module
OpenEMR 4.1.1 Patch 14 SQLi Privilege Escalation Remote Code Execution
| Disclosed | Created |
|---|---|
| Sep 16, 2013 | May 30, 2018 |
Disclosed
Sep 16, 2013
Created
May 30, 2018
Description
This module exploits a vulnerability found in OpenEMR version 4.1.1 Patch 14 and lower.
When logging in as any non-admin user, it's possible to retrieve the admin SHA1 password
hash from the database through SQL injection. The SQL injection vulnerability exists
in the "new_comprehensive_save.php" page. This hash can be used to log in as the admin
user. After logging in, the "manage_site_files.php" page will be used to upload arbitrary
code.
When logging in as any non-admin user, it's possible to retrieve the admin SHA1 password
hash from the database through SQL injection. The SQL injection vulnerability exists
in the "new_comprehensive_save.php" page. This hash can be used to log in as the admin
user. After logging in, the "manage_site_files.php" page will be used to upload arbitrary
code.
Author
xistence [email protected]
Platform
PHP
Architectures
php
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.