the relevant code.

The file is stored in the database.

Investigating the cronjob

The application allows for users to create cron jobs. To find the code related to this functionality, you can search through the directories or use the application and find it from there.

The POST request’s body.
The related code.
Remote code execution on the cronjob section of the application

Investigating the sensitive functions

Earlier in this review, we looked for any functions that can be used to perform remote code execution. One of the files found was \xampp\zentaopro\bin\php\crond.php. You can use this as a starting point to find the new RCE in the cronjob section of the application.

The original RCE exploit.
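As an added example (not code from the original post or from ZenTao), here is a small Python triage script in the spirit of the sink search above: it finds calls to the dangerous functions in a constructed PHP sample and ranks each call site by whether its command argument traces back to request data within the same file, which is the "working backwards from a sensitive function" step. The sample files, their paths and the taint heuristic are my own assumptions.

```python
import re

# Constructed sample standing in for files under the reviewed tree
# (paths and contents are illustrative assumptions, not ZenTao's code).
SAMPLE_PHP = {
    "module/cron/control.php": r"""<?php
class cron extends control {
    public function ajaxExec() {
        $cmd = $this->post->command;
        passthru($cmd);             // sink fed from request data
    }
    public function safe() {
        exec('ls /tmp', $out);      // sink with a constant command
    }
}
""",
    "bin/php/crond.php": r"""<?php
$line = fgets($fp);
system($line);                      // sink fed from a non-request variable
""",
}

SINKS = ("passthru", "exec", "system", "shell_exec", "popen", "proc_open")
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|\$this->(post|get|cookie)\b")
ASSIGN_RE = re.compile(r"\s*(\$\w+)\s*=\s*(.*);")
CALL_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(([^;]*)\)")
CONST_RE = re.compile(r"^('[^']*'|\"[^\"$]*\")$")
RANK = {"tainted": 0, "variable": 1, "constant": 2}

def classify(first_arg, tainted_vars):
    """Triage the command argument of a sink call (per-file heuristic)."""
    if SOURCE_RE.search(first_arg):
        return "tainted"
    if any(re.search(re.escape(v) + r"\b", first_arg) for v in tainted_vars):
        return "tainted"
    if CONST_RE.match(first_arg):
        return "constant"
    return "variable"

def find_sink_calls(files):
    """Return sink call sites, request-controlled ones first."""
    hits = []
    for path, src in files.items():
        tainted_vars = set()  # variables assigned from request data in this file
        for lineno, line in enumerate(src.splitlines(), 1):
            m = ASSIGN_RE.match(line)
            if m and SOURCE_RE.search(m.group(2)):
                tainted_vars.add(m.group(1))
            for call in CALL_RE.finditer(line):
                first_arg = call.group(2).split(",")[0].strip()
                hits.append({"file": path, "line": lineno, "sink": call.group(1),
                             "risk": classify(first_arg, tainted_vars)})
    return sorted(hits, key=lambda h: (RANK[h["risk"]], h["file"], h["line"]))

if __name__ == "__main__":
    for h in find_sink_calls(SAMPLE_PHP):
        print(f"{h['risk']:8} {h['file']}:{h['line']}  {h['sink']}()")
```

The heuristic only tracks assignments inside one file, so a "variable" result (like the line read in crond.php) still needs manual tracing to its real source.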

Summary

These are some key learning moments that helped me find my new RCE vulnerability:

  • Look EVERYTHING up. During this review, there were some bits I did not know, such as PHP’s “dao”. Looking them up enabled me to understand the application a lot better when reading the code. Anything that sparks some sort of curiosity should be investigated.
  • There are multiple ways of finding relevant code. You can start by browsing the code or by finding variables in the application’s requests. In some cases, I worked from both ends to meet in the middle and fully understand the flow of the application.
  • Learning the habits of the developer really helped me find the blacklisted SQL functions quickly.

Thanks for reading
