module
OpenEMR 4.1.1 Patch 14 SQLi Privilege Escalation Remote Code Execution
| Disclosed | Created |
|---|---|
| 2013-09-16 | 2018-05-30 |
Disclosed
2013-09-16
Created
2018-05-30
Description
This module exploits a vulnerability found in OpenEMR version 4.1.1 Patch 14 and lower.
When logging in as any non-admin user, it's possible to retrieve the admin SHA1 password
hash from the database through SQL injection. The SQL injection vulnerability exists
in the "new_comprehensive_save.php" page. This hash can be used to log in as the admin
user. After logging in, the "manage_site_files.php" page will be used to upload arbitrary
code.
When logging in as any non-admin user, it's possible to retrieve the admin SHA1 password
hash from the database through SQL injection. The SQL injection vulnerability exists
in the "new_comprehensive_save.php" page. This hash can be used to log in as the admin
user. After logging in, the "manage_site_files.php" page will be used to upload arbitrary
code.
Author
xistence xistence@0x90.nl
Platform
PHP
Architectures
php
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.