A few tests ago, I came across an OpenEMR install with a weak password for a 'Guest' level account. Using the guest access, mixed with some application issues I found along the way, I was able to eventually compromise the server running OpenEMR. It also served as a good launching point to further attack the Internal network. Lets dig in...

First, I found SQL Injection in the following location:

Reports > Visits > SuperBill > Dates

By browsing to this page and dumping in junk in either the start or end date parameters, we see the following SQL error message:

ERROR: query failed: select * from forms where form_name = 'New Patient Encounter' and date between 'a'' and '2013-07-12' order by date DESC

Turning SQLMap loose, I managed to dump most of the database contents (depending on your DB user, of course). This led to some juicy patient data, as well as a load of usernames and password hashes for the OpenEMR application. I let my GPU box chew on the password hashes for a bit, and kept poking at the application.

The next issue I found was HTML injection / XSS on an 'Office Notes' page. By visiting Misc > Office Notes and entering a UNC path into the notes section, I was able to entice any users visiting that page to attempt authentication with my system, which was hosting a fake SMB server with static challenges:



This allowed me to capture a handful of domain usernames and password hashes. In addition, I had some luck cracking the OpenEMR password hashes from earlier, and some of the passwords were re-used locally on the Linux system hosting OpenEMR, allowing me access via SSH.