OpenEMR Version < 5.0.1 Remote Code Execution vulnerability
A few days back I was doing a penetration test on the OpenEMR application. OpenEMR is medical practice management software which also supports Electronic Medical Records (EMR). It is ONC Complete Ambulatory EHR certified and features fully integrated electronic medical records, practice management for a medical practice, scheduling, and electronic billing. I was able to get code execution from an authenticated Arbitrary File Actions vulnerability. The existing remote code execution exploit was really unstable since it replaces the GLOBAL config, so I decided to write my own public exploit, which I'll post on my GitHub account.
To make it clear, I am not the one who discovered the vulnerability; I just found a blog post about it and decided to write an exploit script for it.
For the exploit to work you must have valid credentials, and these can be obtained by performing a SQL injection on that particular version of the application. The SQL injection in add_edit_event_user.php is caused by unsanitized user input from the eid, userid, and pid parameters. Exploiting this vulnerability requires authentication to the Patient Portal; however, it can be exploited without authentication when combined with the Patient Portal authentication bypass.
The vulnerable code that makes the web application susceptible to SQL injection is shown below.
To automate the process I recommend using sqlmap, which automatically dumps all the credentials from the database. The credentials are stored in the users_secure table. The dumped credentials are in the form of a hash, which can be cracked using hashcat or John the Ripper.
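As an added defensive example (not from the original post and not OpenEMR's own code), the following script scans Apache access log lines for requests to add_edit_event_user.php whose eid, userid or pid values are not plain integers, which is the shape an injection attempt against these parameters takes. The log lines, URL prefix and client addresses are constructed, and the assumption that all three parameters are always numeric identifiers is mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the post names as unsanitized in add_edit_event_user.php.
# Assumption: all three are numeric identifiers, so a non-integer value
# (quotes, spaces, SQL keywords) is the thing a defender wants flagged.
WATCHED_PARAMS = ("eid", "userid", "pid")
TARGET_SCRIPT = "add_edit_event_user.php"

# Apache combined log format: client IP, then the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); the path prefix is assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /openemr/portal/add_edit_event_user.php?eid=12&pid=7&userid=3 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /openemr/portal/add_edit_event_user.php?eid=12%27%20OR%201%3D1 HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /openemr/interface/main/main_screen.php HTTP/1.1" 200 2048
"""


def suspicious_params(target):
    """Return {param: decoded value} for watched params that are not integers.

    Only requests whose path ends in add_edit_event_user.php are inspected;
    blank values are dropped by parse_qs, so an empty eid is not flagged.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/" + TARGET_SCRIPT):
        return {}
    query = parse_qs(parts.query)  # percent-decodes the values
    flagged = {}
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            if not re.fullmatch(r"-?\d+", value):
                flagged[name] = value
    return flagged


def scan_log(text):
    """Return a list of (client_ip, param, value) for every suspicious hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # skip lines that are not in combined log format
            continue
        for name, value in suspicious_params(m.group("target")).items():
            hits.append((m.group("ip"), name, value))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags only the second line, with the decoded eid value; the same check belongs server-side as integer validation and a parameterized query, not just in log review.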
Below is part of the Python script that I created to exploit the web application.
Below is a proof-of-concept GIF of the exploit.
I am still new to coding, so I hope the code isn't bad. Anyway, one of the hacking platforms has a box with this specific vulnerable web app, so I thought I could release the Python script to help people who are doing that box, since the remote code execution script that is available now is so unstable, especially for people who are new to coding.
Anyway, that's it for now guys, till next time, take care.
My GitHub link (Updated Version)
The exploit is now also available on Exploit-DB and in searchsploit.