[*] :: Title: Emantals – Hospital Management System with Website WebShell Upload [*] :: Author: QUIXSS [*] :: Date: 2019-04-23 [*] :: Software: Emantals – Hospital Management System with Website [?] :: Technical Details & Description: # Weak security measures like no restriction for .PHP5/.PHP7 file upload has been discovered in the «Emantals – Hospital Management System with Website». [?] :: Demo Website: # https://codecanyon.net/item/emantals-hospital-management-system-with-website/23110818 # Frontend: http://theme.meteros.agency/Emantals # Backend: http://theme.meteros.agency/Emantals/login # Login: mhndsabla@meteors.com, Password: 123456 (or register a new profile) [!] :: Special Note: # One of the declared features of this web-application is «Totally secured system (SQL injection, XSS, CSRF)». Very funny, huh? [!] :: PoC Upload: # http://theme.meteros.agency/Emantals/storage/users/November2018/K546Qvjhw9GmsCWo4lPy.php # http://theme.meteros.agency/Emantals/storage/users/February2019/eC8dkHs3gC5V6fzjxP9A.php # http://theme.meteros.agency/Emantals/storage/users/April2019/IIzn7WZfcO77aQ7xIllv.php # http://theme.meteros.agency/Emantals/public/assets/images/grey.php?cmd=ls -la [+] :: PoC [WebShell Upload]: # Authorize on the demo website for tests: http://theme.meteros.agency/Emantals/login (login mhndsabla@meteors.com, password 123456). Then go to the «Edit Profile» page: http://theme.meteros.agency/Emantals/Patients/Dr.mhndsablaa/edit (for user «Dr.mhndsablaa»). # There is one and only vulnerable file upload field on this page. You can upload any .PHP file u want, just change file type from .PHP to .PHP5 or .PHP7. Submit the form and your file will be here: http://theme.meteros.agency/Emantals/storage/users/XXXXYYYY/ZZZZZ.phpV (or u can «inspect» broken image to get the link), where XXXX is month name like «April», YYYY is year like «2019» and ZZZZZ.phpV is your uploaded file name (V is for version of uploaded file: .PHP5 or .PHP7). Sample link: http://theme.meteros.agency/Emantals/storage/users/April2019/yourfile.php5 (check the «PoC Upload» for real working examples). [+] :: BONUS: # You can «broke» any profile by adding <img src=x> in the «Username» field. Save the result and then try to logout, probably you'll see a fatal error with database connection details like host, username and password. You can upload webshell with DB access and use this credentials for some fun.