Emantals – Hospital Management System with Website WebShell Upload

CVE: N/A
Category: CWE-Other
Price: N/A
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2019-04-23
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019040208

Below is a copy:

[*] :: Title: Emantals Hospital Management System with Website WebShell Upload
[*] :: Author: QUIXSS
[*] :: Date: 2019-04-23
[*] :: Software: Emantals Hospital Management System with Website
  
[?] :: Technical Details & Description:
# Weak security measures, such as no restriction on .PHP5/.PHP7 file uploads, have been discovered in the Emantals Hospital Management System with Website.

[?] :: Demo Website:
# https://codecanyon.net/item/emantals-hospital-management-system-with-website/23110818
# Frontend: http://theme.meteros.agency/Emantals
# Backend: http://theme.meteros.agency/Emantals/login
# Login: [email protected], Password: 123456 (or register a new profile)

[!] :: Special Note:
# One of the declared features of this web application is "Totally secured system (SQL injection, XSS, CSRF)". Very funny, huh?

[!] :: PoC Upload:
# http://theme.meteros.agency/Emantals/storage/users/November2018/K546Qvjhw9GmsCWo4lPy.php
# http://theme.meteros.agency/Emantals/storage/users/February2019/eC8dkHs3gC5V6fzjxP9A.php
# http://theme.meteros.agency/Emantals/storage/users/April2019/IIzn7WZfcO77aQ7xIllv.php
# http://theme.meteros.agency/Emantals/public/assets/images/grey.php?cmd=ls -la

[+] :: PoC [WebShell Upload]:
# Log in to the demo website for tests: http://theme.meteros.agency/Emantals/login (login [email protected], password 123456). Then go to the Edit Profile page: http://theme.meteros.agency/Emantals/Patients/Dr.mhndsablaa/edit (for user Dr.mhndsablaa).
# There is exactly one vulnerable file upload field on this page. You can upload any .PHP file you want; just change the file type from .PHP to .PHP5 or .PHP7. Submit the form and your file will be here: http://theme.meteros.agency/Emantals/storage/users/XXXXYYYY/ZZZZZ.phpV (or you can inspect the broken image to get the link), where XXXX is the month name like April, YYYY is the year like 2019 and ZZZZZ.phpV is your uploaded file name (V is the version in the extension of the uploaded file: .PHP5 or .PHP7). Sample link: http://theme.meteros.agency/Emantals/storage/users/April2019/yourfile.php5 (check the PoC Upload for real working examples).
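
Added example (not part of the original advisory and not the vendor's code): a defender's audit of an upload tree laid out like the storage/users/<MonthYear>/ paths above, flagging files with PHP-handled extensions such as .php5/.php7, files that are not images, and image files that carry a PHP tag. The image allowlist, the extensions listed beyond .php5/.php7, the function names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions commonly mapped to the PHP handler; the advisory names .php5 and .php7.
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Assumption: a profile-picture upload directory should hold only these types.
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)


def audit_upload_tree(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if PHP_EXT.search(path.name):
            findings.append((rel, "php-handled extension"))
        elif path.suffix.lower() not in IMAGE_EXT:
            findings.append((rel, "extension not on image allowlist"))
        else:
            # An allowed extension does not prove the content is an image.
            with path.open("rb") as fh:
                head = fh.read(65536)
            if PHP_TAG.search(head):
                findings.append((rel, "php tag inside image file"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data mirroring the storage/users/<MonthYear>/ layout."""
    samples = {
        "April2019/avatar1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "April2019/sample_a.php5": b"<?php /* constructed placeholder */ ?>",
        "February2019/sample_b.PHP7": b"<?php /* constructed placeholder */ ?>",
        "February2019/avatar2.jpg": b"\xff\xd8\xff\xe0<?php /* placeholder */ ?>",
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_upload_tree(tmp):
            print(f"{reason:35} {rel}")
```

Any finding in a directory that should hold only profile pictures is worth reviewing against the web server's access logs for requests to that path.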

[+] :: BONUS:
# You can break any profile by adding <img src=x> to the Username field. Save the result and then try to log out; you will probably see a fatal error with database connection details such as host, username and password. You can upload a webshell with DB access and use these credentials for some fun.
