This exploit code chains an Authorization Bypass (CVE-2024-0264) with Local File Inclusion (CVE-2024-0265) in Sourcecodester Clinic Queuing System 1.0, leading to RCE
Usage:
python3 clinicx.py 'http://localhost/cqs'
The issue is systemic, affecting both LoginRegistration.php
and Master.php
. The validation of formToken
had a logic flaw that led to it being bypassed.
//LoginRegistration.php
// <SNIPPED>
extract($_POST);
$allowedToken = $_SESSION['formToken']['manage_user'];
if(!isset($formToken) || (isset($formToken) && $formToken != $allowedToken)){
// throw new ErrorException("Security Check: Form Token is valid.");
$resp['status'] = 'failed';
$resp['msg'] = "Security Check: Form Token is invalid.";
}else{
// <SNIPPED>
In order for the request to be granted, the following conditions must be met:
- formToken must be set
- formToken should be equal to
$_SESSION['formToken']['manage_user']
By sending the formToken as BLANK in the request, the validation can be bypassed as the null POST parameter will be equal to the null session variable.
The GET parameter page
was unsafely put inside an include()
php function.
//index.php
// <SNIPPED>
<?php include($page.".php"); ?>
// <SNIPPED>
The value of $page appended with .php
was passed inside include. This can be exploited by leveraging PHP filters. In the exploit code, the technique PHP Filter Chaining was used to gain RCE.