CVE-2020-10199: reproducing the Nexus Repository Manager 3 remote command execution vulnerability
2022-07-19 04:59:00 【wavesky111】
1. Vulnerability summary
Nexus, in full Nexus Repository Manager, is a product of the company Sonatype. It is a powerful repository manager that greatly simplifies maintaining internal repositories and accessing external ones. It is mainly used to build a company's internal private Maven repository, but it is not limited to Maven: it can also serve as a private repository for nuget, docker, npm, bower, pypi, rubygems, git lfs, yum, go, apt and others. Source: https://zhuanlan.zhihu.com/p/353955349
2. Affected versions
Nexus Repository Manager OSS/Pro 3.x <= 3.21.1
3. Vulnerability principle
In Nexus Repository Manager OSS/Pro 3.21.1 and earlier, improper security handling in certain functions allows an authenticated attacker to remotely construct a malicious HTTP request that evaluates an unsafe EL expression and executes arbitrary malicious code on the server, thereby obtaining system privileges.
CVE-2020-10199 requires only ordinary user privileges to trigger, whereas CVE-2020-10204 requires administrator privileges.
Addendum on EL expressions: EL (Expression Language), the Java Unified Expression Language (JUEL), is a special-purpose programming language used mainly in Java web applications to embed expressions into web pages. In JSP, model objects are accessed through EL expression syntax. Every EL expression is written in the form "${}"; for example, ${userinfo} fetches the value of the variable userinfo.
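Two checks a defender would want from the two sections above, as an added example that is not part of the original post: a version test against the stated affected range (3.x up to and including 3.21.1), and a scan of JSON request bodies for EL-style "${...}" expressions, which have no business appearing in repository names or similar fields sent to Nexus. The regex and the sample request bodies are constructed for this example.

```python
import json
import re

# CVE-2020-10199 affects Nexus Repository Manager OSS/Pro 3.x <= 3.21.1 (range stated on the page).
LAST_AFFECTED = (3, 21, 1)
# Constructed for this example: matches an EL expression of the form ${...}.
EL_PATTERN = re.compile(r"\$\{[^}]*\}")


def parse_version(version: str) -> tuple:
    """Turn '3.21.1' (or a build-suffixed '3.21.1-01') into a comparable integer tuple."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected_version(version: str) -> bool:
    """True for any 3.x release at or below 3.21.1."""
    v = parse_version(version)
    return v[0] == 3 and v <= LAST_AFFECTED


def find_el_in_json(body: str) -> list:
    """Return every string value in a JSON request body that contains an EL-style ${...} expression."""
    hits = []

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
        elif isinstance(node, str) and EL_PATTERN.search(node):
            hits.append(node)

    try:
        walk(json.loads(body))
    except ValueError:
        # Not JSON at all: fall back to scanning the raw body text.
        hits.extend(EL_PATTERN.findall(body))
    return hits


# Constructed sample: request bodies as a reverse proxy in front of Nexus might log them.
SAMPLE_BODIES = [
    '{"name": "maven-releases", "format": "maven2"}',
    '{"name": "${example}", "format": "maven2"}',
]


def flag_suspicious(bodies: list) -> list:
    """Return the indexes of the bodies that carry EL-style expressions."""
    return [i for i, body in enumerate(bodies) if find_el_in_json(body)]
```

Run the version check against the value Nexus reports in its UI or Server header, and feed the body scanner from whatever component logs request bodies in front of the instance.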
4. Reproduction environment
Kali Linux + Vulfocus
Attacker machine: Kali Linux
Target machine: Vulfocus
5. Experimental steps
1. Start the image environment and visit the page


2. Log in with the account admin and the password admin

3. Capture the request with Burp and construct the following packet, which evaluates 6*6*6 (the virtual machine was extremely laggy at this point and had to be restarted, so the port and environment have changed)

4. Replace the 6*6*6 expression with one that creates a file named Nexus

5. Listen on the chosen port and trigger the reverse shell

6. The previously created Nexus file and the flag are visible

6. Fix
Following the official documentation, upgrade to the latest version: https://help.sonatype.com/repomanager3
7. Afterword
The value of reproducing this vulnerability lies mainly in picking up another way of thinking; after all, its scope is not especially wide. More important, of course, is deeper learning, understanding and use of Linux, and I am preparing to open a new Linux learning column.
https://mp.weixin.qq.com/s/CAtsX3yP81mULbMDTo0J1A: another expert's write-up of the reproduction process with an in-depth explanation of the underlying principle; excellent, and cited here for ease of study.