New Exploit Module for CVE-2022-40471: Clinic's Patient Management System 1.0 - Unauthenticated RCE #19733
Conversation
Hi, can you tell me what's the issue with the check? The module works perfectly in my Kali Linux environment.

Hi aaryan-11-x, there was some issue with a different PR that got merged, which caused tests to fail. You created your branch from the version where the merged changes cause checks to fail. You can close this PR, check out from upstream again and submit a new PR, or you can keep this one and we will merge changes later on. Otherwise, your PR is in review right now.

Ok. I'll continue with this PR only.
Release Notes
New exploit module for Clinic's Patient Management System 1.0, also dubbed CVE-2022-40471. The module exploits an unrestricted file upload, which can be further used to get remote code execution (RCE) through a malicious PHP file.

This pull request introduces an exploit module for Metasploit that targets an unauthenticated Remote Code Execution (RCE) vulnerability in Clinic's Patient Management System (CPMS) version 1.0. The vulnerability is due to improper file validation in the system's file upload feature, allowing an attacker to upload arbitrary PHP files, such as a PHP web shell, which can then be executed remotely. The attack is facilitated by the presence of a directory listing feature in /pms/user_images, where the uploaded PHP file can be accessed via a publicly accessible URL.

CVE-2022-40471
EDB-ID: 51779
Vulnerable Application:
Clinic's Patient Management System 1.0 is vulnerable to this issue, which allows attackers to upload a PHP shell to the server and execute arbitrary PHP code. This is caused by misconfiguration in the file upload functionality, which does not properly validate uploaded files.
The application can be downloaded from here
Verification Steps:
Start msfconsole and load the new exploit module:

Example Scenarios:
Linux Target:
Windows Target:
Options:
TARGETURI: (Required) The base path to the Clinic Patient Management System (default: /pms).
LISTING_DELAY: (Optional) The delay before fetching the directory listing after uploading the shell (default: 2 seconds).

This exploit was tested successfully on both Linux and Windows environments, providing a fully functional RCE attack vector against the vulnerable CPMS version 1.0.